Nod32 Vbs/autorun.g Worm And .vbs Vbs/autorun.b Worm


  • This topic is locked
15 replies to this topic

#1 jnixon

Posted 31 July 2008 - 02:46 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:59 PM, on 7/31/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\WatchGuard\wsm9.0\wfs\controld.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Retrospect\Retrospect Client\RemotSvc.exe
C:\Program Files\Retrospect\Retrospect Client\retroclient.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\WatchGuard\wsm9.0\wbserver\bin\wbserver.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\WINDOWS\system32\nfsclnt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mapsvc.exe
C:\WINDOWS\system32\nfssvc.exe
C:\WINDOWS\idmu\nis\nissvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\ESET\ESET Remote Administrator\Server\era.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Retrospect\Retrospect Client\pcpds.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hestia:8530/WSUSAdmin
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [hhctrl.ocx] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\hhctrl.ocx
O4 - HKLM\..\RunOnce: [Transman.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Transman.dll
O4 - HKLM\..\RunOnce: [Topology Service] C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE /Service
O4 - HKLM\..\RunOnce: [Nscem.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscem.dll
O4 - HKLM\..\RunOnce: [Nscemps.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscemps.dll
O4 - HKLM\..\RunOnce: [Nsctopps.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nsctopps.dll
O4 - HKLM\..\RunOnce: [Comutil.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\comutil.dll
O4 - HKLM\..\RunOnce: [Lupage.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\lupage.dll
O4 - HKLM\..\RunOnce: [amssnap.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\amssnap.dll
O4 - HKLM\..\RunOnce: [Webshell.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\webshell.dll
O4 - HKLM\..\RunOnce: [Vprpts.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\vprpts.dll
O4 - HKLM\..\RunOnce: [Scandlgs.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\scandlgs.dll
O4 - HKLM\..\RunOnce: [LotntsUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LotntsUI.ocx
O4 - HKLM\..\RunOnce: [LDDatetm.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDDatetm.ocx
O4 - HKLM\..\RunOnce: [LDVPCtls.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPCtls.ocx
O4 - HKLM\..\RunOnce: [LDVPDlgs.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPDlgs.ocx
O4 - HKLM\..\RunOnce: [LDVPUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPUI.ocx
O4 - HKLM\..\RunOnce: [ExchngUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\ExchngUI.ocx
O4 - HKLM\..\RunOnce: [Navcorpx.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorpx.dll
O4 - HKLM\..\RunOnce: [Srvcon.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Srvcon.ocx
O4 - HKLM\..\RunOnce: [Navcorph.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorph.dll
O4 - HKLM\..\RunOnce: [Clntcon.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Clntcon.ocx
O4 - HKLM\..\RunOnce: [Scfsnap.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\scfsnap.dll
O4 - HKLM\..\RunOnce: [SAVSetup] cmd.exe /c "rmdir /s /q "C:\TEMP\Clt-Inst""
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mswmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mspmsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmps.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmlog.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\cewmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_7] regsvr32.exe /s C:\WINDOWS\system32\mspmsnsv.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\audiodev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmaspdtx.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmstream.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmnetmgr.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmidx.ocx"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_7] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_8] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_9] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\laprxy.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_12] "C:\WINDOWS\system32\logagent.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvcore.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_15] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mpg4dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_16] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_17] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_18] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\qasf.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_19] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadvd.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_20] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadve.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_22] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp43dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_23] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp4sdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_24] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmnet.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_25] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmdev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_ivf] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\ivfsrc.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmvax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_msscrnax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8ax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8dmo] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_0] C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_1] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_3] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_4] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_6] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_7] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_8] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_9] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_10] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_11] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_12] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_15] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_19] "C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_20] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_21] "C:\Program Files\Windows Media Player\migrate.exe" /s
O4 - HKLM\..\RunOnce: [OE_WMPWPD_Install_2] C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_7] C:\WINDOWS\system32\drmupgds.exe
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1572088406-1351228934-6498272-3439\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'gfi')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - ESC Trusted Zone: http://download1.eset.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1207595275437
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seaspace.com
O17 - HKLM\Software\..\Telephony: DomainName = seaspace.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seaspace.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O23 - Service: Big Brother SNM Server 2.30 (BigBrotherServer) - Unknown owner - C:\Program Files\Quest Software\Big Brother BTF\BBNTD\2.30\bin\bbntd.exe

--
End of file - 15247 bytes

Thanks in advance!


#2 Shaba

Posted 12 August 2008 - 02:40 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, then click on Run.
Copy and paste the following into the Open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All, then click Scan.
DSS will now run again. When it is finished, please post back both logs that open in Notepad: main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with the DSS reports (main.txt and extra.txt) and the Kaspersky report.

Regards
Microsoft MVP Consumer Security

#3 jnixon

Posted 12 August 2008 - 01:49 PM

Thanks for the reply. I will run the scans and post the logs.

#4 jnixon

Posted 14 August 2008 - 11:01 AM

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows® Server 2003, Standard Edition (build 3790) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Xeon™ CPU 2.80GHz
CPU 1: Intel® Xeon™ CPU 2.80GHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 2047.27 MiB / 470.14 MiB
Pagefile Memory (total/avail): 3943.95 MiB / 2128.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.24 MiB

C: is Fixed (NTFS) - 30 GiB total, 3.98 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 435.56 GiB total, 3.79 GiB free.
G: is Network (NTFS)
I: is Network (NTFS)
J: is Network (NTFS)
K: is Network (NTFS)
L: is Network (NTFS)

\\.\PHYSICALDRIVE0 - DELL Array SCSI Disk Device - 465.59 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 30 GiB - C:
\PARTITION2 - Installable File System - 435.56 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\_______\Application Data
CLIENTNAME=D4GDSQF1
ClusterLog=C:\WINDOWS\Cluster\cluster.log
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=_______
ComSpec=C:\WINDOWS\system32\cmd.exe
DISPLAY=localhost:0.0
EDITOR=vi
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\_______
INTERIX_ROOT=/dev/fs/C/WINDOWS/SUA/
INTERIX_ROOT_WIN=C:\WINDOWS\SUA\
LD_LIBRARY_PATH=/usr/lib:/usr/X11R6/lib
LOGONSERVER=\\______
NUMBER_OF_PROCESSORS=2
OPENNT_ROOT=/dev/fs/C/WINDOWS/SUA/
OS=Windows_NT
Path=C:\Program Files\Windows Resource Kits\Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\MsNfs\;C:\WINDOWS\SUA\common\;C:\WINDOWS\SUA\usr\lib\;C:\WINDOWS\idmu\common;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\WatchGuard\wsm9.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.LNK
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=040a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=RDP-Tcp#48
SFUDIR=C:\WINDOWS\SUA\
SFUDIR_INTERIX=/dev/fs/C/WINDOWS/SUA/
SUA_ROOT=/dev/fs/C/WINDOWS/SUA/
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\______\LOCALS~1\Temp\b
TMP=C:\DOCUME~1\_______\LOCALS~1\Temp\b
USERDNSDOMAIN=_______
USERDOMAIN=_______
USERNAME=________
USERPROFILE=C:\Documents and Settings\________
windir=C:\WINDOWS
XAPPLRESDIR=/usr/X11R6/lib/X11/app-defaults
XCMSDB=/usr/X11R6/lib/X11/Xcms.txt
XKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB
XNLSPATH=/usr/X11R6/lib/X11/locale


-- User Profiles ---------------------------------------------------------------

_______(admin)
archive (admin)
clohman (admin)
GFI
______(admin)
______(admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Big Brother System and Network Monitor 2.30 --> MsiExec.exe /I{154ACC66-B154-4A41-A818-392ABAC9A539}
ESET NOD32 Antivirus --> MsiExec.exe /I{2204AF25-80E5-468E-B46D-795685B35DEB}
ESET Remote Administrator Console --> MsiExec.exe /I{2D648D9D-4063-4CD8-85CF-D6AF04E38E8F}
ESET Remote Administrator Server --> MsiExec.exe /I{CA015756-5E8D-4B3E-AFEE-914BCF5B52DB}
GFI EventsManager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A1D52DC-3FC7-4501-8852-6E6A6BF38A87}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 --> MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Baseline Security Analyzer 2.0.1 --> MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9}
Microsoft Group Policy Management Console with SP1 --> MsiExec.exe /I{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Desktop Engine (SHAREPOINT) --> MsiExec.exe /X{65657C59-23A8-4974-B8E0-BA04EBD04E4F}
Microsoft SQL Server Management Studio Express --> MsiExec.exe /I{A4512736-8D63-4298-9271-5329931FA46B}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}
Microsoft Windows Server Update Services --> C:\Program Files\Update Services\Setup\WusSetup.exe /u
Microsoft Windows Server Update Services Service Pack 1 --> C:\Program Files\Update Services\Setup\WusSetup.exe /u
MSXML 4.0 SP2 (KB925672) --> MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Retrospect Client 7.5 --> MsiExec.exe /I{C2CB613B-7B45-4DF7-84A1-FD7DB11471A8}
TreeSize Professional 4.0.2 --> "C:\Program Files\JAM Software\TreeSize Professional\unins000.exe"
Utilities and SDK for UNIX-based Applications --> MsiExec.exe /I{DB88A98A-792B-4441-8E60-05A6D3E2B2C0}
WatchGuard Fireware 9.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9DD42774-61B1-4EC7-8765-06045E0461D3}\setup.exe" -l0x9 addrem -removeonly
WatchGuard System Manager 9.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5DA46C94-2DEA-4270-858D-C9852F5FAE88}\setup.exe" -l0x9 addrem -removeonly
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Resource Kit Tools --> MsiExec.exe /I{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows Server 2003 Service Pack 2 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows Update Agent Self update --> MsiExec.exe /I{7CBC545F-32A8-4206-AE00-7B208E210140}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type24171 / Warning
Event Submitted/Written: 07/29/2008 07:40:25 PM
Event ID/Source: 77 / CertSvc
Event Description:
The "Windows default" Policy Module logged the following warning: The Active Directory connection to ______ has been reestablished to ________.

Event Record #/Type24168 / Error
Event Submitted/Written: 07/29/2008 05:34:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.3790.3959, faulting module kernel32.dll, version 5.2.3790.4062, fault address 0x0000bee7.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type24167 / Warning
Event Submitted/Written: 07/29/2008 02:42:48 PM
Event ID/Source: 213 / LicenseService
Event Description:
Replication of license information failed because the License Logging Service on server _______ could not be contacted.

Event Record #/Type24166 / Warning
Event Submitted/Written: 07/29/2008 08:42:47 AM
Event ID/Source: 213 / LicenseService
Event Description:
Replication of license information failed because the License Logging Service on server _______________ could not be contacted.

Event Record #/Type24162 / Warning
Event Submitted/Written: 07/29/2008 02:42:46 AM
Event ID/Source: 213 / LicenseService
Event Description:
Replication of license information failed because the License Logging Service on server _____________ could not be contacted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type147644 / Error
Event Submitted/Written: 08/12/2008 08:12:50 AM
Event ID/Source: 4 / Kerberos
Event Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server DFFDSQF1$. The target name used was cifs/ECR.______.com. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (_______), and the client realm.
Please contact your system administrator.

Event Record #/Type146883 / Error
Event Submitted/Written: 08/08/2008 02:08:28 PM
Event ID/Source: 4 / Kerberos
Event Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server DFFDSQF1$. The target name used was cifs/ECR.______.com. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (_________), and the client realm.
Please contact your system administrator.

Event Record #/Type146830 / Error
Event Submitted/Written: 08/08/2008 00:51:20 PM
Event ID/Source: 4 / Kerberos
Event Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server DFFDSQF1$. The target name used was cifs/ECR._____.com. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (__________), and the client realm.
Please contact your system administrator.

Event Record #/Type146795 / Error
Event Submitted/Written: 08/08/2008 10:52:17 AM
Event ID/Source: 4 / Kerberos
Event Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server DFFDSQF1$. The target name used was cifs/ECR._________.com. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (_____________), and the client realm.
Please contact your system administrator.

Event Record #/Type146726 / Error
Event Submitted/Written: 08/08/2008 08:36:33 AM
Event ID/Source: 4 / Kerberos
Event Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server DFFDSQF1$. The target name used was cifs/ECR._______.com. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (_________), and the client realm.
Please contact your system administrator.



-- End of Deckard's System Scanner: finished at 2008-08-12 09:49:58 ------------




Deckard's System Scanner v20071014.68
Run by _____ on 2008-08-12 09:23:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.98 GiB (less than 15%) free.


-- HijackThis (run as ______.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:23 AM, on 8/12/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\WatchGuard\wsm9.0\wfs\controld.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Retrospect\Retrospect Client\RemotSvc.exe
C:\Program Files\Retrospect\Retrospect Client\retroclient.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\WatchGuard\wsm9.0\wbserver\bin\wbserver.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\WINDOWS\system32\nfsclnt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mapsvc.exe
C:\WINDOWS\system32\nfssvc.exe
C:\WINDOWS\idmu\nis\nissvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\ESET\ESET Remote Administrator\Server\era.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Retrospect\Retrospect Client\pcpds.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Temp\av\dss.exe
C:\WINDOWS\system32\srmhost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JKNIXO~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://_____:8530/WSUSAdmin
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [hhctrl.ocx] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\hhctrl.ocx
O4 - HKLM\..\RunOnce: [Transman.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Transman.dll
O4 - HKLM\..\RunOnce: [Topology Service] C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE /Service
O4 - HKLM\..\RunOnce: [Nscem.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscem.dll
O4 - HKLM\..\RunOnce: [Nscemps.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscemps.dll
O4 - HKLM\..\RunOnce: [Nsctopps.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nsctopps.dll
O4 - HKLM\..\RunOnce: [Comutil.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\comutil.dll
O4 - HKLM\..\RunOnce: [Lupage.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\lupage.dll
O4 - HKLM\..\RunOnce: [amssnap.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\amssnap.dll
O4 - HKLM\..\RunOnce: [Webshell.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\webshell.dll
O4 - HKLM\..\RunOnce: [Vprpts.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\vprpts.dll
O4 - HKLM\..\RunOnce: [Scandlgs.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\scandlgs.dll
O4 - HKLM\..\RunOnce: [LotntsUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LotntsUI.ocx
O4 - HKLM\..\RunOnce: [LDDatetm.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDDatetm.ocx
O4 - HKLM\..\RunOnce: [LDVPCtls.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPCtls.ocx
O4 - HKLM\..\RunOnce: [LDVPDlgs.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPDlgs.ocx
O4 - HKLM\..\RunOnce: [LDVPUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPUI.ocx
O4 - HKLM\..\RunOnce: [ExchngUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\ExchngUI.ocx
O4 - HKLM\..\RunOnce: [Navcorpx.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorpx.dll
O4 - HKLM\..\RunOnce: [Srvcon.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Srvcon.ocx
O4 - HKLM\..\RunOnce: [Navcorph.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorph.dll
O4 - HKLM\..\RunOnce: [Clntcon.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Clntcon.ocx
O4 - HKLM\..\RunOnce: [Scfsnap.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\scfsnap.dll
O4 - HKLM\..\RunOnce: [SAVSetup] cmd.exe /c "rmdir /s /q "C:\TEMP\Clt-Inst""
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mswmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mspmsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmps.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmlog.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\cewmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_7] regsvr32.exe /s C:\WINDOWS\system32\mspmsnsv.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\audiodev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmaspdtx.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmstream.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmnetmgr.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmidx.ocx"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_7] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_8] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_9] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\laprxy.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_12] "C:\WINDOWS\system32\logagent.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvcore.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_15] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mpg4dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_16] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_17] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_18] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\qasf.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_19] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadvd.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_20] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadve.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_22] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp43dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_23] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp4sdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_24] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmnet.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_25] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmdev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_ivf] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\ivfsrc.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmvax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_msscrnax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8ax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8dmo] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_0] C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_1] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_3] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_4] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_6] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_7] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_8] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_9] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_10] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_11] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_12] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_15] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_19] "C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_20] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_21] "C:\Program Files\Windows Media Player\migrate.exe" /s
O4 - HKLM\..\RunOnce: [OE_WMPWPD_Install_2] C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_7] C:\WINDOWS\system32\drmupgds.exe
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1572088406-1351228934-6498272-3439\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'gfi')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - ESC Trusted Zone: http://download1.eset.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1207595275437
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = _________
O17 - HKLM\Software\..\Telephony: DomainName = ____________
O17 - HKLM\System\CCS\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = __________
O17 - HKLM\System\CS1\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O23 - Service: Big Brother SNM Server 2.30 (BigBrotherServer) - Unknown owner - C:\Program Files\Quest Software\Big Brother BTF\BBNTD\2.30\bin\bbntd.exe

--
End of file - 15336 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 msnfsflt - c:\windows\system32\drivers\msnfsflt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
S3 PsxDrv - c:\windows\system32\drivers\psxdrv.sys <Not Verified; Microsoft Corporation; Microsoft Windows Identity Management for UNIX>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Client For NFS - c:\windows\system32\nfsclnt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 controld_service (WatchGuard Log Collector - WSEP) - "c:\program files\watchguard\wsm9.0\wlserver\..\wfs\controld.exe
R2 EventsManager Processor Agent Service (GFI EventsManager) - c:\program files\gfi\eventsmanager 7\esmproc.exe
R2 Mapsvc (User Name Mapping) - c:\windows\system32\mapsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Nissvc (Server For NIS) - c:\windows\idmu\nis\nissvc.exe <Not Verified; Microsoft Corporation; Microsoft Windows Identity Management for UNIX>
R2 Retrospect Client - "c:\program files\retrospect\retrospect client\remotsvc.exe" <Not Verified; EMC; Retrospect>
R2 wbserver_service (WatchGuard WebBlocker Server) - c:\program files\watchguard\wsm9.0\wbserver\bin\wbserver.exe <Not Verified; WatchGuard Technologies, Inc.; Webblocker>
R2 wlserver_service (WatchGuard Log Collector - WSM) - "c:\program files\watchguard\wsm9.0\wlserver\..\apache\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 wmserver_service (WatchGuard Management Server) - "c:\program files\watchguard\wsm9.0\wmserver\..\apache\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R3 SrmReports (File Server Storage Reports Manager) - c:\windows\system32\srmhost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S2 BigBrotherServer (Big Brother SNM Server 2.30) - c:\program files\quest software\big brother btf\bbntd\2.30\bin\bbntd.exe <Not Verified; ; bbntd Module>
S3 Retrospect Helper - "c:\program files\retrospect\retrospect client\rthlpsvc.exe" <Not Verified; EMC Corporation; Retrospect>
S3 zzSUA (SUA Subsystem Startup) - c:\windows\psxrun.exe <Not Verified; Microsoft Corporation; Microsoft Windows Identity Management for UNIX>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-12 09:00:10 470 --a------ C:\WINDOWS\Tasks\ShadowCopyVolume{76afdc3a-07c5-11db-915c-0013723f0266}.job
2008-08-12 02:00:00 318 -----n--- C:\WINDOWS\Tasks\DailyStatsReport.job
2008-08-12 01:00:00 322 -----n--- C:\WINDOWS\Tasks\DailyStatsCollect.job
2008-08-11 12:00:00 326 -----n--- C:\WINDOWS\Tasks\Purge Firewall Logs.job


-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-07-31 12:46:40 0 d-------- C:\Program Files\Trend Micro
2008-07-23 17:51:01 0 d-------- C:\WINDOWS\LastGood
2008-07-23 17:50:09 237568 -----n--- C:\WINDOWS\einstaller.exe <Not Verified; ESET; ESET Remote Administrator>
2008-07-23 16:02:39 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-16 13:09:27 0 d-------- C:\Documents and Settings\_______\_rpcs


-- Find3M Report ---------------------------------------------------------------

2008-07-19 19:41:42 0 -----n--- C:\WINDOWS\RETCLIENT.DAT
2008-06-17 13:58:03 0 d-------- C:\Documents and Settings\_______\Application Data\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [06/10/2008 06:52 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/17/2007 07:03 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"hhctrl.ocx"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\hhctrl.ocx
"Transman.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Transman.dll
"Topology Service"=C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE /Service
"Nscem.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscem.dll
"Nscemps.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscemps.dll
"Nsctopps.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nsctopps.dll
"Comutil.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\comutil.dll
"Lupage.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\lupage.dll
"amssnap.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\amssnap.dll
"Webshell.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\webshell.dll
"Vprpts.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\vprpts.dll
"Scandlgs.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\scandlgs.dll
"LotntsUI.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LotntsUI.ocx
"LDDatetm.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDDatetm.ocx
"LDVPCtls.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPCtls.ocx
"LDVPDlgs.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPDlgs.ocx
"LDVPUI.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPUI.ocx
"ExchngUI.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\ExchngUI.ocx
"Navcorpx.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorpx.dll
"Srvcon.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Srvcon.ocx
"Navcorph.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorph.dll
"Clntcon.ocx"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Clntcon.ocx
"Scfsnap.dll"=C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\scfsnap.dll
"SAVSetup"=cmd.exe /c "rmdir /s /q "C:\TEMP\Clt-Inst""
"OE_WMPWMDM_Install_1"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mswmdm.dll"
"OE_WMPWMDM_Install_2"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscp.dll"
"OE_WMPWMDM_Install_3"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mspmsp.dll"
"OE_WMPWMDM_Install_4"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmps.dll"
"OE_WMPWMDM_Install_5"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmlog.dll"
"OE_WMPWMDM_Install_6"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\cewmdm.dll"
"OE_WMPWMDM_Install_7"=regsvr32.exe /s C:\WINDOWS\system32\mspmsnsv.dll
"OE_WMPWMDM_Install_10"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\audiodev.dll"
"OE_WMPWMDM_Install_11"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmaspdtx.dll"
"OE_WMPWMFSDK_Install_1"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmstream.dll"
"OE_WMPWMFSDK_Install_2"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmnetmgr.dll"
"OE_WMPWMFSDK_Install_3"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmidx.ocx"
"OE_WMPWMFSDK_Install_4"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmod.dll"
"OE_WMPWMFSDK_Install_5"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmoe2.dll"
"OE_WMPWMFSDK_Install_6"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmoe.dll"
"OE_WMPWMFSDK_Install_7"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmod.dll"
"OE_WMPWMFSDK_Install_8"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
"OE_WMPWMFSDK_Install_9"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe.dll"
"OE_WMPWMFSDK_Install_10"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe2.dll"
"OE_WMPWMFSDK_Install_11"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\laprxy.dll"
"OE_WMPWMFSDK_Install_12"="C:\WINDOWS\system32\logagent.exe" /RegServer
"OE_WMPWMFSDK_Install_13"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvcore.dll"
"OE_WMPWMFSDK_Install_14"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmod.dll"
"OE_WMPWMFSDK_Install_15"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mpg4dmod.dll"
"OE_WMPWMFSDK_Install_16"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmod.dll"
"OE_WMPWMFSDK_Install_17"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
"OE_WMPWMFSDK_Install_18"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\qasf.dll"
"OE_WMPWMFSDK_Install_19"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadvd.dll"
"OE_WMPWMFSDK_Install_20"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadve.dll"
"OE_WMPWMFSDK_Install_22"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp43dmod.dll"
"OE_WMPWMFSDK_Install_23"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp4sdmod.dll"
"OE_WMPWMFSDK_Install_24"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmnet.dll"
"OE_WMPWMFSDK_Install_25"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmdev.dll"
"OE_WMPWMPCodec_ivf"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\ivfsrc.ax"
"OE_WMPWMPCodec_wmvax"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvds32.ax"
"OE_WMPWMPCodec_msscrnax"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscds32.ax"
"OE_WMPWMPCodec_wmv8ax"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
"OE_WMPWMPCodec_wmv8dmo"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
"OE_WMPWMP7_Install_0"=C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
"OE_WMPWMP7_Install_1"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
"OE_WMPWMP7_Install_3"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
"OE_WMPWMP7_Install_4"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
"OE_WMPWMP7_Install_6"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
"OE_WMPWMP7_Install_7"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
"OE_WMPWMP7_Install_8"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
"OE_WMPWMP7_Install_9"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
"OE_WMPWMP7_Install_10"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
"OE_WMPWMP7_Install_11"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
"OE_WMPWMP7_Install_12"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
"OE_WMPWMP7_Install_13"=C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
"OE_WMPWMP7_Install_14"=C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
"OE_WMPWMP7_Install_15"=C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
"OE_WMPWMP7_Install_19"="C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
"OE_WMPWMP7_Install_20"=C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
"OE_WMPWMP7_Install_21"="C:\Program Files\Windows Media Player\migrate.exe" /s
"OE_WMPWPD_Install_2"=C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
"OE_WMPDRM_Install_1"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
"OE_WMPDRM_Install_2"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
"OE_WMPDRM_Install_4"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
"OE_WMPDRM_Install_5"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
"OE_WMPDRM_Install_6"=C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
"OE_WMPDRM_Install_7"=C:\WINDOWS\system32\drmupgds.exe
"NoIE4StubProcessing"=C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 10:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"DisableLocalMachineRunOnce"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 02/17/2007 07:02 AM 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli pswdsync

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
srmsvcs SrmSvc
iissvcs w3svc
WDSServer WDSServer

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc

*Newly Created Service* - EAMON
*Newly Created Service* - EASDRV
*Newly Created Service* - EKRN
*Newly Created Service* - EPFWTDIR
*Newly Created Service* - ERA_HTTP_SERVER
*Newly Created Service* - ERA_SERVER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser



-- Hosts -----------------------------------------------------------------------

10.0.0.9 intranet ______________


-- End of Deckard's System Scanner: finished at 2008-08-12 09:49:58 ------------



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 14, 2008
Operating System: Microsoft Windows Server 2003 R2, Standard Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 12, 2008 18:10:29
Records in database: 1086451
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 930851
Threat name: 28
Infected objects: 74
Suspicious objects: 11
Duration of the scan: 38:30:26


File name / Threat name / Threats count
E:\Departments\Sales\Crowleys Laptop\desktop\ALL\Email Archive\archive.pst Suspicious: not-a-virus:URL.IDFrame 1
E:\Departments\Sales\Crowleys Laptop\desktop\ALL\Email Archive\Outlook\Outlookseamail.________.com-00000003.pst Infected: Email-Worm.Win32.Tanatos.b 2
E:\Email Archives\connoly_d.pst Suspicious: Password-protected-EXE 1
E:\Email Archives\connoly_d.pst Infected: Trojan-Dropper.VBS.Inor.a 2
E:\Email Archives\connoly_d.pst Infected: Email-Worm.Win32.Sobig.f 1
E:\Email Archives\connoly_d.pst Infected: Email-Worm.Win32.Sobig.e 3
E:\Email Archives\connoly_d.pst Infected: Email-Worm.Win32.Tanatos.b 1
E:\Email Archives\decima_ann.pst Infected: Email-Worm.Win32.NetSky.q 22
E:\Email Archives\decima_ann.pst Infected: Email-Worm.Win32.LovGate.w 2
E:\Email Archives\decima_ann.pst Infected: Email-Worm.Win32.NetSky.b 2
E:\Email Archives\feeley_joe.pst Infected: Email-Worm.Win32.Mimail.txt 1
E:\Email Archives\feeley_joe.pst Infected: Email-Worm.Win32.Mimail.a 1
E:\Email Archives\feeley_joe.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
E:\Email Archives\lowe_karen.pst Infected: Trojan-Proxy.Win32.Cidra.d 1
E:\Email Archives\lowe_karen.pst Infected: Trojan-Spy.HTML.UrlSpoof.b 1
E:\Email Archives\nelson_g.pst Infected: Email-Worm.Win32.Bagle.ai 1
E:\Email Archives\nelson_g.pst Infected: Email-Worm.Win32.Bagle.gen 1
E:\Email Archives\nelson_g.pst Infected: Email-Worm.Win32.Bagle.z 1
E:\Email Archives\nelson_g.pst Infected: Email-Worm.Win32.Bagle.i 2
E:\Email Archives\nelson_g.pst Infected: Email-Worm.Win32.NetSky.b 4
E:\Email Archives\nelson_g.pst Infected: Email-Worm.Win32.Sobig.b 1
E:\Email Archives\shi_lei.pst Infected: Email-Worm.Win32.NetSky.q 2
E:\Email Archives\shi_lei.pst Infected: Email-Worm.Win32.Bagle.p 3
E:\Email Archives\shi_lei.pst Infected: Email-Worm.Win32.Bagle.g 2
E:\Email Archives\shi_lei.pst Infected: Email-Worm.Win32.NetSky.b 1
E:\Email Archives\waltman_dan.pst Infected: Trojan-Spy.HTML.Paylap.ay 1
E:\Email Archives\waltman_dan.pst Infected: Trojan-Dropper.VBS.Zerolin 1
E:\Email Archives\waltman_dan.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\Home\jzeer\BKupForXP\Users\jzeer\Mail\Outlook.sbd\Personal Folders.sbd\Inbox Infected: not-virus:BadJoke.Win16.Stupid.a 1
E:\Home\KOTA\.vbs Infected: Worm.VBS.Autorun.r 1
E:\Home\KOTA\autorun.inf Infected: Worm.VBS.Autorun.r 1
E:\Home\omartinez\Downloads\AGSetup0608.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
E:\Home\omartinez\outlook\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 3
E:\Home\Retired Users\abretsch\outlook\abretsch.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
E:\Home\Retired Users\cdunagan\Outlook\archive.pst Infected: Email-Worm.Win32.Magistr.b 1
E:\Home\Retired Users\NORIKO\outlook\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
E:\Temp\.vbs Infected: Worm.VBS.Autorun.r 1
E:\Temp\autorun.inf Infected: Worm.VBS.Autorun.r 1
G:\.vbs Infected: Worm.VBS.Autorun.r 1
G:\autorun.inf Infected: Worm.VBS.Autorun.r 1
I:\.vbs Infected: Worm.VBS.Autorun.r 1
I:\autorun.inf Infected: Worm.VBS.Autorun.r 1
J:\.vbs Infected: Worm.VBS.Autorun.r 1
J:\autorun.inf Infected: Worm.VBS.Autorun.r 1
K:\Sales\Crowleys Laptop\desktop\ALL\Email Archive\archive.pst Suspicious: not-a-virus:URL.IDFrame 1
K:\Sales\Crowleys Laptop\desktop\ALL\Email Archive\Outlook\Outlookseamail.________.com-00000003.pst Infected: Email-Worm.Win32.Tanatos.b 2

The selected area was scanned.

Edited by jnixon, 14 August 2008 - 11:11 AM.


#5 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 August 2008 - 05:11 PM

Hello jnixon :thumbsup: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you from here on out and will need some time to look over your log. I will get back to you as quickly as possible.

I would ask that you refrain from running tools other than those we will suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 jnixon

  • Topic Starter
  • Members
  • 6 posts

Posted 15 August 2008 - 06:07 PM

Sounds good, looking forward to cleaning this up.

#7 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 August 2008 - 05:16 PM

Hello again, :thumbsup:

Sorry for the delay.

Here's what I need you to do first:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

After completion, please post a new HJT log along with the report from MBAM.

Thanks,



thewall

#8 jnixon

  • Topic Starter
  • Members
  • 6 posts

Posted 19 August 2008 - 07:17 PM

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.2.3790 Service Pack 2

5:02:59 PM 8/19/2008
mbam-log-08-19-2008 (17-02-59).txt

Scan type: Quick Scan
Objects scanned: 51323
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:58 PM, on 8/19/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\WatchGuard\wsm9.0\wfs\controld.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET Remote Administrator\Server\era.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Retrospect\Retrospect Client\RemotSvc.exe
C:\Program Files\Retrospect\Retrospect Client\retroclient.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\WatchGuard\wsm9.0\wbserver\bin\wbserver.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\WINDOWS\system32\nfsclnt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\wsm9.0\apache\bin\apache.exe
C:\WINDOWS\system32\mapsvc.exe
C:\WINDOWS\system32\nfssvc.exe
C:\WINDOWS\idmu\nis\nissvc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hestia:8530/WSUSAdmin
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [hhctrl.ocx] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\hhctrl.ocx
O4 - HKLM\..\RunOnce: [Transman.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Transman.dll
O4 - HKLM\..\RunOnce: [Topology Service] C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE /Service
O4 - HKLM\..\RunOnce: [Nscem.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscem.dll
O4 - HKLM\..\RunOnce: [Nscemps.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nscemps.dll
O4 - HKLM\..\RunOnce: [Nsctopps.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\nsctopps.dll
O4 - HKLM\..\RunOnce: [Comutil.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\comutil.dll
O4 - HKLM\..\RunOnce: [Lupage.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\lupage.dll
O4 - HKLM\..\RunOnce: [amssnap.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\amssnap.dll
O4 - HKLM\..\RunOnce: [Webshell.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\webshell.dll
O4 - HKLM\..\RunOnce: [Vprpts.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\vprpts.dll
O4 - HKLM\..\RunOnce: [Scandlgs.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\scandlgs.dll
O4 - HKLM\..\RunOnce: [LotntsUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LotntsUI.ocx
O4 - HKLM\..\RunOnce: [LDDatetm.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDDatetm.ocx
O4 - HKLM\..\RunOnce: [LDVPCtls.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPCtls.ocx
O4 - HKLM\..\RunOnce: [LDVPDlgs.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPDlgs.ocx
O4 - HKLM\..\RunOnce: [LDVPUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\LDVPUI.ocx
O4 - HKLM\..\RunOnce: [ExchngUI.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\ExchngUI.ocx
O4 - HKLM\..\RunOnce: [Navcorpx.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorpx.dll
O4 - HKLM\..\RunOnce: [Srvcon.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Srvcon.ocx
O4 - HKLM\..\RunOnce: [Navcorph.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Navcorph.dll
O4 - HKLM\..\RunOnce: [Clntcon.ocx] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\Clntcon.ocx
O4 - HKLM\..\RunOnce: [Scfsnap.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\Symantec\SYMANT~1\scfsnap.dll
O4 - HKLM\..\RunOnce: [SAVSetup] cmd.exe /c "rmdir /s /q "C:\TEMP\Clt-Inst""
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mswmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mspmsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmps.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdmlog.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\cewmdm.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_7] regsvr32.exe /s C:\WINDOWS\system32\mspmsnsv.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\audiodev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMDM_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmaspdtx.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmstream.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmnetmgr.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_3] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmidx.ocx"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_7] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmadmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_8] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_9] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_10] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmoe2.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_11] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\laprxy.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_12] "C:\WINDOWS\system32\logagent.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvcore.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmsdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_15] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mpg4dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_16] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_17] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_18] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\qasf.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_19] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadvd.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_20] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvadve.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_22] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp43dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_23] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\mp4sdmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_24] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmnet.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_25] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmdrmdev.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_ivf] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\ivfsrc.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmvax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmvds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_msscrnax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msscds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8ax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8dmo] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_0] C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_1] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_3] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_4] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_6] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_7] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_8] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_9] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_10] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_11] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_12] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_15] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_19] "C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_20] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_21] "C:\Program Files\Windows Media Player\migrate.exe" /s
O4 - HKLM\..\RunOnce: [OE_WMPWPD_Install_2] C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_7] C:\WINDOWS\system32\drmupgds.exe
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1572088406-1351228934-6498272-3439\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'gfi')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O15 - ESC Trusted Zone: http://www.besttechie.net
O15 - ESC Trusted Zone: http://download1.eset.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1207595275437
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = _______.com
O17 - HKLM\Software\..\Telephony: DomainName = _________.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = _______.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O23 - Service: Big Brother SNM Server 2.30 (BigBrotherServer) - Unknown owner - C:\Program Files\Quest Software\Big Brother BTF\BBNTD\2.30\bin\bbntd.exe

--
End of file - 16034 bytes


Thanks for your Help!

Edited by jnixon, 20 August 2008 - 11:37 AM.


#9 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 20 August 2008 - 07:04 PM

jnixon,

Could you tell me what kind of symptoms you are experiencing right now? I would also like to know where you found out you had the worms you listed when you first posted the topic. Was it from your anti-virus?

Thanks!

#10 jnixon

  • Topic Starter
  • Members
  • 6 posts

Posted 21 August 2008 - 03:39 PM

Symptoms are that when the anti-virus scanner deletes these files, they automatically re-appear. Using NOD32 to detect these viruses.

#11 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 22 August 2008 - 09:20 PM

Hello again jnixon:

Do you know what the folder I have in bold is?

2008-06-17 13:58:03 0 d-------- C:\Documents and Settings\_______\Application Data\Identities

The following entry corresponds to an administrative lockdown for changing the options or homepage in Internet Explorer. I am going to include it for fixing in the HJT part of this post. If you or an administrator set it and you do not wish it changed, then do not put a check mark by it when you run the HJT part of the instructions.

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

1.)

Please run this Flash_Disinfector tool by sUBs ...

Flash disinfector

Just download the exe file and double-click on it to run it, then follow the instructions.

A box will pop up telling you to plug in your flash drive and click OK to start the disinfection. By the way, if you try to cross the box off with the X in the corner, it will run anyway. After a few seconds a box will pop up saying "done".

2.)

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).


O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_7] C:\WINDOWS\system32\drmupgds.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - ESC Trusted Zone: http://www.besttechie.net
O15 - ESC Trusted Zone: http://download1.eset.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = _______.com
O17 - HKLM\Software\..\Telephony: DomainName = _________.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = _______.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5074AC9A-0531-4A0E-8398-8DA9CD26AE02}: NameServer = 10.0.0.1,10.0.0.8




Then close all windows except HijackThis and click Fix Checked.



Use Windows Explorer to find and delete these file(s):

C:\WINDOWS\system32\drmupgds.exe

As an example, to delete C:\WINDOWS\badfile.dll:
Double-click the My Computer icon on your Desktop, or press the Windows key + E.
Double-click on Local Disk (C:).
Double-click on the Windows folder.
Right-click on badfile.dll and then, from the menu that appears, click on Delete.


Restart the computer.

3.)

  • Click Start and then Run to bring up the Run box.
  • Copy and paste the contents of this quote box into the run box:

    "%userprofile%\desktop\dss.exe" /daft

  • Click OK.
  • Click OK to the prompt from Deckard's System Scanner.
  • Click Scan.
  • Place a tick next to the following entries (if they are present).
    .cpl .js .vbs
  • Click Fix

4.)

Please run the F-Secure Online Scanner
Note: This scanner is for Internet Explorer only!
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

Please include the log from HJT and the report from F-Secure in your next reply.

Thanks!
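An added audit script, not part of this thread or of any tool it names: the Kaspersky report in post #4 lists autorun.inf together with a file named just .vbs at the root of several volumes, the pairing an autorun worm uses to get itself run again whenever the drive is opened or AutoPlay fires, and the steps above (Flash_Disinfector, showing protected operating system files) are aimed at exactly that. The Python below parses an autorun.inf, reports which launch keys would run a script host or a script file and whether the referenced file is present and hidden, and changes nothing, so it can be run against each drive root before and after the cleanup. The sample autorun.inf contents, the script-host and extension lists, and the file name autorun_audit.py are assumptions of the example.

```python
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Interpreters that execute whatever script or command follows them on the line.
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "mshta", "powershell"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")
LAUNCH_KEYS = {"open", "shellexecute"}  # plus shell\<verb>\command, matched by pattern below
HIDDEN_OR_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
# Constructed samples for the demo and tests: assumed shapes, not files taken from the thread.
WORM_SAMPLE = "[autorun]\r\nopen=wscript.exe .vbs\r\nshellexecute=wscript.exe .vbs\r\nshell\\open\\Command=wscript.exe .vbs\r\n"
BENIGN_SAMPLE = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor installer\r\nopen=setup.exe /autorun\r\n"


class Finding(NamedTuple):
    key: str
    command: str
    reasons: List[str]


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant [autorun] parse (lowercased key -> value); hand-rolled because worm-dropped files often carry a BOM, junk lines and duplicate keys."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())  # first duplicate wins
    return entries


def launch_commands(entries: Dict[str, str]) -> Iterator[Tuple[str, str]]:
    """Yield (key, command line) for every key that can cause code to run."""
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            yield key, value


def tokens(command: str) -> List[str]:
    """Split a command line on whitespace while keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def audit_text(text: str) -> List[Finding]:
    """Flag launch entries that invoke a script host, name a script file, or name a file that is nothing but an extension (the '.vbs' seen at the drive roots)."""
    findings: List[Finding] = []
    for key, command in launch_commands(parse_autorun(text)):
        parts = tokens(command) or [""]
        reasons: List[str] = []
        host = Path(parts[0]).name.lower()
        if host.rsplit(".", 1)[0] in SCRIPT_HOSTS:
            reasons.append(f"invokes script host {host}")
        for part in parts:
            name = Path(part).name.lower()
            if name.endswith(SCRIPT_EXTS):
                reasons.append(f"runs script file {part}")
            if name.startswith(".") and len(name) > 1:
                reasons.append(f"file name {part} is only an extension")
        if reasons:
            findings.append(Finding(key, command, reasons))
    return findings


def audit_root(root: Path) -> Tuple[List[Finding], Dict[str, dict]]:
    """Audit root/autorun.inf and, for each file a flagged entry references, record whether it exists at the root and carries the hidden/system attributes."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return [], {}
    findings = audit_text(inf.read_text(errors="replace"))
    referenced: Dict[str, dict] = {}
    for finding in findings:
        for part in tokens(finding.command):
            try:  # st_file_attributes exists only on Windows; elsewhere the flag is reported False
                attrs = getattr((root / part).stat(), "st_file_attributes", 0)
                referenced[part] = {"exists": True, "hidden_or_system": bool(attrs & HIDDEN_OR_SYSTEM)}
            except OSError:
                referenced[part] = {"exists": False, "hidden_or_system": False}
    return findings, referenced


def demo() -> Tuple[List[Finding], Dict[str, dict]]:
    # Lay the constructed worm-style sample out in a temp dir and audit it like a drive root.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_bytes(WORM_SAMPLE.encode())
        (root / ".vbs").write_text("' constructed placeholder, not script code\n")
        return audit_root(root)


if __name__ == "__main__":  # usage: python autorun_audit.py G:\ I:\ J:\   (no arguments: demo sample)
    for target in [Path(a) for a in sys.argv[1:]] or [None]:
        for f in (audit_root(target) if target else demo())[0]:
            print(f"{target or 'demo'}: {f.key}={f.command}  [{'; '.join(f.reasons)}]")
```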

#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 27 August 2008 - 07:19 PM

Hello,

I need to know if you still need assistance or if you have resolved your problem.

Thanks, :thumbsup:

#13 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 28 August 2008 - 06:18 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#14 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 29 August 2008 - 07:27 PM

Topic re-opened at user request.


#15 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 01 September 2008 - 07:57 AM

jnixon,


If you still require help I will need you to perform the actions I asked for in Post #11. If you are experiencing some kind of problem running them please let us know so that we can assist you. :thumbsup:



