

VIRTUMONDE REMOVAL


This topic is locked
42 replies to this topic

#1 sd123

sd123

  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 13 February 2009 - 08:02 PM

I've followed the preparation as instructed.
Here are the DDS report/attachment:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 19:48:31.98 on Fri 02/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.581 [GMT -5:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RegClean\RegClean.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\windows\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [NvCplDaemon] "c:\windows\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
mRun: [WINDVDPatch] "c:\windows\system32\CTHELPER.EXE"
mRun: [Jet Detection] "c:\program files\creative\sbaudigy\program\ADGJDet.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RegClean] "c:\program files\regclean\RegClean.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\natura~1.lnk - c:\program files\sec\natural color\NaturalColorLoad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: {D7F490B1-9F5D-4f27-A44B-FE5556114FDD} - c:\program files\directus\directus\Appstart.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
Trusted Zone: ormc.org\dynamicpacs
Trusted Zone: slchospital.org\pacs
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: MIW Deployment - hxxps://pacs.slchospital.org/downloads/MIWDeploy.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178396154450
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178455309295
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: LMIinit - LMIinit.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-12-7 29808]
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [2009-2-2 2560]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-4-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-5-15 47640]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2006-8-22 316992]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-12-7 3671408]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-9 1090936]
S0 antispywarebot;antispywarebot; [x]
S3 iscFlash;iscFlash; [x]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-5-21 280344]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-02-12 13:12 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-11 18:16 <DIR> --d----- c:\program files\directus
2009-02-11 17:49 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-11 17:47 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-11 17:47 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-11 17:47 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-11 17:47 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-11 17:47 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-11 17:47 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-11 17:47 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-11 17:47 <DIR> --d----- C:\8c3aa4f13d5f3e8e0520e9a343
2009-02-11 17:44 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-10 13:01 <DIR> --d----- C:\ComboFix
2009-02-10 13:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 21:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 21:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 20:58 <DIR> --d----- C:\Binaries
2009-02-09 20:57 1,553,272 a------- c:\windows\WRSetup.dll
2009-02-09 20:57 <DIR> --d----- c:\program files\Webroot
2009-02-09 20:57 <DIR> --d----- c:\docume~1\owner\applic~1\Webroot
2009-02-09 20:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-02-02 22:07 2,560 a------- c:\windows\system32\drivers\mchInjDrv.sys

==================== Find3M ====================

2009-02-09 20:45 164 a------- C:\install.dat
2009-01-29 18:46 1,635 a------- c:\docume~1\owner\applic~1\SAS7_000.DAT
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-04-20 18:02 20 a---h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2008-04-20 18:02 20 a---h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2008-10-27 22:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat
2008-10-28 09:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 19:48:52.17 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 22 February 2009 - 11:19 AM

Hi sd123,

Welcome to Bleeping Computer. m0le and I will be helping you with your log. :thumbup2:

We apologise for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

Please avoid changing anything on your computer (ie, downloading software) or taking unsupervised steps to remove any malware as this can make helping you much more difficult.

Please also try and reply regularly as long waits between instructions can make the fix much more difficult.

So give me some time to go through your log and, in the meantime, let me know if you have already solved the issues or no longer need my help.

Thanks.
m0le is a proud member of UNITE

#3 sd123


Posted 22 February 2009 - 07:06 PM

Hello!

I still have virtumonde on my computer, quarantined by Spysweeper.
I have also acquired Mal/EncPk-GR on a routine sweep and it too is quarantined by spysweeper (Sophos).
Await your instructions.
Thank you for your valued time and effort!

sd123

#4 m0le


Posted 23 February 2009 - 05:06 PM

Hi sd123,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

There are some things that require attention and I will go over these step by step. If you are unsure of anything I am saying then don't continue, just post a query and I will get you back on track.

Please avoid changing anything on your computer (ie, downloading software) or taking unsupervised steps to remove any malware as this can make helping you much more difficult.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.

Firstly, we need to remove all traces of antispywarebot and Regcleaner as these are both rogue programs.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

antispywarebot
RegClean


Additional instructions can be found here if needed.

Next,
Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double-click the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Can you also let me know what kinds of problems you are having with the PC.

Thanks, :thumbup2:
m0le is a proud member of UNITE
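The DDS report posted in this thread lists Run-key entries (`mRun:`/`uRun:`) and services/drivers (`R0`, `S3`, ...), printing `[x]` where a service's image file no longer exists on disk. As an added illustration, not code from the thread, from BleepingComputer or from the DDS tool, the following script parses those two line shapes and flags what a responder would look at first: the two names m0le identified as rogue programs, and any service registration whose file is missing. The sample lines are constructed to match the shapes in the posted report; `ROGUE_NAMES`, `parse_dds` and `audit_dds` are this example's own names.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the DDS "Pseudo HJT" and "SERVICES / DRIVERS" line
# formats, modelled on the shapes of lines in the report posted in this thread.
SAMPLE_DDS = """\
mRun: [RegClean] "c:\\program files\\regclean\\RegClean.exe"
mRun: [SpySweeper] "c:\\program files\\webroot\\webrootsecurity\\SpySweeperUI.exe" /startintray
uRun: [ctfmon.exe] "c:\\windows\\system32\\ctfmon.exe"
R0 ssfs0bbc;ssfs0bbc;c:\\windows\\system32\\drivers\\ssfs0bbc.sys [2008-12-7 29808]
R2 WRConsumerService;Webroot Client Service;c:\\program files\\webroot\\webrootsecurity\\WRConsumerService.exe [2009-2-9 1090936]
S0 antispywarebot;antispywarebot; [x]
S3 iscFlash;iscFlash; [x]
"""

# Program names the helper called out as rogue in this thread (assumption:
# a real responder would keep a larger, maintained list).
ROGUE_NAMES = {"antispywarebot", "regclean"}

RUN_RE = re.compile(r'^([um]Run):\s+\[([^\]]+)\]\s+(.*)$')
SERVICE_RE = re.compile(r'^([RS][0-4])\s+([^;]+);([^;]*);(.*)$')


def _exe_path(command: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def parse_dds(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Run-key and service/driver lines of a DDS report into records.

    Each record has the entry kind (mRun/uRun or R0..S4 state code), the entry
    name, and the image path, or None when DDS printed "[x]" (file not found).
    """
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            records.append({"kind": hive, "name": name, "path": _exe_path(command)})
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _description, rest = m.groups()
            rest = rest.strip()
            # DDS appends " [date size]" after a path that exists; "[x]" alone
            # means the service's image file was not found on disk.
            path = None if rest == "[x]" else rest.rsplit(" [", 1)[0]
            records.append({"kind": state, "name": name, "path": path})
    return records


def audit_dds(text: str) -> List[Dict[str, str]]:
    """Flag entries worth the responder's attention.

    Two checks: names on the rogue list, and service registrations whose
    image file is missing (stale or orphaned entries that still load at boot
    or on demand and are a common leftover of a failed uninstall).
    """
    findings: List[Dict[str, str]] = []
    for rec in parse_dds(text):
        if rec["name"].lower() in ROGUE_NAMES:
            findings.append({"name": rec["name"], "reason": "known rogue program"})
        elif rec["path"] is None:
            findings.append({"name": rec["name"], "reason": "service image file not found"})
    return findings


if __name__ == "__main__":
    for finding in audit_dds(SAMPLE_DDS):
        print(f"{finding['name']}: {finding['reason']}")
```

Run against the sample it reports RegClean and antispywarebot as rogue and iscFlash as a service whose file is missing; the Webroot entries and ctfmon.exe pass, since the script only flags what the two checks support rather than guessing at every unfamiliar driver.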

#5 sd123


Posted 23 February 2009 - 06:38 PM

Hi m0le!

My primary problems consist of failed booting with freeze-ups and slow computing, which was not the case until virtumonde arrived. I'm also concerned about its reported capability to steal data.

I successfully removed RegClean but have been unable to remove Antispywarebot for approximately one year now and actually have 2 copies of it on the machine. Whenever I attempt to uninstall it, I receive the following error message:

FATAL ERROR OCCURRED REMOVING DRIVER:
UNINSTALLFILTERDRIVER.LOAD LIB
THE SPECIFIED MODULE COULD NOT BE FOUND

So, I have not yet run OTViewit pending the removal of Antispywarebot. Thanks.


sd123

#6 m0le


Posted 23 February 2009 - 06:57 PM

Hi sd123,

Okay, that's no problem.

Can you run OTViewIt now and paste the logs?

Cheers. :thumbup2:
m0le is a proud member of UNITE

#7 sd123


Posted 23 February 2009 - 08:28 PM

m0le,
Here is the OTViewIt scan result:

OTViewIt logfile created on: 2/23/2009 8:20:59 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 664.76 Mb Available Physical Memory | 64.96% Memory free
2.40 Gb Paging File | 2.11 Gb Available in Paging File | 87.96% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 56.01 Gb Free Space | 75.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009/01/20 09:07:50 | 01,090,936 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
[2002/02/07 19:01:24 | 00,040,960 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2008/04/06 18:08:50 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
File not found -- C:\Program Files\RegClean\RegClean.exe
[2009/01/20 09:08:06 | 06,278,520 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
[2002/04/12 13:39:24 | 00,155,715 | ---- | M] () -- C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
[2006/10/16 15:10:22 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
[2007/04/03 15:18:08 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
[2008/10/16 19:35:26 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
[2001/08/30 23:56:00 | 00,057,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
[2008/12/07 21:25:50 | 03,671,408 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
[2008/12/07 21:25:50 | 00,181,616 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
[2004/08/04 02:56:53 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
[2008/12/19 00:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/02/23 20:20:38 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/04/03 15:18:08 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND [Auto | Running])
[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/16 19:35:26 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint [Auto | Running])
[2007/04/17 13:03:52 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn [Disabled | Stopped])
[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2001/08/30 23:56:00 | 00,057,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/05/05 11:07:53 | 00,045,056 | ---- | M] (LANovation) -- C:\WINDOWS\system32\PCTKRNT.SYS -- (PictureTaker [On_Demand | Stopped])
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer [Auto | Running])
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer [Auto | Running])
[2008/12/07 21:25:50 | 03,671,408 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
[2009/01/20 09:07:50 | 01,090,936 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services ==========

[2001/08/17 08:28:00 | 00,871,388 | ---- | M] (BCM) -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem [On_Demand | Running])
[2002/02/28 10:15:12 | 00,114,912 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTAC32K.SYS -- (ctac32k [On_Demand | Running])
[2002/02/28 10:16:44 | 00,834,100 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2002/02/28 10:16:58 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTPRXY2K.SYS -- (ctprxy2k [On_Demand | Running])
[2002/02/28 10:17:14 | 00,211,724 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k [On_Demand | Running])
[2007/01/18 13:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
[2007/04/03 15:17:08 | 00,306,295 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Running])
[2007/01/23 23:23:16 | 00,127,376 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE [On_Demand | Running])
[2002/02/11 09:23:18 | 00,119,808 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2002/02/28 10:17:24 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\EMUPIA2K.SYS -- (emupia [On_Demand | Running])
[2002/02/28 10:18:06 | 00,991,672 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2004/08/04 01:58:34 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2008/06/28 14:10:27 | 00,012,856 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo [Auto | Running])
[2007/04/17 13:00:30 | 00,010,144 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\lmimirr.sys -- (lmimirr [On_Demand | Running])
[2008/10/16 19:35:58 | 00,083,288 | ---- | M] (LogMeIn, Inc.) -- C:\windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP [Disabled | Stopped])
[2008/07/24 17:46:08 | 00,047,640 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver [Auto | Running])
[2005/10/21 06:25:32 | 00,013,396 | ---- | M] () -- C:\WINDOWS\system32\drivers\MTiCtwl.sys -- (MagicTune [System | Running])
[2009/02/02 22:32:39 | 00,002,560 | ---- | M] () -- C:\WINDOWS\system32\drivers\mchInjDrv.sys -- (mchInjDrv [System | Running])
[2001/08/17 08:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2001/08/30 23:56:00 | 00,829,305 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv4 [On_Demand | Running])
[2004/08/04 01:03:35 | 00,088,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
[2001/08/30 05:30:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb [Auto | Running])
[2001/08/30 05:30:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
[2002/02/28 10:16:56 | 00,195,268 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/30 05:30:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2006/12/21 06:30:02 | 00,090,688 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\system32\drivers\sentinel.sys -- (Sentinel [Auto | Running])
[2006/12/21 06:30:02 | 00,033,504 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB [On_Demand | Stopped])
[2008/12/07 21:26:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
[2008/12/07 21:26:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sshrmd.sys -- (sshrmd [Boot | Running])
[2008/12/07 21:26:04 | 00,170,608 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssidrv.sys -- (ssidrv [Boot | Running])
[2004/08/04 02:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2005/01/26 07:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [On_Demand | Stopped])
[2001/08/30 05:30:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"First Home Page"=http://go.microsoft.com/fwlink/?LinkId=54843
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.msn.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (77 bytes) - C:\windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
195.245.119.131 browser-security.microsoft.com

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup (InstallShield Software Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"="C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"WINDVDPatch"="C:\WINDOWS\system32\CTHELPER.EXE" (Creative Technology Ltd)

========== (O4) RunOnce Keys ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (Adobe Systems, Inc.)

========== (O4) Startup Folders ==========

[2007/04/03 15:18:14 | 01,537,064 | ---- | M] (Cisco Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
[2007/05/05 11:07:57 | 00,569,344 | ---- | M] (LANovation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
[2002/04/12 13:39:24 | 00,155,715 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
[2006/10/16 15:10:22 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoControlPanel"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoControlPanel"=0
"NoWindowsUpdate"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0
"DisableTaskMgr"=0

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [2007/09/25 00:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{D7F490B1-9F5D-4f27-A44B-FE5556114FDD}: Button: directus -- %ProgramFiles%\directus\directus\AppStart.exe [2007/08/13 18:42:56 | 00,020,480 | ---- | M] ( )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
ormc.org\dynamicpacs: https in My Computer
slchospital.org\pacs: http in My Computer
28 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/F/D...heckControl.cab -- Windows Genuine Advantage Validation Tool
{406B5949-7190-4245-91A9-30A17DE16AD0}: http://www1.snapfish.com/SnapfishActivia.cab -- Snapfish Activia
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1178396154450 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftupdat...b?1178455309295 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{9600F64D-755F-11D4-A47F-0001023E6D5A}: http://web1.shutterfly.com/downloads/Uploader.cab -- Shutterfly Picture Upload Plugin
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
MIW Deployment: https://pacs.slchospital.org/downloads/MIWDeploy.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{0825CB16-D8E8-4DE4-B68F-94E9ED31EA9B} (Servers: | Description: )
{37FB1749-857F-4EAE-B723-E5F96CDBE256} (Servers: | Description: 1394 Net Adapter)
{5D9C6234-2240-4D8E-9BCF-64F8F5709040} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
LMIinit: "DllName" = LMIinit.dll -- C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,OWS\S
>File not found --

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,ecurity Packages settings...,==
>File not found --
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/05/05 10:39:06 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[230 C:\windows\System32\*.tmp files]
[5 C:\windows\*.tmp files]
[2009/02/23 20:20:36 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/02/19 19:27:51 | 00,016,896 | ---- | C] () -- C:\windows\syssvc.exe
[2009/02/13 19:12:48 | 00,368,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/02/12 13:12:04 | 00,000,690 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2009/02/12 13:12:01 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/02/11 18:16:24 | 00,002,435 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\directus.lnk
[2009/02/11 18:16:22 | 00,000,000 | ---D | C] -- C:\Program Files\directus
[2009/02/11 17:49:09 | 00,000,000 | ---D | C] -- C:\windows\System32\XPSViewer
[2009/02/11 17:49:01 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/02/11 17:48:46 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/02/11 17:47:33 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\prntvpt.dll
[2009/02/11 17:47:33 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\filterpipelineprintproc.dll
[2009/02/11 17:47:32 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xpssvcs.dll
[2009/02/11 17:47:32 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\xpssvcs.dll
[2009/02/11 17:47:32 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\printfilterpipelinesvc.exe
[2009/02/11 17:47:32 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xpsshhdr.dll
[2009/02/11 17:47:32 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\xpsshhdr.dll
[2009/02/11 17:47:31 | 00,000,000 | ---D | C] -- C:\8c3aa4f13d5f3e8e0520e9a343
[2009/02/11 17:46:29 | 00,000,000 | R-SD | C] -- C:\windows\assembly
[2009/02/11 17:45:46 | 00,000,000 | ---D | C] -- C:\windows\Microsoft.NET
[2009/02/11 17:44:22 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/02/10 14:24:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/10 13:01:43 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/02/10 13:01:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/10 13:01:37 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/02/10 12:50:53 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/02/09 21:07:09 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2009/02/09 21:07:07 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2009/02/09 20:58:40 | 00,511,328 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\capicom.dll
[2009/02/09 20:58:40 | 00,001,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus.lnk
[2009/02/09 20:58:24 | 00,000,000 | ---D | C] -- C:\Binaries
[2009/02/09 20:57:50 | 01,553,272 | ---- | C] (Webroot Software, Inc.) -- C:\windows\WRSetup.dll
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Program Files\Webroot
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Webroot
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2009/02/02 22:07:46 | 00,002,560 | ---- | C] () -- C:\windows\System32\drivers\mchInjDrv.sys

========== Files - Modified Within 30 Days ==========

[230 C:\windows\System32\*.tmp files]
[5 C:\windows\*.tmp files]
[2009/02/23 20:20:38 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/02/23 06:42:53 | 00,508,956 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2009/02/23 06:42:53 | 00,432,356 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2009/02/23 06:42:53 | 00,067,312 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2009/02/23 06:39:02 | 00,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2009/02/23 06:38:28 | 00,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2009/02/23 06:38:26 | 00,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2009/02/22 20:46:22 | 00,023,244 | ---- | M] () -- C:\windows\System32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/22 20:46:22 | 00,023,244 | ---- | M] () -- C:\windows\System32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/22 20:46:21 | 00,018,648 | ---- | M] () -- C:\windows\System32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/22 20:46:21 | 00,018,648 | ---- | M] () -- C:\windows\System32\BMXState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/22 20:46:21 | 00,001,080 | ---- | M] () -- C:\windows\System32\settingsbkup.sfm
[2009/02/22 20:46:21 | 00,001,080 | ---- | M] () -- C:\windows\System32\settings.sfm
[2009/02/22 20:46:21 | 00,000,024 | ---- | M] () -- C:\windows\System32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
[2009/02/22 20:46:21 | 00,000,024 | ---- | M] () -- C:\windows\System32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
[2009/02/22 19:08:16 | 00,000,142 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RAPC Home.url
[2009/02/22 18:41:24 | 00,000,047 | ---- | M] () -- C:\windows\webica.ini
[2009/02/22 15:24:21 | 04,323,492 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/02/20 03:30:00 | 00,000,386 | ---- | M] () -- C:\windows\tasks\RegClean Scheduled Scan.job
[2009/02/19 20:30:15 | 00,001,755 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\SAS7_000.DAT
[2009/02/19 19:27:51 | 00,016,896 | ---- | M] () -- C:\windows\syssvc.exe
[2009/02/19 18:47:31 | 00,000,077 | ---- | M] () -- C:\windows\System32\drivers\etc\HOSTS
[2009/02/18 22:29:07 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/02/14 18:56:52 | 00,000,172 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SLC PACS.url
[2009/02/14 13:39:21 | 00,012,005 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\TOWACO WEATHER.url
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\Owner\Desktop\TOWACO WEATHER.url:favicon
[2009/02/13 19:12:49 | 00,368,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/02/12 17:08:49 | 00,054,156 | -H-- | M] () -- C:\windows\QTFont.qfn
[2009/02/12 13:12:04 | 00,000,690 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2009/02/11 20:43:59 | 00,127,704 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2009/02/11 18:30:50 | 00,023,320 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/11 18:30:47 | 00,002,435 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\directus.lnk
[2009/02/11 18:30:35 | 00,001,142 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2009/02/10 21:59:42 | 00,001,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Stock Trading and Investing.url
@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Stock Trading and Investing.url:favicon
[2009/02/10 21:58:08 | 00,028,482 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MARKETWATCH.url
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\Owner\Desktop\MARKETWATCH.url:favicon
[2009/02/10 14:24:43 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/10 12:55:00 | 00,000,227 | ---- | M] () -- C:\windows\system.ini
[2009/02/09 20:58:40 | 00,001,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus.lnk
[2009/02/09 20:45:33 | 00,000,164 | ---- | M] () -- C:\install.dat
[2009/02/09 19:50:35 | 00,000,028 | ---- | M] () -- C:\windows\ODBC.INI
[2009/02/03 18:21:12 | 21,244,864 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MRT.exe
[2009/02/02 22:32:39 | 00,002,560 | ---- | M] () -- C:\windows\System32\drivers\mchInjDrv.sys
< End of report >
Here is the Extra.txt:
OTViewIt Extras logfile created on: 2/23/2009 8:20:59 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 664.76 Mb Available Physical Memory | 64.96% Memory free
2.40 Gb Paging File | 2.11 Gb Available in Paging File | 87.96% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 56.01 Gb Free Space | 75.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DisableNotifications"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/07/25 12:02:08 | 02,769,920 | ---- | M] () -- C:\Program Files\Supplement Review Worksheet\SupplementWorksheet.exe:*:Enabled:SupplementWorksheet
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe:*:Disabled:Sentinel Keys Server
[2004/08/04 02:56:54 | 00,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe:*:Enabled:NTVDM.EXE
[2007/03/02 15:01:40 | 08,503,296 | ---- | M] (ADS) -- C:\Program Files\ADS\MedicsPremier\ADS.exe:*:Enabled:ADS
[2007/02/09 11:25:40 | 03,084,288 | ---- | M] (DBS GmbH) -- C:\Program Files\ADS\Transcription\Transcription.exe:*:Enabled:Transcription
[2007/02/09 11:24:42 | 05,828,608 | ---- | M] (Patterson, Gray & Associates, Inc.) -- C:\Program Files\ADS\PhysicianDesktop\PhysicianDesktop.exe:*:Enabled:PhysicianDesktop
File not found -- C:\WINDOWS\svcho.exe:*:Enabled:enable

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] -- C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
msdaipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09D4F215-8960-4E0E-A2CC-C5A062113503}"=Crazy Machines
"{10B3936F-0E93-4431-8E7B-3FEA5DAC88C3}"=Garmin Communicator Plugin
"{12383085-49EA-4BC9-8CD3-4A18EFDF9F81}"=LogMeIn
"{1A028EBB-EDF5-4DC6-ABD3-362D9941CBAC}"=AntiSpywareBot
"{21A564C8-55AD-426D-96A2-04954620D6B6}"=Medics Premier
"{28C69E01-0147-402D-A105-E423B359AB93}"=Medics Transcription
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}"=MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}"=Spy Sweeper Core
"{40570EBE-8E9D-456B-957A-C984A74C5D18}"=AntiSpywareBot
"{48435D4A-BDAF-4AC3-B172-B25F1AADE6C6}"=Driver & Utility
"{4BEFDA67-40AA-4882-91D3-6430C3B6B87E}"=directus
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}"=VPN Client
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=EOS Capture 1.2
"{75C023EC-64A0-44F7-9D99-C6F6E21EB6F0}"=Do More
"{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1"=Webroot AntiVirus with AntiSpyware
"{8380AB60-F13A-11D1-BA13-0060080329EF}"=IOC ViewStation
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{90840409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Excel Viewer 2003
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Audigy
"{92948172-2857-44BA-B254-5E23AE251C86}"=MT4.0
"{94357968-F644-4413-8243-13EF93A220D4}"=Physician's Desktop
"{95120000-00AF-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint Viewer 2007 (English)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}"=WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}"=Nikon Message Center
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}"=Dragon NaturallySpeaking 9
"{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon Camera WIA Driver
"{EDFE2142-CFB3-44AB-A961-DE85F6408A28}"=Sentinel Protection Installer 7.3.2
"{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}"=Natural Color
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}"=PictureProject
"Arthur's Reading Race"=Arthur's Reading Race
"CANONBJ_Deinstall_CNMCP69.DLL"=Canon PIXMA iP6000D
"CCleaner"=CCleaner (remove only)
"Citrix ICA Web Client"=Citrix ICA Web Client
"Dr Neubrander's Appointments_is1"=My Appointments
"Dr. Neubrander's Established Patient Packet_is1"=Dr. Neubrander's Established Patient Packet
"Dr. Seuss™ Kindergarten"=Dr. Seuss™ Kindergarten
"Easy-PhotoPrint"=Canon Utilities Easy-PhotoPrint
"EPSON Photo!3 Ver.1.40"=EPSON Photo!3
"FG_1.0"=1st Grade v1.0
"Gateway IE Customizations"=Gateway IE Customizations
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=Canon Utilities EOS Capture 1.2
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"InstallShield_{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon EOS 20D WIA Driver
"IrfanView"=IrfanView (remove only)
"JumpStart Advanced 1st Grade"=JumpStart Advanced 1st Grade
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Math 1"=Math 1
"Math 2"=Math 2
"Math Missions Grades K-2"=Math Missions Grades K-2
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"PictureProject In Touch Downloader"=PictureProject In Touch Downloader 1.0
"PROSet"=Intel® PRO Ethernet Adapter and Software
"PX: {34E29B52-7A91-4D77-A91F-1131E1697C16}"=DoMore
"Reader Rabbit Reading Ages 6-9"=Reader Rabbit Reading Ages 6-9
"ShockwaveFlash"=Macromedia Flash Player 8
"SpywareBlaster_is1"=SpywareBlaster 4.1
"Supplement Review Worksheet_is1"=Supplement Review WorkSheet Ver 1.47
"Thinkin' Science"=Edmark - Thinkin' Science
"Viewer97"=Microsoft Word Viewer 97
"WIC"=Windows Imaging Component

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/11/2009 7:48:12 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:15 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:16 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:20 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/14/2009 7:53:54 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:54:56 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application ADS.exe, version 1.1.0.18, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:06:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:07:48 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/23/2009 7:24:37 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:37 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:37 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:37 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >


sd123

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 24 February 2009 - 02:49 PM

Thanks for the logs. We will next run Malwarebytes Anti-Malware:
  • If you still have your version of MBAM then please use that
  • Make sure you update the program before running.
  • Please run a Full System Scan.
Please paste the results in your next reply.

Can I also have a new OTViewIt log?

Thanks
m0le is a proud member of UNITE

#9 sd123

sd123
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:57 PM

Posted 24 February 2009 - 08:44 PM

MBAM has never detected Virtumonde on my machine. Spy Sweeper auto-quarantines multiple copies of it whenever I clean temporary files with CCleaner.

Tonight's MBAM logfile:
Malwarebytes' Anti-Malware 1.34
Database version: 1800
Windows 5.1.2600 Service Pack 2

2/24/2009 8:33:53 PM
mbam-log-2009-02-24 (20-33-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110185
Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***********************
OTViewIt logfile created on: 2/24/2009 8:39:12 PM - Run 2
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 662.94 Mb Available Physical Memory | 64.78% Memory free
2.40 Gb Paging File | 2.10 Gb Available in Paging File | 87.26% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 56.01 Gb Free Space | 75.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009/01/20 09:07:50 | 01,090,936 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
[2002/02/07 19:01:24 | 00,040,960 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2008/04/06 18:08:50 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
[2009/01/20 09:08:06 | 06,278,520 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
[2002/04/12 13:39:24 | 00,155,715 | ---- | M] () -- C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
[2006/10/16 15:10:22 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
[2007/04/03 15:18:08 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
[2008/10/16 19:35:26 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
[2001/08/30 23:56:00 | 00,057,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
[2008/12/07 21:25:50 | 03,671,408 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
[2008/12/07 21:25:50 | 00,181,616 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
[2004/08/04 02:56:53 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
[2008/12/19 00:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/02/23 20:20:38 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/04/03 15:18:08 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND [Auto | Running])
[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/16 19:35:26 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint [Auto | Running])
[2007/04/17 13:03:52 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn [Disabled | Stopped])
[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2001/08/30 23:56:00 | 00,057,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/05/05 11:07:53 | 00,045,056 | ---- | M] (LANovation) -- C:\WINDOWS\system32\PCTKRNT.SYS -- (PictureTaker [On_Demand | Stopped])
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer [Auto | Running])
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer [Auto | Running])
[2008/12/07 21:25:50 | 03,671,408 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
[2009/01/20 09:07:50 | 01,090,936 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services ==========

[2001/08/17 08:28:00 | 00,871,388 | ---- | M] (BCM) -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem [On_Demand | Running])
[2002/02/28 10:15:12 | 00,114,912 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTAC32K.SYS -- (ctac32k [On_Demand | Running])
[2002/02/28 10:16:44 | 00,834,100 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2002/02/28 10:16:58 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTPRXY2K.SYS -- (ctprxy2k [On_Demand | Running])
[2002/02/28 10:17:14 | 00,211,724 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k [On_Demand | Running])
[2007/01/18 13:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
[2007/04/03 15:17:08 | 00,306,295 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Running])
[2007/01/23 23:23:16 | 00,127,376 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE [On_Demand | Running])
[2002/02/11 09:23:18 | 00,119,808 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2002/02/28 10:17:24 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\EMUPIA2K.SYS -- (emupia [On_Demand | Running])
[2002/02/28 10:18:06 | 00,991,672 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2004/08/04 01:58:34 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2008/06/28 14:10:27 | 00,012,856 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo [Auto | Running])
[2007/04/17 13:00:30 | 00,010,144 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\lmimirr.sys -- (lmimirr [On_Demand | Running])
[2008/10/16 19:35:58 | 00,083,288 | ---- | M] (LogMeIn, Inc.) -- C:\windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP [Disabled | Stopped])
[2008/07/24 17:46:08 | 00,047,640 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver [Auto | Running])
[2005/10/21 06:25:32 | 00,013,396 | ---- | M] () -- C:\WINDOWS\system32\drivers\MTiCtwl.sys -- (MagicTune [System | Running])
[2009/02/02 22:32:39 | 00,002,560 | ---- | M] () -- C:\WINDOWS\system32\drivers\mchInjDrv.sys -- (mchInjDrv [System | Running])
[2001/08/17 08:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2001/08/30 23:56:00 | 00,829,305 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv4 [On_Demand | Running])
[2004/08/04 01:03:35 | 00,088,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
[2001/08/30 05:30:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb [Auto | Running])
[2001/08/30 05:30:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
[2002/02/28 10:16:56 | 00,195,268 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/30 05:30:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2006/12/21 06:30:02 | 00,090,688 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\system32\drivers\sentinel.sys -- (Sentinel [Auto | Running])
[2006/12/21 06:30:02 | 00,033,504 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB [On_Demand | Stopped])
[2008/12/07 21:26:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
[2008/12/07 21:26:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sshrmd.sys -- (sshrmd [Boot | Running])
[2008/12/07 21:26:04 | 00,170,608 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssidrv.sys -- (ssidrv [Boot | Running])
[2004/08/04 02:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2005/01/26 07:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [On_Demand | Stopped])
[2001/08/30 05:30:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"First Home Page"=http://go.microsoft.com/fwlink/?LinkId=54843
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.msn.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (77 bytes) - C:\windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
195.245.119.131 browser-security.microsoft.com

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup (InstallShield Software Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"="C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"WINDVDPatch"="C:\WINDOWS\system32\CTHELPER.EXE" (Creative Technology Ltd)

========== (O4) Startup Folders ==========

[2007/04/03 15:18:14 | 01,537,064 | ---- | M] (Cisco Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
[2007/05/05 11:07:57 | 00,569,344 | ---- | M] (LANovation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
[2002/04/12 13:39:24 | 00,155,715 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
[2006/10/16 15:10:22 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoControlPanel"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoControlPanel"=0
"NoWindowsUpdate"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0
"DisableTaskMgr"=0

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [2007/09/25 00:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{D7F490B1-9F5D-4f27-A44B-FE5556114FDD}: Button: directus -- %ProgramFiles%\directus\directus\AppStart.exe [2007/08/13 18:42:56 | 00,020,480 | ---- | M] ( )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
ormc.org\dynamicpacs: https in My Computer
slchospital.org\pacs: http in My Computer
28 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/F/D...heckControl.cab -- Windows Genuine Advantage Validation Tool
{406B5949-7190-4245-91A9-30A17DE16AD0}: http://www1.snapfish.com/SnapfishActivia.cab -- Snapfish Activia
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1178396154450 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftupdat...b?1178455309295 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{9600F64D-755F-11D4-A47F-0001023E6D5A}: http://web1.shutterfly.com/downloads/Uploader.cab -- Shutterfly Picture Upload Plugin
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
MIW Deployment: https://pacs.slchospital.org/downloads/MIWDeploy.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{0825CB16-D8E8-4DE4-B68F-94E9ED31EA9B} (Servers: | Description: )
{37FB1749-857F-4EAE-B723-E5F96CDBE256} (Servers: | Description: 1394 Net Adapter)
{5D9C6234-2240-4D8E-9BCF-64F8F5709040} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
LMIinit: "DllName" = LMIinit.dll -- C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,OWS\S
>File not found --

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,ecurity Packages settings...,==
>File not found --
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/05/05 10:39:06 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[230 C:\windows\System32\*.tmp files]
[5 C:\windows\*.tmp files]
[2009/02/24 13:01:04 | 00,247,808 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\QUESTIONNAIRE, CNC Autism Intake Questionnaire, Version 3.doc
[2009/02/24 12:58:20 | 00,344,808 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CNC Questionere.eml
[2009/02/23 20:20:36 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/02/19 19:27:51 | 00,016,896 | ---- | C] () -- C:\windows\syssvc.exe
[2009/02/13 19:12:48 | 00,368,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/02/12 13:12:04 | 00,000,690 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2009/02/12 13:12:01 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/02/11 18:16:24 | 00,002,435 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\directus.lnk
[2009/02/11 18:16:22 | 00,000,000 | ---D | C] -- C:\Program Files\directus
[2009/02/11 17:49:09 | 00,000,000 | ---D | C] -- C:\windows\System32\XPSViewer
[2009/02/11 17:49:01 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/02/11 17:48:46 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/02/11 17:47:33 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\prntvpt.dll
[2009/02/11 17:47:33 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\filterpipelineprintproc.dll
[2009/02/11 17:47:32 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xpssvcs.dll
[2009/02/11 17:47:32 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\xpssvcs.dll
[2009/02/11 17:47:32 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\printfilterpipelinesvc.exe
[2009/02/11 17:47:32 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xpsshhdr.dll
[2009/02/11 17:47:32 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\xpsshhdr.dll
[2009/02/11 17:47:31 | 00,000,000 | ---D | C] -- C:\8c3aa4f13d5f3e8e0520e9a343
[2009/02/11 17:46:29 | 00,000,000 | R-SD | C] -- C:\windows\assembly
[2009/02/11 17:45:46 | 00,000,000 | ---D | C] -- C:\windows\Microsoft.NET
[2009/02/11 17:44:22 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/02/10 14:24:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/10 13:01:43 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/02/10 13:01:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/10 13:01:37 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/02/10 12:50:53 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/02/09 21:07:09 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2009/02/09 21:07:07 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2009/02/09 20:58:40 | 00,511,328 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\capicom.dll
[2009/02/09 20:58:40 | 00,001,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus.lnk
[2009/02/09 20:58:24 | 00,000,000 | ---D | C] -- C:\Binaries
[2009/02/09 20:57:50 | 01,553,272 | ---- | C] (Webroot Software, Inc.) -- C:\windows\WRSetup.dll
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Program Files\Webroot
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Webroot
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2009/02/02 22:07:46 | 00,002,560 | ---- | C] () -- C:\windows\System32\drivers\mchInjDrv.sys

========== Files - Modified Within 30 Days ==========

[230 C:\windows\System32\*.tmp files]
[5 C:\windows\*.tmp files]
[2009/02/24 13:01:04 | 00,247,808 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\QUESTIONNAIRE, CNC Autism Intake Questionnaire, Version 3.doc
[2009/02/24 12:58:20 | 00,344,808 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CNC Questionere.eml
[2009/02/24 07:54:28 | 00,508,956 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2009/02/24 07:54:28 | 00,432,356 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2009/02/24 07:54:28 | 00,067,312 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2009/02/24 07:50:36 | 00,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2009/02/24 07:50:05 | 00,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2009/02/24 07:50:02 | 00,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2009/02/23 22:12:03 | 00,023,244 | ---- | M] () -- C:\windows\System32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/23 22:12:03 | 00,023,244 | ---- | M] () -- C:\windows\System32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/23 22:12:03 | 00,018,648 | ---- | M] () -- C:\windows\System32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/23 22:12:03 | 00,018,648 | ---- | M] () -- C:\windows\System32\BMXState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/23 22:12:03 | 00,001,080 | ---- | M] () -- C:\windows\System32\settingsbkup.sfm
[2009/02/23 22:12:03 | 00,001,080 | ---- | M] () -- C:\windows\System32\settings.sfm
[2009/02/23 22:12:03 | 00,000,024 | ---- | M] () -- C:\windows\System32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
[2009/02/23 22:12:03 | 00,000,024 | ---- | M] () -- C:\windows\System32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
[2009/02/23 22:09:49 | 00,000,142 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RAPC Home.url
[2009/02/23 22:09:02 | 00,000,047 | ---- | M] () -- C:\windows\webica.ini
[2009/02/23 20:20:38 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/02/22 15:24:21 | 04,323,492 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/02/20 03:30:00 | 00,000,386 | ---- | M] () -- C:\windows\tasks\RegClean Scheduled Scan.job
[2009/02/19 20:30:15 | 00,001,755 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\SAS7_000.DAT
[2009/02/19 19:27:51 | 00,016,896 | ---- | M] () -- C:\windows\syssvc.exe
[2009/02/19 18:47:31 | 00,000,077 | ---- | M] () -- C:\windows\System32\drivers\etc\HOSTS
[2009/02/18 22:29:07 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/02/14 18:56:52 | 00,000,172 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SLC PACS.url
[2009/02/14 13:39:21 | 00,012,005 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\TOWACO WEATHER.url
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\Owner\Desktop\TOWACO WEATHER.url:favicon
[2009/02/13 19:12:49 | 00,368,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/02/12 17:08:49 | 00,054,156 | -H-- | M] () -- C:\windows\QTFont.qfn
[2009/02/12 13:12:04 | 00,000,690 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2009/02/11 20:43:59 | 00,127,704 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2009/02/11 18:30:50 | 00,023,320 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/11 18:30:47 | 00,002,435 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\directus.lnk
[2009/02/11 18:30:35 | 00,001,142 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2009/02/10 21:59:42 | 00,001,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Stock Trading and Investing.url
@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Stock Trading and Investing.url:favicon
[2009/02/10 21:58:08 | 00,028,482 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MARKETWATCH.url
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\Owner\Desktop\MARKETWATCH.url:favicon
[2009/02/10 14:24:43 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/10 12:55:00 | 00,000,227 | ---- | M] () -- C:\windows\system.ini
[2009/02/09 20:58:40 | 00,001,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus.lnk
[2009/02/09 20:45:33 | 00,000,164 | ---- | M] () -- C:\install.dat
[2009/02/09 19:50:35 | 00,000,028 | ---- | M] () -- C:\windows\ODBC.INI
[2009/02/03 18:21:12 | 21,244,864 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MRT.exe
[2009/02/02 22:32:39 | 00,002,560 | ---- | M] () -- C:\windows\System32\drivers\mchInjDrv.sys
< End of report >
*******************
OTViewIt Extras logfile created on: 2/24/2009 8:39:12 PM - Run 2
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 662.94 Mb Available Physical Memory | 64.78% Memory free
2.40 Gb Paging File | 2.10 Gb Available in Paging File | 87.26% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 56.01 Gb Free Space | 75.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DisableNotifications"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/07/25 12:02:08 | 02,769,920 | ---- | M] () -- C:\Program Files\Supplement Review Worksheet\SupplementWorksheet.exe:*:Enabled:SupplementWorksheet
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe:*:Disabled:Sentinel Keys Server
[2004/08/04 02:56:54 | 00,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe:*:Enabled:NTVDM.EXE
[2007/03/02 15:01:40 | 08,503,296 | ---- | M] (ADS) -- C:\Program Files\ADS\MedicsPremier\ADS.exe:*:Enabled:ADS
[2007/02/09 11:25:40 | 03,084,288 | ---- | M] (DBS GmbH) -- C:\Program Files\ADS\Transcription\Transcription.exe:*:Enabled:Transcription
[2007/02/09 11:24:42 | 05,828,608 | ---- | M] (Patterson, Gray & Associates, Inc.) -- C:\Program Files\ADS\PhysicianDesktop\PhysicianDesktop.exe:*:Enabled:PhysicianDesktop
File not found -- C:\WINDOWS\svcho.exe:*:Enabled:enable

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] -- C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
msdaipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09D4F215-8960-4E0E-A2CC-C5A062113503}"=Crazy Machines
"{10B3936F-0E93-4431-8E7B-3FEA5DAC88C3}"=Garmin Communicator Plugin
"{12383085-49EA-4BC9-8CD3-4A18EFDF9F81}"=LogMeIn
"{1A028EBB-EDF5-4DC6-ABD3-362D9941CBAC}"=AntiSpywareBot
"{21A564C8-55AD-426D-96A2-04954620D6B6}"=Medics Premier
"{28C69E01-0147-402D-A105-E423B359AB93}"=Medics Transcription
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}"=MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}"=Spy Sweeper Core
"{40570EBE-8E9D-456B-957A-C984A74C5D18}"=AntiSpywareBot
"{48435D4A-BDAF-4AC3-B172-B25F1AADE6C6}"=Driver & Utility
"{4BEFDA67-40AA-4882-91D3-6430C3B6B87E}"=directus
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}"=VPN Client
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=EOS Capture 1.2
"{75C023EC-64A0-44F7-9D99-C6F6E21EB6F0}"=Do More
"{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1"=Webroot AntiVirus with AntiSpyware
"{8380AB60-F13A-11D1-BA13-0060080329EF}"=IOC ViewStation
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{90840409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Excel Viewer 2003
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Audigy
"{92948172-2857-44BA-B254-5E23AE251C86}"=MT4.0
"{94357968-F644-4413-8243-13EF93A220D4}"=Physician's Desktop
"{95120000-00AF-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint Viewer 2007 (English)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}"=WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}"=Nikon Message Center
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}"=Dragon NaturallySpeaking 9
"{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon Camera WIA Driver
"{EDFE2142-CFB3-44AB-A961-DE85F6408A28}"=Sentinel Protection Installer 7.3.2
"{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}"=Natural Color
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}"=PictureProject
"Arthur's Reading Race"=Arthur's Reading Race
"CANONBJ_Deinstall_CNMCP69.DLL"=Canon PIXMA iP6000D
"CCleaner"=CCleaner (remove only)
"Citrix ICA Web Client"=Citrix ICA Web Client
"Dr Neubrander's Appointments_is1"=My Appointments
"Dr. Neubrander's Established Patient Packet_is1"=Dr. Neubrander's Established Patient Packet
"Dr. Seuss™ Kindergarten"=Dr. Seuss™ Kindergarten
"Easy-PhotoPrint"=Canon Utilities Easy-PhotoPrint
"EPSON Photo!3 Ver.1.40"=EPSON Photo!3
"FG_1.0"=1st Grade v1.0
"Gateway IE Customizations"=Gateway IE Customizations
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=Canon Utilities EOS Capture 1.2
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"InstallShield_{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon EOS 20D WIA Driver
"IrfanView"=IrfanView (remove only)
"JumpStart Advanced 1st Grade"=JumpStart Advanced 1st Grade
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Math 1"=Math 1
"Math 2"=Math 2
"Math Missions Grades K-2"=Math Missions Grades K-2
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"PictureProject In Touch Downloader"=PictureProject In Touch Downloader 1.0
"PROSet"=Intel® PRO Ethernet Adapter and Software
"PX: {34E29B52-7A91-4D77-A91F-1131E1697C16}"=DoMore
"Reader Rabbit Reading Ages 6-9"=Reader Rabbit Reading Ages 6-9
"ShockwaveFlash"=Macromedia Flash Player 8
"SpywareBlaster_is1"=SpywareBlaster 4.1
"Supplement Review Worksheet_is1"=Supplement Review WorkSheet Ver 1.47
"Thinkin' Science"=Edmark - Thinkin' Science
"Viewer97"=Microsoft Word Viewer 97
"WIC"=Windows Imaging Component

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/11/2009 7:48:12 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:15 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:16 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:20 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/14/2009 7:53:54 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:54:56 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application ADS.exe, version 1.1.0.18, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:06:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:07:48 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/24/2009 8:51:45 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/24/2009 8:51:45 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot

Error - 2/24/2009 8:01:23 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for Start with the following error:
%%5

Error - 2/24/2009 9:01:47 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for Start with the following error:
%%5


< End of report >
Thank you, m0le

sd123

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 26 February 2009 - 02:33 PM

Hi sd123,

Thanks for the log.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link --> Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file, and click Submit.

C:\windows\syssvc.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Next, we need to back up your registry, as we will be making changes there.
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For the version with the installer:
    Use the setup program to install ERUNT on your computer.
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTMoveIt3 script.
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click (or if your PC is running Vista, right-click and select Run As Administrator) the OTMoveIt3 icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "1A028EBB-EDF5-4DC6-ABD3-362D9941CBAC"=-
  • Push the large MoveIt! button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please also post a new DDS log.

Thanks
m0le is a proud member of UNITE
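To make concrete what the :reg block in the post above actually sets, here is an added Python example (not part of the thread, and not OTMoveIt3's own code) that decodes those hex(7) REG_MULTI_SZ values and flags any entry in the LSA "Authentication Packages" and "Notification Packages" lists that is not the Windows XP default (msv1_0 and scecli respectively, an assumption of the example). It goes beyond the page's script by also accepting the UTF-16LE form that regedit exports; the hijacked sample value is constructed with a placeholder DLL name, not a real indicator.

```python
"""Decode hex(7) REG_MULTI_SZ values from a :reg script and check the LSA
package lists against their expected defaults.

Added example; not part of the original thread or of OldTimer's OTMoveIt3.
"""
import re
from typing import Dict, List

# The two values exactly as they appear in the :reg script above.
SCRIPT_LINES = """
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"""

# Assumed clean defaults on Windows XP. Anything else in these lists is a
# DLL that LSASS will load at boot, which is why the script resets them.
EXPECTED = {
    "Authentication Packages": ["msv1_0"],
    "Notification Packages": ["scecli"],
}

_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$'
)


def decode_multi_sz(hex_list: str) -> List[str]:
    """Turn a comma-separated hex(7) byte list into a list of strings.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by an extra NUL.
    regedit exports hex(7) as UTF-16LE; the script on this page uses one byte
    per character. UTF-16LE is detected by a zero byte in every odd position.
    """
    raw = bytes(int(b, 16) for b in hex_list.split(","))
    is_utf16 = (
        len(raw) >= 2
        and len(raw) % 2 == 0
        and all(raw[i] == 0 for i in range(1, len(raw), 2))
    )
    text = raw.decode("utf-16-le") if is_utf16 else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def encode_multi_sz(strings: List[str]) -> str:
    """Inverse of decode_multi_sz in the one-byte form used by the script."""
    raw = "\x00".join(strings).encode("latin-1") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in raw)


def parse_reg_script(text: str) -> Dict[str, List[str]]:
    """Return {value name: decoded strings} for every hex(7) line in a script."""
    values: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = decode_multi_sz(m.group("hex"))
    return values


def unexpected_packages(name: str, packages: List[str]) -> List[str]:
    """Entries in an LSA package list that are not in the expected default set.

    Comparison is case-insensitive, as registry value data of this kind is
    matched by name and not by case.
    """
    allowed = {p.lower() for p in EXPECTED[name]}
    return [p for p in packages if p.lower() not in allowed]


# Constructed sample of a hijacked value: the default plus a placeholder DLL.
HIJACKED_NOTIFICATION = encode_multi_sz(["scecli", "EXAMPLE_ROGUE_DLL"])


def main() -> None:
    for name, packages in parse_reg_script(SCRIPT_LINES).items():
        print(f"{name}: {packages} -> extra: {unexpected_packages(name, packages)}")
    hijacked = decode_multi_sz(HIJACKED_NOTIFICATION)
    print(f"constructed hijacked value: {hijacked} -> extra: "
          f"{unexpected_packages('Notification Packages', hijacked)}")


if __name__ == "__main__":
    main()
```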

#11 sd123

sd123
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 26 February 2009 - 08:23 PM

Hi m0le!

Migod. Glad we're doing this:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: syssvc.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: af8f35a509b5aa1a06566af65decec7e
Packers detected: -

Scanner results
Scan taken on 26 Feb 2009 23:27:48 (GMT)
A-Squared Found Trojan.Win32.Tibs!IK
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found Trojan.Generic.1444475
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.FraudLoad.vktw
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.FraudLoad.vktw
NOD32 Found nothing
Norman Virus Control Found W32/Smalltroj.LTGP
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Heur.Malware-Cryptor.MTA.10


OTMoveIt3 Results:

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\1A028EBB-EDF5-4DC6-ABD3-362D9941CBAC not found.

******************
OTViewIt logfile created on: 2/26/2009 8:19:58 PM - Run 3
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 698.63 Mb Available Physical Memory | 68.27% Memory free
2.40 Gb Paging File | 2.12 Gb Available in Paging File | 88.22% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 55.90 Gb Free Space | 75.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009/01/20 09:07:50 | 01,090,936 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
[2002/02/07 19:01:24 | 00,040,960 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2008/04/06 18:08:50 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
[2009/01/20 09:08:06 | 06,278,520 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
[2002/04/12 13:39:24 | 00,155,715 | ---- | M] () -- C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
[2006/10/16 15:10:22 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
[2007/04/03 15:18:08 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
[2008/10/16 19:35:26 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
[2001/08/30 23:56:00 | 00,057,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
[2008/12/07 21:25:50 | 03,671,408 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
[2008/12/07 21:25:50 | 00,181,616 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
[2008/12/19 00:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/02/26 20:14:38 | 00,348,160 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTMoveIt3.exe
[2009/02/23 20:20:38 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/04/03 15:18:08 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND [Auto | Running])
[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/16 19:35:26 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint [Auto | Running])
[2007/04/17 13:03:52 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn [Disabled | Stopped])
[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2001/08/30 23:56:00 | 00,057,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/05/05 11:07:53 | 00,045,056 | ---- | M] (LANovation) -- C:\WINDOWS\system32\PCTKRNT.SYS -- (PictureTaker [On_Demand | Stopped])
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer [Auto | Running])
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer [Auto | Running])
[2008/12/07 21:25:50 | 03,671,408 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
[2009/01/20 09:07:50 | 01,090,936 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services ==========

[2001/08/17 08:28:00 | 00,871,388 | ---- | M] (BCM) -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem [On_Demand | Running])
[2002/02/28 10:15:12 | 00,114,912 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTAC32K.SYS -- (ctac32k [On_Demand | Running])
[2002/02/28 10:16:44 | 00,834,100 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2002/02/28 10:16:58 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTPRXY2K.SYS -- (ctprxy2k [On_Demand | Running])
[2002/02/28 10:17:14 | 00,211,724 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k [On_Demand | Running])
[2007/01/18 13:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
[2007/04/03 15:17:08 | 00,306,295 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Running])
[2007/01/23 23:23:16 | 00,127,376 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE [On_Demand | Running])
[2002/02/11 09:23:18 | 00,119,808 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2002/02/28 10:17:24 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\EMUPIA2K.SYS -- (emupia [On_Demand | Running])
[2002/02/28 10:18:06 | 00,991,672 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2004/08/04 01:58:34 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2008/06/28 14:10:27 | 00,012,856 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo [Auto | Running])
[2007/04/17 13:00:30 | 00,010,144 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\lmimirr.sys -- (lmimirr [On_Demand | Running])
[2008/10/16 19:35:58 | 00,083,288 | ---- | M] (LogMeIn, Inc.) -- C:\windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP [Disabled | Stopped])
[2008/07/24 17:46:08 | 00,047,640 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver [Auto | Running])
[2005/10/21 06:25:32 | 00,013,396 | ---- | M] () -- C:\WINDOWS\system32\drivers\MTiCtwl.sys -- (MagicTune [System | Running])
[2009/02/02 22:32:39 | 00,002,560 | ---- | M] () -- C:\WINDOWS\system32\drivers\mchInjDrv.sys -- (mchInjDrv [System | Running])
[2001/08/17 08:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2001/08/30 23:56:00 | 00,829,305 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv4 [On_Demand | Running])
[2004/08/04 01:03:35 | 00,088,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
[2001/08/30 05:30:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb [Auto | Running])
[2001/08/30 05:30:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
[2002/02/28 10:16:56 | 00,195,268 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/30 05:30:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2006/12/21 06:30:02 | 00,090,688 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\system32\drivers\sentinel.sys -- (Sentinel [Auto | Running])
[2006/12/21 06:30:02 | 00,033,504 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB [On_Demand | Stopped])
[2008/12/07 21:26:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
[2008/12/07 21:26:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\sshrmd.sys -- (sshrmd [Boot | Running])
[2008/12/07 21:26:04 | 00,170,608 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssidrv.sys -- (ssidrv [Boot | Running])
[2004/08/04 02:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2005/01/26 07:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [On_Demand | Stopped])
[2001/08/30 05:30:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"First Home Page"=http://go.microsoft.com/fwlink/?LinkId=54843
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.msn.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (77 bytes) - C:\windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
195.245.119.131 browser-security.microsoft.com

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup (InstallShield Software Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"="C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray (Webroot Software, Inc.)
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"WINDVDPatch"="C:\WINDOWS\system32\CTHELPER.EXE" (Creative Technology Ltd)

========== (O4) Startup Folders ==========

[2007/04/03 15:18:14 | 01,537,064 | ---- | M] (Cisco Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
[2007/05/05 11:07:57 | 00,569,344 | ---- | M] (LANovation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
[2002/04/12 13:39:24 | 00,155,715 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
[2006/10/16 15:10:22 | 00,118,784 | ---- | M] (Nikon Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoControlPanel"=0
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoControlPanel"=0
"NoWindowsUpdate"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0
"DisableTaskMgr"=0

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [2007/09/25 00:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{D7F490B1-9F5D-4f27-A44B-FE5556114FDD}: Button: directus -- %ProgramFiles%\directus\directus\AppStart.exe [2007/08/13 18:42:56 | 00,020,480 | ---- | M] ( )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
ormc.org\dynamicpacs: https in My Computer
slchospital.org\pacs: http in My Computer
28 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/F/D...heckControl.cab -- Windows Genuine Advantage Validation Tool
{406B5949-7190-4245-91A9-30A17DE16AD0}: http://www1.snapfish.com/SnapfishActivia.cab -- Snapfish Activia
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1178396154450 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftupdat...b?1178455309295 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{9600F64D-755F-11D4-A47F-0001023E6D5A}: http://web1.shutterfly.com/downloads/Uploader.cab -- Shutterfly Picture Upload Plugin
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
MIW Deployment: https://pacs.slchospital.org/downloads/MIWDeploy.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{0825CB16-D8E8-4DE4-B68F-94E9ED31EA9B} (Servers: | Description: )
{37FB1749-857F-4EAE-B723-E5F96CDBE256} (Servers: | Description: 1394 Net Adapter)
{5D9C6234-2240-4D8E-9BCF-64F8F5709040} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
LMIinit: "DllName" = LMIinit.dll -- C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,ecurity Packages settings...,gs
>File not found --
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/05/05 10:39:06 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[230 C:\windows\System32\*.tmp files]
[5 C:\windows\*.tmp files]
[2009/02/26 20:16:21 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/02/26 20:14:37 | 00,348,160 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTMoveIt3.exe
[2009/02/26 20:05:07 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2009/02/26 20:05:07 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2009/02/26 20:05:04 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/02/25 22:21:34 | 00,001,374 | ---- | C] () -- C:\windows\imsins.BAK
[2009/02/25 12:24:25 | 01,089,601 | ---- | C] () -- C:\windows\System32\dllcache\ntprint.cat
[2009/02/24 13:01:04 | 00,247,808 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\QUESTIONNAIRE, CNC Autism Intake Questionnaire, Version 3.doc
[2009/02/24 12:58:20 | 00,344,808 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CNC Questionere.eml
[2009/02/23 20:20:36 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/02/19 19:27:51 | 00,016,896 | ---- | C] () -- C:\windows\syssvc.exe
[2009/02/12 13:12:04 | 00,000,690 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2009/02/12 13:12:01 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/02/11 18:16:24 | 00,002,435 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\directus.lnk
[2009/02/11 18:16:22 | 00,000,000 | ---D | C] -- C:\Program Files\directus
[2009/02/11 17:49:09 | 00,000,000 | ---D | C] -- C:\windows\System32\XPSViewer
[2009/02/11 17:49:01 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/02/11 17:48:46 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/02/11 17:47:33 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\prntvpt.dll
[2009/02/11 17:47:33 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\filterpipelineprintproc.dll
[2009/02/11 17:47:32 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xpssvcs.dll
[2009/02/11 17:47:32 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\xpssvcs.dll
[2009/02/11 17:47:32 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\printfilterpipelinesvc.exe
[2009/02/11 17:47:32 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\xpsshhdr.dll
[2009/02/11 17:47:32 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\xpsshhdr.dll
[2009/02/11 17:47:31 | 00,000,000 | ---D | C] -- C:\8c3aa4f13d5f3e8e0520e9a343
[2009/02/11 17:46:29 | 00,000,000 | R-SD | C] -- C:\windows\assembly
[2009/02/11 17:45:46 | 00,000,000 | ---D | C] -- C:\windows\Microsoft.NET
[2009/02/11 17:44:22 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/02/10 14:24:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/10 13:01:43 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/02/10 13:01:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/10 13:01:37 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/02/10 12:50:53 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/02/09 21:07:09 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2009/02/09 21:07:07 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2009/02/09 20:58:40 | 00,511,328 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\capicom.dll
[2009/02/09 20:58:40 | 00,001,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus.lnk
[2009/02/09 20:58:24 | 00,000,000 | ---D | C] -- C:\Binaries
[2009/02/09 20:57:50 | 01,553,272 | ---- | C] (Webroot Software, Inc.) -- C:\windows\WRSetup.dll
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Program Files\Webroot
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Webroot
[2009/02/09 20:57:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2009/02/02 22:07:46 | 00,002,560 | ---- | C] () -- C:\windows\System32\drivers\mchInjDrv.sys

========== Files - Modified Within 30 Days ==========

[230 C:\windows\System32\*.tmp files]
[5 C:\windows\*.tmp files]
[2009/02/26 20:14:38 | 00,348,160 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTMoveIt3.exe
[2009/02/26 20:05:07 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2009/02/26 20:05:07 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2009/02/26 08:12:02 | 00,508,956 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2009/02/26 08:12:02 | 00,432,356 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2009/02/26 08:12:02 | 00,067,312 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2009/02/26 08:08:13 | 00,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2009/02/26 08:07:40 | 00,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2009/02/26 08:07:37 | 00,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2009/02/25 22:23:07 | 00,023,244 | ---- | M] () -- C:\windows\System32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/25 22:23:07 | 00,023,244 | ---- | M] () -- C:\windows\System32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/25 22:23:07 | 00,018,648 | ---- | M] () -- C:\windows\System32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/25 22:23:07 | 00,018,648 | ---- | M] () -- C:\windows\System32\BMXState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
[2009/02/25 22:23:07 | 00,001,080 | ---- | M] () -- C:\windows\System32\settingsbkup.sfm
[2009/02/25 22:23:07 | 00,001,080 | ---- | M] () -- C:\windows\System32\settings.sfm
[2009/02/25 22:23:07 | 00,000,024 | ---- | M] () -- C:\windows\System32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
[2009/02/25 22:23:07 | 00,000,024 | ---- | M] () -- C:\windows\System32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
[2009/02/25 22:21:35 | 00,001,374 | ---- | M] () -- C:\windows\imsins.BAK
[2009/02/25 22:20:57 | 04,306,324 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/02/25 22:04:15 | 00,000,142 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RAPC Home.url
[2009/02/24 13:01:04 | 00,247,808 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\QUESTIONNAIRE, CNC Autism Intake Questionnaire, Version 3.doc
[2009/02/24 12:58:20 | 00,344,808 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CNC Questionere.eml
[2009/02/23 22:09:02 | 00,000,047 | ---- | M] () -- C:\windows\webica.ini
[2009/02/23 20:20:38 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009/02/20 03:30:00 | 00,000,386 | ---- | M] () -- C:\windows\tasks\RegClean Scheduled Scan.job
[2009/02/19 20:30:15 | 00,001,755 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\SAS7_000.DAT
[2009/02/19 19:27:51 | 00,016,896 | ---- | M] () -- C:\windows\syssvc.exe
[2009/02/19 18:47:31 | 00,000,077 | ---- | M] () -- C:\windows\System32\drivers\etc\HOSTS
[2009/02/18 22:29:07 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/02/14 18:56:52 | 00,000,172 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SLC PACS.url
[2009/02/14 13:39:21 | 00,012,005 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\TOWACO WEATHER.url
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\Owner\Desktop\TOWACO WEATHER.url:favicon
[2009/02/12 17:08:49 | 00,054,156 | -H-- | M] () -- C:\windows\QTFont.qfn
[2009/02/12 13:12:04 | 00,000,690 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2009/02/11 20:43:59 | 00,127,704 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2009/02/11 18:30:50 | 00,023,320 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/11 18:30:47 | 00,002,435 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\directus.lnk
[2009/02/11 18:30:35 | 00,001,142 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2009/02/10 21:59:42 | 00,001,240 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Stock Trading and Investing.url
@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Stock Trading and Investing.url:favicon
[2009/02/10 21:58:08 | 00,028,482 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MARKETWATCH.url
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\Owner\Desktop\MARKETWATCH.url:favicon
[2009/02/10 14:24:43 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/10 12:55:00 | 00,000,227 | ---- | M] () -- C:\windows\system.ini
[2009/02/09 20:58:40 | 00,001,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus.lnk
[2009/02/09 20:45:33 | 00,000,164 | ---- | M] () -- C:\install.dat
[2009/02/09 19:50:35 | 00,000,028 | ---- | M] () -- C:\windows\ODBC.INI
[2009/02/03 18:21:12 | 21,244,864 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MRT.exe
[2009/02/02 22:32:39 | 00,002,560 | ---- | M] () -- C:\windows\System32\drivers\mchInjDrv.sys
< End of report >


******************


Extras:

OTViewIt Extras logfile created on: 2/26/2009 8:19:58 PM - Run 3
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 698.63 Mb Available Physical Memory | 68.27% Memory free
2.40 Gb Paging File | 2.12 Gb Available in Paging File | 88.22% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 55.90 Gb Free Space | 75.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DisableNotifications"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/07/25 12:02:08 | 02,769,920 | ---- | M] () -- C:\Program Files\Supplement Review Worksheet\SupplementWorksheet.exe:*:Enabled:SupplementWorksheet
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe:*:Disabled:Sentinel Keys Server
[2004/08/04 02:56:54 | 00,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe:*:Enabled:NTVDM.EXE
[2007/03/02 15:01:40 | 08,503,296 | ---- | M] (ADS) -- C:\Program Files\ADS\MedicsPremier\ADS.exe:*:Enabled:ADS
[2007/02/09 11:25:40 | 03,084,288 | ---- | M] (DBS GmbH) -- C:\Program Files\ADS\Transcription\Transcription.exe:*:Enabled:Transcription
[2007/02/09 11:24:42 | 05,828,608 | ---- | M] (Patterson, Gray & Associates, Inc.) -- C:\Program Files\ADS\PhysicianDesktop\PhysicianDesktop.exe:*:Enabled:PhysicianDesktop
File not found -- C:\WINDOWS\svcho.exe:*:Enabled:enable

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] -- C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
msdaipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09D4F215-8960-4E0E-A2CC-C5A062113503}"=Crazy Machines
"{10B3936F-0E93-4431-8E7B-3FEA5DAC88C3}"=Garmin Communicator Plugin
"{12383085-49EA-4BC9-8CD3-4A18EFDF9F81}"=LogMeIn
"{1A028EBB-EDF5-4DC6-ABD3-362D9941CBAC}"=AntiSpywareBot
"{21A564C8-55AD-426D-96A2-04954620D6B6}"=Medics Premier
"{28C69E01-0147-402D-A105-E423B359AB93}"=Medics Transcription
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}"=MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}"=Spy Sweeper Core
"{40570EBE-8E9D-456B-957A-C984A74C5D18}"=AntiSpywareBot
"{48435D4A-BDAF-4AC3-B172-B25F1AADE6C6}"=Driver & Utility
"{4BEFDA67-40AA-4882-91D3-6430C3B6B87E}"=directus
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}"=VPN Client
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=EOS Capture 1.2
"{75C023EC-64A0-44F7-9D99-C6F6E21EB6F0}"=Do More
"{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1"=Webroot AntiVirus with AntiSpyware
"{8380AB60-F13A-11D1-BA13-0060080329EF}"=IOC ViewStation
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{90840409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Excel Viewer 2003
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Audigy
"{92948172-2857-44BA-B254-5E23AE251C86}"=MT4.0
"{94357968-F644-4413-8243-13EF93A220D4}"=Physician's Desktop
"{95120000-00AF-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint Viewer 2007 (English)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}"=WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}"=Nikon Message Center
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}"=Dragon NaturallySpeaking 9
"{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon Camera WIA Driver
"{EDFE2142-CFB3-44AB-A961-DE85F6408A28}"=Sentinel Protection Installer 7.3.2
"{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}"=Natural Color
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}"=PictureProject
"Arthur's Reading Race"=Arthur's Reading Race
"CANONBJ_Deinstall_CNMCP69.DLL"=Canon PIXMA iP6000D
"CCleaner"=CCleaner (remove only)
"Citrix ICA Web Client"=Citrix ICA Web Client
"Dr Neubrander's Appointments_is1"=My Appointments
"Dr. Neubrander's Established Patient Packet_is1"=Dr. Neubrander's Established Patient Packet
"Dr. Seuss™ Kindergarten"=Dr. Seuss™ Kindergarten
"Easy-PhotoPrint"=Canon Utilities Easy-PhotoPrint
"EPSON Photo!3 Ver.1.40"=EPSON Photo!3
"ERUNT_is1"=ERUNT 1.1j
"FG_1.0"=1st Grade v1.0
"Gateway IE Customizations"=Gateway IE Customizations
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=Canon Utilities EOS Capture 1.2
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"InstallShield_{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon EOS 20D WIA Driver
"IrfanView"=IrfanView (remove only)
"JumpStart Advanced 1st Grade"=JumpStart Advanced 1st Grade
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Math 1"=Math 1
"Math 2"=Math 2
"Math Missions Grades K-2"=Math Missions Grades K-2
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"PictureProject In Touch Downloader"=PictureProject In Touch Downloader 1.0
"PROSet"=Intel® PRO Ethernet Adapter and Software
"PX: {34E29B52-7A91-4D77-A91F-1131E1697C16}"=DoMore
"Reader Rabbit Reading Ages 6-9"=Reader Rabbit Reading Ages 6-9
"ShockwaveFlash"=Macromedia Flash Player 8
"SpywareBlaster_is1"=SpywareBlaster 4.1
"Supplement Review Worksheet_is1"=Supplement Review WorkSheet Ver 1.47
"Thinkin' Science"=Edmark - Thinkin' Science
"Viewer97"=Microsoft Word Viewer 97
"WIC"=Windows Imaging Component

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/11/2009 7:48:12 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:15 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:16 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:20 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/14/2009 7:53:54 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:54:56 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application ADS.exe, version 1.1.0.18, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:06:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:07:48 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/23/2009 7:24:38 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 2/24/2009 8:51:45 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/24/2009 8:51:45 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot

Error - 2/24/2009 8:01:23 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for Start with the following error:
%%5

Error - 2/24/2009 9:01:47 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for Start with the following error:
%%5

Error - 2/25/2009 1:22:03 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/25/2009 1:22:03 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot

Error - 2/26/2009 9:09:20 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/26/2009 9:09:20 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot


< End of report >

Thank you.

sd123



OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02262009_201621

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 February 2009 - 11:40 AM

Hi sd123,

:step1: The Jotti scan result means that we now need to kill that file and so we need to run OTMoveIt one more time.
  • Double click (or if your PC is running Vista, right-click and select Run As Administrator) the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    C:\windows\syssvc.exe
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    :step4: Click here to download HijackThis.
    Save HJTInstall.exe to your Desktop.
    Double click on the HJTInstall.exe icon to start the program.
    By default it will install to C:\Program Files\Trend Micro\HijackThis
    After the final dialogue box it will launch HijackThis.

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click on antispywarebot and press the Delete This Entry button

    Make sure that you are selecting the correct program as these cannot be restored

    When you have removed this item close HijackThis.


    :) Copy the contents of the code box below into a new notepad document (not wordpad).
    Click file> save as...> call it reginfo.bat > file types *all files*> and save it to the desktop.
    regedit /e lsa-info.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    start lsa-info.txt
    Double-click reginfo.bat to run it.

    Post back with the text that will open in notepad.
Please post a fresh DDS log too.

Thanks :thumbup2:
m0le is a proud member of UNITE
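
The lsa-info.txt that reginfo.bat produces is a regedit 5.00 export in which the LSA package lists appear as hex(7) blobs; the added example below (not code from this thread, OTViewIt or HijackThis) decodes those blobs and reports any entry outside an assumed Windows XP SP2 baseline, so an injected authentication, security or notification package shows up by name instead of as hex. The baseline, the LSA_KEY constant and the helper names are assumptions; the sample export text is the one posted in this thread.

```python
"""Decode an lsa-info.txt export (regedit /e of the Lsa key) and flag LSA package
entries outside a known-good baseline.  Added example, not from this thread."""
import re
from typing import Dict, List, Union

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed baseline for Windows XP SP2, matching the values this thread's export
# shows.  An entry outside it is worth a look, not proof of infection.
XP_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

# Sample input: the Lsa values exactly as posted in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00
"LsaPid"=dword:000003c8
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _join_continuations(text: str) -> List[str]:
    """regedit wraps long hex values with a trailing backslash; stitch them back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _hex_bytes(data: str) -> bytes:
    return bytes(int(b, 16) for b in data.split(",") if b)


def decode_value(data: str) -> Union[str, List[str], int, bytes]:
    """Decode the part of a .reg line after '=' into a Python value."""
    if data.startswith("hex(7):"):      # REG_MULTI_SZ: UTF-16LE strings, NUL separated
        text = _hex_bytes(data[7:]).decode("utf-16-le")
        return [s for s in text.split("\0") if s]
    if data.startswith("hex(2):"):      # REG_EXPAND_SZ: one UTF-16LE string
        return _hex_bytes(data[7:]).decode("utf-16-le").rstrip("\0")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex:"):         # REG_BINARY
        return _hex_bytes(data[4:])
    if len(data) >= 2 and data[0] == data[-1] == '"':   # REG_SZ
        return data[1:-1]
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    result: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                result[current][m.group("name")] = decode_value(m.group("data"))
    return result


def unexpected_packages(parsed, baseline=XP_BASELINE) -> Dict[str, List[str]]:
    """LSA package entries the baseline does not list, per value name."""
    lsa = parsed.get(LSA_KEY, {})
    findings: Dict[str, List[str]] = {}
    for name, allowed in baseline.items():
        extra = [p for p in lsa.get(name, []) if p.lower() not in allowed]
        if extra:
            findings[name] = extra
    return findings


def to_hex7(strings: List[str]) -> str:
    """Encode strings in regedit's hex(7) form (handy for building test input)."""
    raw = "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)
```

regedit 5.00 normally writes the export as UTF-16 with a BOM, so open lsa-info.txt with encoding="utf-16" before handing its text to parse_reg.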

#13 sd123

sd123
  • Topic Starter

  • Members
  • 26 posts

Posted 28 February 2009 - 12:46 PM

Hello m0le!

I apologise but I inadvertently closed OTMoveIt3 after successfully moving syssvc.exe.
The result only said that this file was successfully moved but did not specify where it was moved to.

HJT deleted Antispywarebot.

reginfo.bat results:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00
"LsaPid"=dword:000003c8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:68,03,86,ed,67,21,ad,d8,a7,77,ae,d3,73,b2,25,0a,63,37,63,35,61,\
61,33,35,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,02,e0,48,ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:aa,18,2b,b0,2f,0a,00,43,d2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:02,fe,90,ab,29,26

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:02,9e,24,ea,0e,69,ea,f6,00,c3,4c,69,8e,eb,36,f5

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:80,03,9c,d7,9d,3b,c9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

************************


OTViewIt:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00
"LsaPid"=dword:000003c8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:68,03,86,ed,67,21,ad,d8,a7,77,ae,d3,73,b2,25,0a,63,37,63,35,61,\
61,33,35,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,02,e0,48,ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:aa,18,2b,b0,2f,0a,00,43,d2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:02,fe,90,ab,29,26

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:02,9e,24,ea,0e,69,ea,f6,00,c3,4c,69,8e,eb,36,f5

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:80,03,9c,d7,9d,3b,c9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:000000

********************

Extras:
OTViewIt Extras logfile created on: 2/28/2009 12:42:35 PM - Run 4
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.30 Mb Total Physical Memory | 705.74 Mb Available Physical Memory | 68.97% Memory free
2.40 Gb Paging File | 2.12 Gb Available in Paging File | 88.11% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 56.01 Gb Free Space | 75.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-GQ207MHA2
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DisableNotifications"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/07/25 12:02:08 | 02,769,920 | ---- | M] () -- C:\Program Files\Supplement Review Worksheet\SupplementWorksheet.exe:*:Enabled:SupplementWorksheet
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server
[2006/08/22 00:00:20 | 00,316,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe:*:Disabled:Sentinel Keys Server
[2004/08/04 02:56:54 | 00,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe:*:Enabled:NTVDM.EXE
[2007/03/02 15:01:40 | 08,503,296 | ---- | M] (ADS) -- C:\Program Files\ADS\MedicsPremier\ADS.exe:*:Enabled:ADS
[2007/02/09 11:25:40 | 03,084,288 | ---- | M] (DBS GmbH) -- C:\Program Files\ADS\Transcription\Transcription.exe:*:Enabled:Transcription
[2007/02/09 11:24:42 | 05,828,608 | ---- | M] (Patterson, Gray & Associates, Inc.) -- C:\Program Files\ADS\PhysicianDesktop\PhysicianDesktop.exe:*:Enabled:PhysicianDesktop
File not found -- C:\WINDOWS\svcho.exe:*:Enabled:enable

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] -- C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
msdaipp: [HKLM - No CLSID value]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
[2004/08/04 02:56:43 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09D4F215-8960-4E0E-A2CC-C5A062113503}"=Crazy Machines
"{10B3936F-0E93-4431-8E7B-3FEA5DAC88C3}"=Garmin Communicator Plugin
"{12383085-49EA-4BC9-8CD3-4A18EFDF9F81}"=LogMeIn
"{21A564C8-55AD-426D-96A2-04954620D6B6}"=Medics Premier
"{28C69E01-0147-402D-A105-E423B359AB93}"=Medics Transcription
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}"=MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}"=Spy Sweeper Core
"{48435D4A-BDAF-4AC3-B172-B25F1AADE6C6}"=Driver & Utility
"{4BEFDA67-40AA-4882-91D3-6430C3B6B87E}"=directus
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}"=VPN Client
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=EOS Capture 1.2
"{75C023EC-64A0-44F7-9D99-C6F6E21EB6F0}"=Do More
"{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1"=Webroot AntiVirus with AntiSpyware
"{8380AB60-F13A-11D1-BA13-0060080329EF}"=IOC ViewStation
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{90840409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Excel Viewer 2003
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Audigy
"{92948172-2857-44BA-B254-5E23AE251C86}"=MT4.0
"{94357968-F644-4413-8243-13EF93A220D4}"=Physician's Desktop
"{95120000-00AF-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint Viewer 2007 (English)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}"=WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}"=Nikon Message Center
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}"=Dragon NaturallySpeaking 9
"{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon Camera WIA Driver
"{EDFE2142-CFB3-44AB-A961-DE85F6408A28}"=Sentinel Protection Installer 7.3.2
"{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}"=Natural Color
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}"=PictureProject
"Arthur's Reading Race"=Arthur's Reading Race
"CANONBJ_Deinstall_CNMCP69.DLL"=Canon PIXMA iP6000D
"CCleaner"=CCleaner (remove only)
"Citrix ICA Web Client"=Citrix ICA Web Client
"Dr Neubrander's Appointments_is1"=My Appointments
"Dr. Neubrander's Established Patient Packet_is1"=Dr. Neubrander's Established Patient Packet
"Dr. Seuss™ Kindergarten"=Dr. Seuss™ Kindergarten
"Easy-PhotoPrint"=Canon Utilities Easy-PhotoPrint
"EPSON Photo!3 Ver.1.40"=EPSON Photo!3
"ERUNT_is1"=ERUNT 1.1j
"FG_1.0"=1st Grade v1.0
"Gateway IE Customizations"=Gateway IE Customizations
"HijackThis"=HijackThis 2.0.0
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{74BE7519-41A7-45A8-8AA6-78C7907A4808}"=Canon Utilities EOS Capture 1.2
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"InstallShield_{ED9775A0-383E-4EAA-8DA5-8CC6860D60A3}"=Canon EOS 20D WIA Driver
"IrfanView"=IrfanView (remove only)
"JumpStart Advanced 1st Grade"=JumpStart Advanced 1st Grade
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Math 1"=Math 1
"Math 2"=Math 2
"Math Missions Grades K-2"=Math Missions Grades K-2
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"PictureProject In Touch Downloader"=PictureProject In Touch Downloader 1.0
"PROSet"=Intel® PRO Ethernet Adapter and Software
"PX: {34E29B52-7A91-4D77-A91F-1131E1697C16}"=DoMore
"Reader Rabbit Reading Ages 6-9"=Reader Rabbit Reading Ages 6-9
"ShockwaveFlash"=Macromedia Flash Player 8
"SpywareBlaster_is1"=SpywareBlaster 4.1
"Supplement Review Worksheet_is1"=Supplement Review WorkSheet Ver 1.47
"Thinkin' Science"=Edmark - Thinkin' Science
"Viewer97"=Microsoft Word Viewer 97
"WIC"=Windows Imaging Component

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/11/2009 7:48:12 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:15 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:16 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/11/2009 7:48:20 PM | Computer Name = OWNER-GQ207MHA2 | Source = MsiInstaller | ID = 11308
Description = Product: Antispyware -- Error 1308. Source file not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS318.tmp\Antispyware\SpyCleaner.dll.
Verify that the file exists and that you can access it.

Error - 2/14/2009 7:53:54 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:54:56 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application ADS.exe, version 1.1.0.18, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:06:19 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2009 8:07:48 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/23/2009 7:24:42 PM | Computer Name = OWNER-GQ207MHA2 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/24/2009 8:01:23 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for Start with the following error:
%%5

Error - 2/24/2009 9:01:47 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for Start with the following error:
%%5

Error - 2/25/2009 1:22:03 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/25/2009 1:22:03 PM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot

Error - 2/26/2009 9:09:20 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/26/2009 9:09:20 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot

Error - 2/27/2009 8:23:58 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/27/2009 8:23:58 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot

Error - 2/28/2009 11:25:03 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 2/28/2009 11:25:03 AM | Computer Name = OWNER-GQ207MHA2 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
antispywarebot


< End of report >

Thank you again.

sd123
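The reginfo.bat that m0le asked for exports the LSA key as text in which every REG_MULTI_SZ value is written as a hex(7) byte list, so the interesting lists (Authentication, Security and Notification Packages) are unreadable as posted. The following is an added example, not code from the thread or from any tool it mentions: it parses a regedit export, decodes the hex(7), hex(2) and dword encodings, and compares the three LSA package lists against an allowlist. The sample export is constructed from the values sd123 posted; the allowlist of stock XP SP2 package names is an assumption.

```python
"""Decode a regedit /e export of the LSA key and flag package lists that differ
from a stock Windows XP install.

Added example for this thread, not code from the thread or from any tool it
names. SAMPLE_EXPORT is constructed from the values sd123 posted; the
EXPECTED_PACKAGES allowlist is an assumption about a stock XP SP2 box.
"""
import re

# Constructed from the reginfo.bat output in the thread (continuation lines
# keep regedit's trailing backslash; leading spaces do not matter).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00
"nolmhash"=dword:00000000
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
'''

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed stock XP SP2 contents of the three LSA package lists. Any DLL named
# here is loaded by lsass.exe at boot, so anything else deserves a look.
EXPECTED_PACKAGES = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _logical_lines(text):
    """Join regedit's backslash-continued lines into single logical lines."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def decode_value(data):
    """Turn the right-hand side of a .reg value line into (type, python value)."""
    if data == "-":
        return "DELETE", None
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if not m:
        raise ValueError("unsupported .reg value syntax: " + data)
    kind = int(m.group("type") or "3", 16)  # bare "hex:" means REG_BINARY (3)
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    if kind == 7:  # REG_MULTI_SZ: UTF-16LE, NUL after each string, extra NUL at end
        text = raw.decode("utf-16-le", "replace")
        return "REG_MULTI_SZ", [s for s in text.split("\x00") if s]
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ written out as hex
        text = raw.decode("utf-16-le", "replace").rstrip("\x00")
        return ("REG_SZ", "REG_EXPAND_SZ")[kind - 1], text
    return ("REG_BINARY" if kind == 3 else "REG_TYPE_%d" % kind), raw


def parse_reg(text):
    """Parse .reg text into {key path: {value name: (type, value)}}."""
    registry, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = registry.setdefault(km.group("key"), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group("name")] = decode_value(vm.group("data"))
    return registry


def load_reg_export(path):
    """regedit /e writes UTF-16LE with a BOM; the 'utf-16' codec honours the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def unexpected_lsa_packages(registry):
    """Return {list name: [entries not in the allowlist]} for the LSA key."""
    values = registry.get(LSA_KEY, {})
    findings = {}
    for name, expected in EXPECTED_PACKAGES.items():
        _, entries = values.get(name, ("REG_MULTI_SZ", []))
        extra = sorted(set(entries) - expected)
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_EXPORT)
    for name in EXPECTED_PACKAGES:
        print(name, "=", reg[LSA_KEY][name][1])
    print("unexpected:", unexpected_lsa_packages(reg) or "none")
```

Decoded, sd123's lists come out as msv1_0; kerberos, msv1_0, schannel, wdigest; and scecli, which is why nothing is flagged for this export. Run `load_reg_export` on the real lsa-info.txt rather than on pasted text when you can, because regedit writes the file as UTF-16 and a copy that went through a forum post may have lost the continuation backslashes.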

#14 m0le


Posted 03 March 2009 - 12:37 PM

Hi sd123,

:step5: Let's make sure OTMoveIt has got it. :)

Open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


:step4: Next, run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!


:) Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
:step1: Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


:) Finally, can you please post a new DDS log.


Just to recap that's:
  • The OTMoveIt log
  • The CCleaner run
  • The Kaspersky log
  • The Java update
  • the DDS log
Thanks :thumbup2:
m0le is a proud member of UNITE
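Two things in sd123's OTViewIt Extras log tie directly to m0le's advice: the Authorized Applications list carries an enabled firewall exception for a file that no longer exists (C:\WINDOWS\svcho.exe), and the uninstall list shows three JRE 6 updates installed side by side, all below the 6 Update 12 that m0le points to. As an added example, not code from OTViewIt or from the thread, here is a small triage script over those two sections of the log; the sample lines are copied from the posted log, and the target JRE version is taken from m0le's post.

```python
"""Triage two sections of an OTViewIt Extras log: Windows Firewall authorized
applications and the installed-program list.

Added example for this thread, not code from OTViewIt or the thread. The
sample lines are copied from sd123's log; the JRE target (6 Update 12) is
the one m0le named.
"""
import re

# Copied from the "Authorized Applications List" section of the posted log.
FIREWALL_LINES = r"""
[2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/07/25 12:02:08 | 02,769,920 | ---- | M] () -- C:\Program Files\Supplement Review Worksheet\SupplementWorksheet.exe:*:Enabled:SupplementWorksheet
[2006/12/21 06:30:02 | 00,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server
File not found -- C:\WINDOWS\svcho.exe:*:Enabled:enable
"""

# Copied from the "HKEY_LOCAL_MACHINE Uninstall List" section of the posted log.
UNINSTALL_LINES = r"""
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"HijackThis"=HijackThis 2.0.0
"""

TARGET_JRE = (6, 12)  # from the thread: "JRE 6 Update 12"

# One firewall line: "[date | size | attrs | M] (vendor) -- path:scope:state:label"
# or, when OTViewIt could not stat the binary, "File not found -- path:scope:state:label".
FW_RE = re.compile(
    r"^(?:\[(?P<meta>[^\]]*)\] \((?P<vendor>[^)]*)\)|(?P<missing>File not found))"
    r" -- (?P<path>.+?):(?P<scope>[^:]*):(?P<state>[Ee]nabled|[Dd]isabled):(?P<label>.*)$"
)
UNINST_RE = re.compile(r'^"(?P<key>[^"]+)"=(?P<display>.*)$')
JRE_RE = re.compile(r"(?:Java|J2SE).*?(?P<major>\d+) Update (?P<update>\d+)")


def parse_firewall_exceptions(text):
    """Turn the Authorized Applications lines into dicts, skipping anything unparsable."""
    entries = []
    for line in text.strip().splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "enabled": m.group("state").lower() == "enabled",
            "vendor": m.group("vendor") or "",
            "file_present": m.group("missing") is None,
            "label": m.group("label"),
        })
    return entries


def suspicious_exceptions(entries):
    """Enabled exceptions whose binary is gone (orphaned, or a removed program that
    opened a hole first) or that carries no version-info company name."""
    return [e["path"] for e in entries
            if e["enabled"] and (not e["file_present"] or not e["vendor"])]


def installed_jres(text):
    """Return sorted (major, update) tuples for every JRE in the uninstall list."""
    found = []
    for line in text.strip().splitlines():
        um = UNINST_RE.match(line.strip())
        if not um:
            continue
        jm = JRE_RE.search(um.group("display"))
        if jm:
            found.append((int(jm.group("major")), int(jm.group("update"))))
    return sorted(found)


def jre_findings(jres, target=TARGET_JRE):
    """Old JREs stay usable by a browser even after a newer one is installed, so
    report every version below the target, not only whether the newest is current."""
    return [v for v in jres if v < target]


if __name__ == "__main__":
    fw = parse_firewall_exceptions(FIREWALL_LINES)
    print("firewall exceptions to review:", suspicious_exceptions(fw))
    jres = installed_jres(UNINSTALL_LINES)
    print("JREs below target:", jre_findings(jres))
```

On the posted lines the firewall check returns the SupplementWorksheet.exe entry (enabled, no company name in its version info) and the missing svcho.exe entry, and the JRE check returns all three installed updates, which matches m0le's instruction to remove every older Java version rather than just install the new one on top.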

#15 sd123


Posted 04 March 2009 - 08:27 PM

Ola m0le!

I apologise again. Somehow I managed to delete the .log files in OTMoveIt. In any event, they are no longer visible in Moved Files. However, I was able to find syssvc.exe in a Windows file in Moved Files but cannot copy/paste it. I tried (foolishly) to open it but Spysweeper went wild and thankfully stopped me. As you can imagine, I am not an experienced computer user.
How should I proceed?

sd123



