Infected With Something


This topic is locked
2 replies to this topic

#1 Dallient Climber

Posted 06 May 2008 - 12:08 PM

I opened up Internet Explorer yesterday and my homepage was changed. I also started getting various debug errors that caused IE to crash. I used Ad-Aware and found nothing. I used Spybot S&D and it found several malware programs including TelekomBill.Fake, Banker, Cimuz, DeepDive & Smitfraud.C Ebay bill.

I ran Kaspersky for critical areas and found:

Tuesday, May 06, 2008 11:28:52 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 742492


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\xxxxxxxx\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 24007
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:13:28

Infected Object Name Virus Name Last Action
Scan process completed.

Then I ran DSS and found:

Main

Deckard's System Scanner v20071014.68
Run by xxxxxx on 2008-05-06 11:29:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2008-05-06 16:29:39 UTC - RP644 - Deckard's System Scanner Restore Point
89: 2008-05-06 15:34:18 UTC - RP643 - System Checkpoint
88: 2008-05-05 00:48:59 UTC - RP642 - System Checkpoint
87: 2008-05-04 00:36:56 UTC - RP641 - System Checkpoint
86: 2008-05-03 00:12:55 UTC - RP640 - System Checkpoint


-- First Restore Point --
1: 2008-02-05 18:00:16 UTC - RP555 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-06 11:34:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\DWRCST.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Citrix\ICA Client\pnamain.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\C5670XU7\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA9732] command /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7973] cmd /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [KlipFolio] "C:\Program Files\KlipFolio\KlipFolio.exe" /BOOT
O4 - HKCU\..\RunOnce: [SpybotDeletingB549] command /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3834] cmd /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"
O4 - Startup: Hardcopy.LNK = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Help Update.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O15 - Trusted Zone: http://www.hostlink.eds.com (HKLM)
O15 - Trusted Zone: http://fsnccma (HKLM)
O15 - Trusted Zone: http://www.hostlink.eds.com (HKCU)
O15 - Trusted Zone: http://fsnccma (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.inforumonline.com/router/citrix/webclient.cab
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - http://fsntelrad/ami/install/amiconference.cab
O16 - DPF: {3591A50D-18FD-42BC-8D10-6C93BDAF2DA0} (Data Dynamics #Grid 2.0 (ICursor)) - http://esig/exv/pws2/cab/sg20.ocx
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {4B4F8F8F-9CE3-4C54-BDB7-66F44E2F62A1} (IChartDocMngr Control) - http://esig/exv/installs/iChartDocMngr.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129748895479
O16 - DPF: {7814BDAA-A125-44BB-A3F4-BE87D8767AFF} (Bridge Class) - http://esig/exv/pws2/wordcnt/wordcnt.cab
O16 - DPF: {78C21026-00DD-42FF-8FE3-94BDB929B9B8} (PSMike Control) - http://esig/exv/installs/PSMike.cab
O16 - DPF: {792A484F-C378-4B63-AD28-EF4FD490F00E} (IChartLogger Control) - http://esig/exv/installs/iChartLogger.ocx
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://fsnweb1/TSWeb/msrdp.cab
O16 - DPF: {93BE011C-F234-4070-886D-A5F9D4D712AE} (IChartConfig Control) - http://esig/exv/installs/iChartConfig.ocx
O16 - DPF: {95A451DA-30B8-4459-87C2-595423821CAE} (IChartPlayer Control) - http://esig/exv/installs/iChartPlayer.ocx
O16 - DPF: {C77E5943-BF77-479A-8BB6-F96A3855D4D8} (RouterTools.AutoAttestation) - https://www.inforumonline.com/router/RouterTools.CAB
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) - http://fsntaweb1/wfcstatic/plugins/jre-1_5...dows-i586-p.exe
O16 - DPF: {CB320D1A-2077-4C5C-94E1-5BDA366593EE} (IChartRtfViewer Control) - http://esig/exv/installs/iChartRtfViewer.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pressganey.webex.com/client/T25L/event/ieatgpc.cab
O16 - DPF: {F60EA672-8783-4643-80A7-FC250647DBD2} (IChartLifeSupport Control) - http://esig/exv/installs/iChartLifeSupport.ocx
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA6)) - http://fsntelrad/ami/install/amiviewer.cab
O17 - HKLM\Software\..\Telephony: DomainName = mfad.mfroot.org
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = mfad.mfroot.org
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = mfad.mfroot.org
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


--
End of file - 12215 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\xxxxxx\locals~1\temp\catchme.sys (file missing)
S3 NAVENG - c:\progra~1\common~1\symant~1\virusd~1\20071202.001\naveng.sys (file missing)
S3 NAVEX15 - c:\progra~1\common~1\symant~1\virusd~1\20071202.001\navex15.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
R2 MySql - c:\mysql\bin\mysqld-nt.exe
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-06 10:18:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 10:18:19 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 10:18:17 0 d-------- C:\WINDOWS\LastGood
2008-05-06 10:13:05 0 d-------- H:\Deckard
2008-05-06 09:29:06 0 d-------- C:\Documents and Settings\xxxxxx\Application Data\Lavasoft
2008-05-06 08:29:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-06 08:29:45 0 d-------- C:\Documents and Settings\xxxxxx\Application Data\Mozilla
2008-05-05 09:25:20 91864 --a------ C:\WINDOWS\system32\tlntsess.dll
2008-04-25 13:19:27 0 d-------- C:\Program Files\MSECache
2008-04-22 16:30:39 0 d-------- C:\Documents and Settings\xxxxxx\Application Data\Citrix
2008-04-11 07:35:24 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-06 10:08:42 0 d-------- C:\Documents and Settings\xxxxxx\Application Data\KlipFolio
2008-05-06 09:28:51 0 d-------- C:\Program Files\Lavasoft
2008-05-02 16:33:56 0 d-------- C:\Program Files\Hardcopy
2008-05-01 14:50:28 0 d-------- C:\Program Files\SPSS
2008-04-15 14:18:06 73 --a------ C:\WINDOWS\system32\ssprs.dll
2008-04-15 14:18:06 0 d-------- C:\Program Files\SPSS Text Analysis for Surveys
2008-04-14 21:51:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-14 13:09:09 0 d-------- C:\Program Files\QuickTime
2008-03-31 08:59:59 0 d-------- C:\Documents and Settings\xxxxxx\Application Data\ICAClient
2008-03-27 12:35:43 0 d-------- C:\Program Files\Common Files
2008-03-19 09:58:44 0 d-------- C:\Documents and Settings\xxxxxx\Application Data\WebEx
2008-03-17 15:24:51 0 d-------- C:\Program Files\Java
2008-03-07 11:43:50 0 d-------- C:\Program Files\Google
2008-03-07 11:38:06 13036 --a------ C:\Documents and Settings\xxxxxx\Application Data\Comma Separated Values (DOS).CAL
2008-03-06 15:50:54 0 d-------- C:\Program Files\Citrix
2008-02-12 13:59:02 202827 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/05/2005 09:19 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [02/12/2004 12:49 PM]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [08/10/2002 05:20 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/14/2008 01:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/28/2007 12:45 PM]
"KlipFolio"="C:\Program Files\KlipFolio\KlipFolio.exe" [12/28/2007 12:49 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB549"=command /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"
"SpybotDeletingD3834"=cmd /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA9732"=command /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"
"SpybotDeletingC7973"=cmd /c del "C:\WINDOWS\system32\bho.dll_tobedeleted_old"

C:\Documents and Settings\xxxxxx\Start Menu\Programs\Startup\
Hardcopy.LNK - C:\Program Files\Hardcopy\hardcopy.exe [10/12/2005 1:19:36 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 1:05:26 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [12/28/2007 12:45:49 PM]
Help Update.lnk - C:\FSH95L\gp00\bin\xfer95L.exe [7/29/2006 5:11:42 AM]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{42ACCB45-3363-47E0-94E9-F0074CC8BC56}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [3/6/2008 3:51:03 PM]




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7631 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-06 11:34:56 ------------

Extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1014.07 MiB / 471.49 MiB
Pagefile Memory (total/avail): 2444.59 MiB / 2104.56 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.53 MiB

C: is Fixed (NTFS) - 74.46 GiB total, 53.1 GiB free.
D: is CDROM (CDFS)
E: is Removable (FAT32)
G: is Network (NTFS)
H: is Network (NTFS)
I: is Network (NTFS)
J: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST3808110AS - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 74.46 GiB - C:

\\.\PHYSICALDRIVE1 - USB Flash Memory USB Device - 3.73 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.73 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\FSH95L\\gp00\\bin\\xfer95L.exe"="C:\\FSH95L\\gp00\\bin\\xfer95L.exe:*:Enabled:Xfer"
"C:\\Program Files\\SPSSInc\\SPSS16\\spss.com"="C:\\Program Files\\SPSSInc\\SPSS16\\spss.com:*:Disabled:SPSS 16.0 for Windows (1033:com)"
"C:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"="C:\\Program Files\\SPSSInc\\SPSS16\\spss.exe:*:Disabled:SPSS 16.0 for Windows (1033:exe)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\xxxxxx\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=xxxxxxx
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\
HOMESHARE=\\xxxxxxxxx\xxxxxx$
LOGONSERVER=\\xxxxxxx
LSHOST=fsn_b
MAYO_AD_COMPUTER_DN=CN=xxxxxx,OU=MANAGED COMPUTERS,OU=COMPUTERS,OU=LSE,DC=MFAD,DC=MFROOT,DC=ORG
MAYO_AD_COMPUTER_OU=MANAGED COMPUTERS
MAYO_AD_LOGONSERVER=MFADIR80
MAYO_AD_SITE_NAME=LaCrosse-Client
MAYO_AD_USER_DN=CN=xxxxxx,OU=USERS,OU=LSE,DC=MFAD,DC=MFROOT,DC=ORG
MAYO_AD_USER_OU=USERS
MAYO_COMPUTER_DOMAIN_NAME=MFAD
MAYO_COMPUTER_NAME=xxxxxxxx
MAYO_DISPLAY_MONITORS=1
MAYO_DISPLAY_RESOLUTION=1024X768
MAYO_MCR_DEPARTMENT=NONE
MAYO_MCR_FUNCTION=NON-EED
MAYO_MCR_STARTMENU=NONE
MAYO_OS_FUNCTION=WORKSTATION
MAYO_OS_PLATFORM=WINDOWS_NT
MAYO_OS_SP_VER=2.0
MAYO_OS_VER=5.1
MAYO_REMOTE_SESSION=FALSE
MAYO_SYSTEM_MOBILE=FALSE
MAYO_SYSTEM_TABLET=FALSE
MAYO_USER_DOMAIN_NAME=MFAD
MAYO_USER_NAME=xxxxxx
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;;c:\mysql\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SPSSWNHOME=C:\Program Files\SPSS Text Analysis for Surveys\dict
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\xxxxxx\LOCALS~1\Temp
TMP=C:\DOCUME~1\xxxxxx\LOCALS~1\Temp
USERDNSDOMAIN=MFAD.MFROOT.ORG
USERDOMAIN=MFAD
USERNAME=xxxxxx
USERPROFILE=C:\Documents and Settings\xxxxxxx
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

xxxxxxx (new local, net ready)
xxxxxxx (new local, net ready)
xxxxxxx
xxxxxxx (admin)
xxxxxxx (admin)
xxxxxxx
xxxxxxx
xxxxxxx (admin)
xxxxxxx (new local, net ready)
xxxxxxx (new local, admin, net ready)
xxxxxxx (admin)
xxxxxxx (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{23FDE075-0CA4-440C-BCF2-0E93F8ADDB3D}
--> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5064C4D7-156F-4F5C-A2F7-1F04F94E788F}
--> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{55225B90-7A64-4780-84A5-6E4C9CFB3650}
--> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7DFB9090-59A9-4B4C-94F4-AA2EE1C4913F}
--> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E275271A-08AA-439A-A5CE-346FEBB0823D}
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL6.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
BusinessMAP 4.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B9EEC87A-7F7A-45C4-9B0E-01B96C7C2AAD}
Citrix Presentation Server Client --> MsiExec.exe /I{42ACCB45-3363-47E0-94E9-F0074CC8BC56}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DataBay Navigate --> MsiExec.exe /X{1DFCCE0E-F266-415F-AD4D-274A77F4C6EE}
DataBay Navigate --> MsiExec.exe /X{E4BA1E66-34FE-42BD-9597-8337B4E83627}
DataBay Navigate --> MsiExec.exe /X{F35E5225-D714-48B5-B757-8BF3803F3E21}
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
Document Direct --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Franciscan Skemp Healthcare\Document Direct\Uninst.isu"
FSH Crystal Viewer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0FDC4C0-2FA2-11D1-8CD6-0004AC7460DD}\setup.exe" -uninst
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Horizon® Practice Plus 9.5 - Live --> "C:\UNINSTAL.EXE" "C:\INSTALL.LOG" "Horizon® Practice Plus 9.5 - Live Uninstall"
HP RISS Outlook PlugIn --> MsiExec.exe /X{5E674AD4-6D00-449E-803B-063A74FC8F3F}
IBM iSeries Access for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KlipFolio (remove only) --> "C:\Program Files\KlipFolio\KlipFolio.exe" /UNINSTALL
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MetaFrame Presentation Server Web Client for Win32 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wficat.inf,DefaultUninstall
Microsoft Office Access 2003 --> MsiExec.exe /I{90150409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MySQL Servers and Clients 4.0.15 --> C:\WINDOWS\IsUninst.exe -fC:\mysql\Uninst.isu
NetTerm --> C:\WINDOWS\uninst.exe -f"C:\Program Files\netterm\DeIsL1.isu"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
SPSS 15.0 for Windows --> MsiExec.exe /X{15B25E12-3E5F-4C13-A637-9EC72A55491E}
SPSS 16.0 for Windows --> MsiExec.exe /X{621025AE-3510-478E-BC27-1A647150976F}
SPSS Text Analysis for Surveys 1.0 --> C:\Program Files\SPSS Text Analysis for Surveys\_uninst\uninstall_stas.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
U.S. Shaded Relief --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{992105F3-548F-4276-BA17-CAF77B3BF085}
Uninstall Hardcopy --> SwSetupu C:\WINDOWS\Hardcopy.del
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4564 / Error
Event Submitted/Written: 05/06/2008 08:55:56 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application EXCEL.EXE, version 11.0.6560.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4563 / Error
Event Submitted/Written: 05/06/2008 08:22:33 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4562 / Error
Event Submitted/Written: 05/06/2008 08:20:17 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4559 / Warning
Event Submitted/Written: 05/06/2008 07:57:16 AM
Event ID/Source: 22 / Norton AntiVirus
Event Description:
Symantec AntiVirus Realtime Protection failed to load.

Event Record #/Type4554 / Error
Event Submitted/Written: 05/05/2008 10:26:43 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10294 / Warning
Event Submitted/Written: 05/05/2008 08:17:09 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/mfadir80.mfad.mfroot.org/mfad.mfroot.org@mfad.mfroot.org. No authentication protocol was available.

Event Record #/Type10293 / Warning
Event Submitted/Written: 05/05/2008 06:30:09 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/mfadir81.mfad.mfroot.org/mfad.mfroot.org@mfad.mfroot.org. No authentication protocol was available.

Event Record #/Type10292 / Warning
Event Submitted/Written: 05/05/2008 04:39:09 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/mfadir81.mfad.mfroot.org/mfad.mfroot.org@mfad.mfroot.org. No authentication protocol was available.

Event Record #/Type10291 / Warning
Event Submitted/Written: 05/05/2008 02:54:08 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/mfadir81.mfad.mfroot.org/mfad.mfroot.org@mfad.mfroot.org. No authentication protocol was available.

Event Record #/Type10290 / Warning
Event Submitted/Written: 05/05/2008 01:04:08 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/mfadir81.mfad.mfroot.org/mfad.mfroot.org@mfad.mfroot.org. No authentication protocol was available.



-- End of Deckard's System Scanner: finished at 2008-05-06 11:34:56 ------------



Please let me know if you need anything else.

Thanks!

-DC


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:01:38 PM

Posted 30 May 2008 - 10:46 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum. Sorry for the delay in responding, but the number of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Thanks for your patience. :thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:01:38 PM

Posted 04 June 2008 - 04:44 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks



