
Please Review My Logs - Not Sure If I Have A Bug


14 replies to this topic

#1 bmillion

Posted 11 June 2008 - 04:35 PM

Hello:

I've followed stickies under the assumption that I had a bug. Also did a defrag. Kaspersky did not find anything. Puter acting real slow to launch apps. Even put more DRAM in machine - but doesn't seem to make any difference. Would appreciate any thoughts folks may have.

Deckard's System Scanner v20071014.68
Run by XXXXXXXXXXXXXX on 2008-06-11 17:02:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System ResXXXe --------------------------------------------------------------

System ResXXXe is disabled; attempting to re-enable...failed; access is denied.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as XXXXXXXXXXXXXX.exe) ----------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-11 17:04:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\Shared Files\residentAgent.exe
C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\XDDClient.exe
C:\Program Files\LANDesk\LDClient\rcgui.exe
C:\Program Files\LANDesk\LDClient\collecXXX.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\LANDesk\LDClient\SoftMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\LANDesk\LDClient\WebPortal\SDClientMoniXXX.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\DOCUME~1\XXXXXXXX~1.XXX\LOCALS~1\Temp\tsc.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\X1\X1Systray.exe
C:\Program Files\X1\X1.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\X1\textExtracXXX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\XXXXXXXXXXXXXX\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [LANDeskInvenXXXyClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=XXXXXXXX.XX.XXX.XXXXXXXXXXXXXX.com:5007 /S=XXXXXXXX.XX.XXX.XXXXXXXXXXXXXX.com /I=HTTP://XXXXXXXX.XX.XXX.XXXXXXXXXXXXXX.com/ldlogon/ldappl3.ldz /NOUI /rstart=60
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /rstart=60
O4 - HKLM\..\Run: [SDClientMoniXXX] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmoniXXX.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\XXXXXXXXXXXXXX\Local Settings\Application Data\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [tsc] C:\DOCUME~1\XXXXXXXX~1.XXX\LOCALS~1\Temp\tsc.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: X1 System Tray.lnk = C:\Program Files\X1\X1Systray.exe
O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
O4 - Global Startup: AuXXXunsDisabled
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Documents and Settings\XXXXXXXXXXXXXX\Desktop\port-oee492670\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Documents and Settings\XXXXXXXXXXXXXX\Desktop\port-oee492670\Add_AllO.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\Software\..\Telephony: DomainName = XX.XXX.XXXXXXXXXXXXXX.com
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = XX.XXX.XXXXXXXXXXXXXX.com
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = XX.XXX.XXXXXXXXXXXXXX.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = XX.XXX.XXXXXXXXXXXXXX.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentAgent.exe
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk® Extended device discovery service (LDXDD) - Unknown owner - C:\Program Files\LANDesk\LDClient\XDDClient.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: LANDesk® Software MoniXXXing Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\SoftMon.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O24 - Desktop Component 0: -

--
End of file - 14063 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ISODrive (ISO DVD/CD-ROM Device Driver) - c:\program files\ultraiso\drivers\isodrive.sys <Not Verified; EZB Systems, Inc.; ISODrive>
R2 DLPORTIO - c:\windows\dlportio.sys
R3 WOEM_3_2a (WinPcap Packet Driver (WOEM_3_2a)) - c:\windows\system32\drivers\woem_3_2a.sys (file missing)

S3 libusb0 (LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1) - c:\windows\system32\drivers\libusb0.sys
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)
S3 TPPWRIF - c:\documents and settings\all users\application data\vulscan\tppwrif.sys
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CBA8 (LANDesk® Management Agent) - "c:\program files\landesk\shared files\residentagent.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk® Management Agent>
R2 IFXSpMgtSrv (Security Platform Management Service) - c:\windows\system32\ifxspmgt.exe <Not Verified; Infineon Technologies AG; Infineon TPM Software>
R2 IFXTCS (Trusted Platform Core Service) - c:\windows\system32\ifxtcs.exe <Not Verified; Infineon Technologies AG; Infineon TPM Software>
R2 Intel Local Scheduler Service - "c:\program files\landesk\ldclient\localsch.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; LANDesk Software Ltd.; Intel Common Base Agent>
R2 Intel Targeted Multicast (LANDesk Targeted Multicast) - c:\program files\landesk\ldclient\tmcsvc.exe <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 ISSUSER (LANDesk Remote Control Service) - c:\progra~1\landesk\ldclient\issuser.exe /service <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 LDXDD (LANDesk® Extended device discovery service) - "c:\program files\landesk\ldclient\xddclient.exe" <Not Verified; ; LANDesk Software>
R2 Softmon (LANDesk® Software MoniXXXing Service) - "c:\progra~1\landesk\ldclient\softmon.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000
Service: BTWDNDIS


-- Files created between 2008-05-11 and 2008-06-11 -----------------------------

2008-06-11 09:26:29 0 dr-h----- C:\Documents and Settings\XXXXXXXXXXXXXX\Recent
2008-06-11 08:26:29 0 d-------- C:\WINDOWS\Replay Media Catcher
2008-06-10 15:35:19 19968 --a------ C:\WINDOWS\system32\avutil-49.dll
2008-06-10 15:35:18 448512 --a------ C:\WINDOWS\system32\avformat-50.dll
2008-06-10 15:35:18 3345408 --a------ C:\WINDOWS\system32\avcodec-51.dll
2008-06-10 15:35:18 0 d-------- C:\Program Files\Common Files\Eltima Shared
2008-06-10 15:35:16 0 d-------- C:\Program Files\Eltima Software
2008-06-10 15:09:52 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Eltima Software
2008-06-10 15:09:50 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 14:52:04 0 d-------- C:\Program Files\Real Alternative
2008-06-10 14:52:04 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Real
2008-06-10 14:52:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-06-10 14:49:32 0 d-------- C:\Program Files\WinAVIVideoConverter
2008-06-09 12:41:46 0 d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-06-09 12:41:45 0 d-------- C:\Program Files\GiPo@Utilities
2008-06-09 10:05:04 0 d-------- C:\Program Files\Replay Media Catcher
2008-06-05 12:01:23 129024 --a------ C:\WINDOWS\system32\AVERM.dll
2008-06-05 12:01:23 28672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-06-05 12:01:21 0 d-------- C:\Program Files\Ultra Mobile 3GP Video Converter
2008-06-04 12:32:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 12:32:07 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 21:03:36 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2008-06-03 12:01:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-03 10:22:35 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Research In Motion
2008-06-03 10:15:04 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-03 10:14:54 0 d-------- C:\Program Files\Roxio
2008-06-03 10:11:24 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Blackberry Desktop
2008-06-03 10:11:03 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-06-03 10:04:56 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-02 14:40:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 10:03:08 0 d-------- C:\OutputFolder
2008-06-01 18:54:34 0 d-------- C:\Offline Explorer
2008-05-31 16:30:50 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\SuperBot
2008-05-31 16:15:34 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\WebStripper
2008-05-31 16:15:32 0 d-------- C:\Program Files\Solent
2008-05-30 22:43:15 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-30 20:38:42 0 d-------- C:\Program Files\CamStudio
2008-05-30 19:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:11:06 0 d-------- C:\Program Files\Stellant
2008-05-30 10:10:41 0 d-------- C:\Program Files\X1
2008-05-26 17:21:43 0 d-------- C:\VondsVibe
2008-05-26 16:58:29 0 d-------- C:\Program Files\infallsoft
2008-05-22 18:22:18 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 18:19:46 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 18:19:46 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 18:18:54 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-21 14:09:59 0 d-------- C:\Program Files\AT&W
2008-05-21 14:09:32 0 d-------- C:\WINDOWS\system32\windows media
2008-05-21 14:09:26 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-05-21 14:09:22 0 d-------- C:\Program Files\Windows Media Components
2008-05-21 14:06:32 0 d-------- C:\Program Files\Visible Light
2008-05-21 10:23:27 0 d-------- C:\Program Files\WinMX
2008-05-21 10:20:24 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Apple Computer
2008-05-21 08:25:42 2924 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-05-14 14:11:23 0 d-------- C:\Program Files\WMR11


-- Find3M Report ---------------------------------------------------------------

2008-06-11 09:22:52 0 d-------- C:\Program Files\DivX
2008-06-11 08:31:44 256 --a----c- C:\WINDOWS\system32\pool.bin
2008-06-11 07:00:04 0 d-------- C:\Program Files\LogMeIn
2008-06-10 15:35:18 0 d-------- C:\Program Files\Common Files
2008-06-10 10:58:11 0 d-------- C:\Program Files\Windows Desktop Search
2008-06-06 14:24:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 17:37:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-03 12:34:24 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Roxio
2008-06-03 10:15:40 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-03 07:50:45 0 d-------- C:\Program Files\Java
2008-06-03 07:50:06 0 d-------- C:\Program Files\Google
2008-05-30 22:49:13 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Adobe
2008-05-21 14:06:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-03 22:57:48 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\dvdcss
2008-05-01 11:19:50 0 d-------- C:\Program Files\McAfee
2008-05-01 11:19:50 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-30 14:17:27 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Serious Magic
2008-04-25 17:06:59 0 d-------- C:\Program Files\DrillDraw 6
2008-04-25 14:06:04 0 d-------- C:\Program Files\SlySoft
2008-04-22 17:57:41 0 dr------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Brother
2008-04-18 10:08:22 0 d-------- C:\Documents and Settings\XXXXXXXXXXXXXX\Application Data\Macromedia
2008-04-18 10:07:47 0 d-------- C:\Program Files\Common Files\Macromedia
2008-04-08 08:33:02 760 --a----c- C:\WINDOWS\system32\install_dlportio.bat
2008-04-08 08:33:01 176 --a----c- C:\WINDOWS\system32\status_dlportio.bat
2008-04-08 08:33:00 27460 --a----c- C:\WINDOWS\system32\loaddrv.exe
2008-04-08 08:33:00 34816 --a----c- C:\WINDOWS\system32\Dlportio.dll <Not Verified; Scientific Software Tools, Inc.; DriverLINX Port I/O Driver>
2008-04-08 08:33:00 3584 --a----c- C:\WINDOWS\Dlportio.sys
2008-03-28 17:39:16 96 --a------ C:\HtmTemp.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LANDeskInvenXXXyClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [04/01/2008 07:39 PM]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [05/02/2008 10:32 AM]
"SDClientMoniXXX"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmoniXXX.exe" [29/11/2007 11:40 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [14/09/2007 10:32 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [14/09/2007 10:32 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [14/09/2007 08:29 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 05:22 PM]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [11/05/2007 03:08 AM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 05:06 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [13/07/2006 09:12 AM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [03/08/2007 04:09 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [05/01/2007 06:36 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [16/10/2007 08:50 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [08/05/2007 04:24 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 AM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [23/04/2007 11:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"Mail.com"="C:\Program Files\mail.com\mcalert.exe" [25/06/2007 04:14 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [11/09/2006 05:40 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [18/04/2008 11:16 AM]
"Windows Live FolderShare"="C:\Documents and Settings\XXXXXXXXXXXXXX\Local Settings\Application Data\FolderShare\FolderShare.exe" [15/04/2008 02:15 PM]
"tsc"="C:\DOCUME~1\XXXXXXXX~1.XXX\LOCALS~1\Temp\tsc.exe" []
"mount.exe"="C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe" [11/04/2008 04:17 PM]

C:\Documents and Settings\XXXXXXXXXXXXXX\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [02/10/2007 1:16:42 PM]
X1 System Tray.lnk - C:\Program Files\X1\X1Systray.exe [30/05/2008 10:10:54 AM]
X1.lnk - C:\Program Files\X1\X1.exe [30/05/2008 10:10:54 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [02/10/2007 1:16:42 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideShutdownScripts"=1 (0x1)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=1 (0x1)
"HideLogoffScripts"=1 (0x1)
"RunLogonScriptSync"=1 (0x1)
"HideLogonScripts"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"Intellimenus"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll 03/03/2006 04:08 PM 434176 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 15/11/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=NALDAgent_Shutdown_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NALDAgent_Startup_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\SysVol\XX.XXX.XXXXXXXXXXXXXX.com\scripts\XXX\XXBays\MCL\startup\global_startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\1]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\SysVol\XX.XXX.XXXXXXXXXXXXXX.com\scripts\XXX\XXBays\MCL\startup\borealis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\2]
"Script"=\\XXXzzz61\apps\EQUITRAC\setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\3]
"Script"=\\XXXzzz61\apps\KB903234\install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=TZMove.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=LD_InvenXXXy_v1.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\0\0]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\SysVol\XX.XXX.XXXXXXXXXXXXXX.com\scripts\Outlook_2003_Registry_Fixes.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\0]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\netlogon\XXX\XXBays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\1]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\netlogon\XXX\XXBays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\2]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\SysVol\XX.XXX.XXXXXXXXXXXXXX.com\scripts\XXX\XXBays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\3]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\NETLOGON\XXX\XXBays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\0]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\netlogon\XXX\XXBays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\1]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\netlogon\XXX\XXBays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\2]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\SysVol\XX.XXX.XXXXXXXXXXXXXX.com\scripts\XXX\XXBays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\3]
"Script"=\\XX.XXX.XXXXXXXXXXXXXX.com\NETLOGON\XXX\XXBays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad784fea-31a2-11dd-bf2e-001641b9b85d}]
Autorun\command- G:\_MyPendrive\MyPendrive.exe
MyPendrive\command- G:\_MyPendrive\MyPendrive.exe
progr0\command- G:\CD_ROOT\CD_Start.exe




-- End of Deckard's System Scanner: finished at 2008-06-11 17:07:34 ------------




Here is the EXTRA.txt File output.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 2039.36 MiB / 1165.34 MiB
Pagefile Memory (total/avail): 2926.32 MiB / 2351.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.73 MiB

C: is Fixed (NTFS) - 18.63 GiB total, 9.49 GiB free.
D: is Fixed (NTFS) - 37.27 GiB total, 15.82 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
H: is Network (NTFS)
K: is Network (NTFS)
R: is Network (NTFS)
S: is Network (NTFS)
T: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST96812AS - 55.9 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 18.63 GiB - C:
\PARTITION1 - Installable File System - 37.27 GiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\cba\\pds.exe"="C:\\WINDOWS\\system32\\CBA\\pds.exe:*:enabled:LANDesk® Ping Discovery Service"
"C:\\WINDOWS\\system32\\msgsys.exe"="C:\\WINDOWS\\system32\\msgsys.exe:*:Enabled:LANDesk Message Service"
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"="C:\\Program Files\\LANDesk\\LDClient\\issuser.exe:*:Enabled:LANDesk Remote Control Agent"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:enabled:LANDesk® Targeted Multicast Client"
"%windir%\\system32\\msgsys.exe"="%windir%\\system32\\msgsys.exe:*:enabled:LANDesk® CBA Message System"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"="C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Documents and Settings\\XXXXXXXXX\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"="C:\\Documents and Settings\\XXXXXXXXX\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk® Management Agent"
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"="C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe:*:Enabled:XDDClient"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\CBA\\pds.exe"="C:\\WINDOWS\\system32\\CBA\\pds.exe:*:enabled:LANDesk® Ping Discovery Service"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:enabled:LANDesk® Targeted Multicast Client"
"%windir%\\system32\\msgsys.exe"="%windir%\\system32\\msgsys.exe:*:enabled:LANDesk® CBA Message System"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"="C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\XXXXXXXXX\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"="C:\\Documents and Settings\\XXXXXXXXX\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk® Management Agent"
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"="C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe:*:Enabled:XDDClient"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\XXXXXXXXX\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=XXXXXXXXXXXX-NXP7529
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\XXXXXXXXX
LDMS_LOCAL_DIR=C:\Program Files\LANDesk\LDClient\Data
LOGONSERVER=\\XXXXXXXXXGDC03
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\XXXXX~1.OHO\LOCALS~1\Temp
TMP=C:\DOCUME~1\XXXXX~1.OHO\LOCALS~1\Temp
USERDNSDOMAIN=XXXXX.COM
USERDOMAIN=XXXXX
USERNAME=XXXXXXXXX
USERPROFILE=C:\Documents and Settings\XXXXXXXXX
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

XXXXXXXXX (admin)
robertsdadmin (admin)
AdministraXXXXXXXXX (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
--> MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
--> MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
--> MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
--> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
--> MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
AC3File (remove only) --> C:\Program Files\AC3File\uninstall.exe
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{786547F9-59BB-4FA3-B2D8-327FF1F14870}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Agere Systems HDA Modem --> agrsmdel
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AuthenTec Fingerprint Sensor Minimum Install --> MsiExec.exe /I{F42051C0-6158-4656-BEF4-C43D5C480DC0}
AVI Joiner --> "C:\Program Files\avijoin\unins000.exe"
BlackBerry Desktop Software 4.2.2 --> MsiExec.exe /i{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
BlackBerry Desktop Software 4.2.2 --> MsiExec.exe /I{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
Broadcom 802.11 Wireless LAN Adapter --> "C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Broadcom\Broadcom 802.11\Driver"
Broadcom NetXtreme Ethernet Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
coverXP (remove only) --> "C:\Program Files\coverXP\cxp-uninst.exe"
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DrillDraw version 6.1.3.5 --> MsiExec.exe /X{737FB382-23E4-480C-941F-A5726A2711D6}
Equitrac Office Client HF-152119 --> MsiExec.exe /I{CA5CC83C-BFBB-41F1-84E0-714102319CDB}
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
FolderMatch v3.4.8 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\FolderMatch\ST6UNST.LOG"
Foxit PDF CreaXXXXXXXXX --> C:\Program Files\Foxit Software\PDF CreaXXXXXXXXX\FPC_Uninstall.exe
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Garmin WebUpdater --> MsiExec.exe /X{366FFC89-C800-4366-B903-B9C4314109A5}
GEUS Event Log --> MsiExec.exe /X{C0393250-2835-4975-8450-EBAEEB93D17A}
GiPo@FileUtilities 3.2 --> MsiExec.exe /I{E2B64929-B616-4235-B10E-D26D686296F9}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Hackman Suite --> "C:\Program Files\TechnoLogismiki\Hackman\Uninstall.exe" "C:\Program Files\TechnoLogismiki\Hackman\install.log" -u
HijackThis 2.0.2 --> "C:\Documents and Settings\XXXXXXXXX\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Broadband Wireless Modules --> MsiExec.exe /X{773D6C77-4A5A-45C4-B4DE-3B6DAB4785BC}
HP Embedded Security for ProtectTools --> MsiExec.exe /I{4BA3DDD4-BC91-48B2-8896-7A02C34829D7}
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP ProtectTools Security Manager --> MsiExec.exe /I{2DB165DC-DDB4-403F-B985-19F3EC7D0357}
HP Quick Launch Buttons 6.40 B2 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel® Graphics Media AcceleraXXXXXXXXX Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
jZip --> C:\Program Files\jZip\Uninstall.exe C:\PROGRA~1\jZip\UNWISE.EXE C:\PROGRA~1\jZip\INSTALL.LOG
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LANDesk Advance Agent --> MsiExec.exe /I{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}
LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Mail.com Alert --> C:\Program Files\mail.com\uninst.exe
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Mega Manager --> C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Live Meeting 2007 --> MsiExec.exe /I{7DB92914-0A00-48C6-8DBB-F8E9D02B78B1}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{91510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 8 Micro v8.0.3.0 --> "C:\Program Files\Nero\unins000.exe"
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\CXXXXXXXXX.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
O&O Defrag Professional Edition --> MsiExec.exe /I{53480330-E1D1-41CA-B8F8-7F78644F7F50}
OnStage DVD for Powerpoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\CXXXXXXXXX.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E98D76BD-AB31-4D3E-9EA3-5C9922191618}\Setup.exe" -l0x9
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Real Alternative 1.8.0 --> "C:\Program Files\Real Alternative\unins000.exe"
Replay Media Catcher --> "C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
Replay Media Catcher --> C:\PROGRA~1\REPLAY~1\UNWISE.EXE C:\PROGRA~1\REPLAY~1\INSTALL.LOG
Roxio Media Manager --> MsiExec.exe /X{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
SlingPlayer --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{004B0DCB-4C60-465B-8F01-44B0A4111187} /l1033
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\CXXXXXXXXX.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
SWF & FLV Toolbox 3.5 (build 3.5.19.275) --> "C:\Program Files\Eltima Software\SWF & FLV Toolbox\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
SyncToy 2.0 Beta --> MsiExec.exe /I{F3666943-0411-41D1-8015-8B572B6E91A7}
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{48CF6549-B45D-4313-9927-EFCCC8A3493F} /l1033
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}\setup.exe -runfromtemp -l0x0409
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Ultra Mobile 3GP Video Converter 3.9.1120 --> "C:\Program Files\Ultra Mobile 3GP Video Converter\unins000.exe"
UltraISO Premium V8.66 --> "C:\Program Files\UltraISO\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Studio 2005 Tools for Office Second Edition Runtime --> C:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
WebEx --> C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe
WinAVIVideoConverter --> "C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSXXXXXXXXXE\RoundTable_F29D632BDCC1844B9B7688A0A4B4DA9E716B76FF\RoundTable.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live FolderShare Beta --> MsiExec.exe /X{FE434300-A311-4BE1-93BA-B74BC8C4017B}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
X1 --> "C:\Program Files\X1\X1.exe" -uninstall
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type14642 / Error
Event Submitted/Written: 06/11/2008 04:45:45 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type14641 / Warning
Event Submitted/Written: 06/11/2008 04:45:45 PM
Event ID/Source: 1202 / SceCli
Event Description:
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".

Event Record #/Type14640 / Error
Event Submitted/Written: 06/11/2008 04:45:12 PM
Event ID/Source: 259 / McLogEvent
Event Description:
McAfee alerting interface unable to send alert to \\XXXXXXXXXapp64.na.corp.izzzz.com\pipe\AlertManager. Error returned = The system cannot find the file specified.

Event Record #/Type14638 / Error
Event Submitted/Written: 06/11/2008 04:44:03 PM
Event ID/Source: 259 / McLogEvent
Event Description:
McAfee alerting interface unable to send alert to \\XXXXXXXXXapp64.na.corp.zzzz.com\pipe\AlertManager. Error returned = The system cannot find the file specified.

Event Record #/Type14636 / Error
Event Submitted/Written: 06/11/2008 04:38:16 PM
Event ID/Source: 259 / McLogEvent
Event Description:
McAfee alerting interface unable to send alert to \\XXXXXXXXXapp64.na.corp.zzzzz.com\pipe\AlertManager. Error returned = The system cannot find the file specified.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type58116 / Warning
Event Submitted/Written: 06/11/2008 03:35:52 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns1.truenorth.com. No authentication protocol was available.

Event Record #/Type58113 / Warning
Event Submitted/Written: 06/11/2008 03:33:45 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

Event Record #/Type58099 / Warning
Event Submitted/Written: 06/11/2008 03:10:32 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type58098 / Warning
Event Submitted/Written: 06/11/2008 03:07:57 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns1.truenorth.com. No authentication protocol was available.

Event Record #/Type58097 / Warning
Event Submitted/Written: 06/11/2008 03:07:57 PM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for
server DNS/ns1.truenorth.com. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon request.
(0xc000005e)".



-- End of Deckard's System Scanner: finished at 2008-06-11 17:07:34 ------------



Thanks :thumbsup:

Edited by bmillion, 12 June 2008 - 06:36 AM.
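The DSS registry dump above contains three things a reviewer checks by eye before looking for malware: the Group Policy machine startup scripts (two of them, EQUITRAC\setup.bat and KB903234\install.exe, run from a plain \\XXXzzz61\apps share rather than SYSVOL or NETLOGON, and a machine startup script runs as SYSTEM at boot, so whoever can write to that share controls every client that applies the policy), the Windows Firewall AuthorizedApplications lists (one exception, FolderShare.exe, points at a binary inside the user's own profile, which anything running as that user can overwrite), and the cached mountpoints2 AutoRun handler for a pen drive. The script below is an added example, not code from the original post, from DSS or from HijackThis; it parses the "[key]" / "name"=data blocks DSS prints and applies those three checks. SAMPLE is constructed to mirror the posted log, and the host, share and user names in it (corp.example.com, fileserver61, jdoe) are placeholders. Note that the LANDesk and McAfee entries in the list are what a managed corporate build looks like and are not flagged.

```python
"""Triage of a Deckard's System Scanner (DSS) registry dump.

Added example; not code from the original post, from DSS or from HijackThis.
Parses the "[key]" / "name"=data blocks DSS prints and applies three checks.
SAMPLE is constructed to mirror the posted log; host, share and user names
in it are placeholders.
"""
import re

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\corp.example.com\SysVol\corp.example.com\scripts\startup\global_startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\2]
"Script"=\\fileserver61\apps\EQUITRAC\setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=TZMove.bat

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\jdoe\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"="C:\\Documents and Settings\\jdoe\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad784fea-31a2-11dd-bf2e-001641b9b85d}]
AutoRun\command- G:\_MyPendrive\MyPendrive.exe
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.*))$')          # "name"="data" or "name"=data
FW_RE = re.compile(r'^(.*?):([^:]*):(enabled|disabled):(.*)$', re.I)  # path:scope:state:label
MOUNT_RE = re.compile(r'^(\w+)\\command- (.*)$')
# Places the logged-on user can write. A binary here already holds a firewall
# exception, so anything running as that user can simply replace it.
USER_WRITABLE = ('c:\\documents and settings\\', '\\application data\\', '\\temp\\')


def parse_sections(text):
    """Yield (key, [value lines]) for each [key] block in a DSS registry dump."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key:
                yield key, lines
            key, lines = m.group(1), []
        elif line and key:
            lines.append(line)
    if key:
        yield key, lines


def norm_path(p):
    """Undo reg-export backslash doubling and expand %windir% for comparison."""
    return p.replace('\\\\', '\\').replace('%windir%', 'C:\\WINDOWS').lower()


def triage(text):
    """Return (severity, category, detail) findings for the three checks."""
    findings = []
    for key, lines in parse_sections(text):
        k = key.lower()
        if '\\machine\\scripts\\startup\\' in k:
            for line in lines:
                m = VALUE_RE.match(line)
                script = (m.group(2) or m.group(3)) if m else line
                s = script.lower()
                if not s.startswith('\\\\'):
                    # Bare name: resolved inside this GPO's own SYSVOL script folder.
                    findings.append(('info', 'gpo-startup', f'{script}: relative, resolved in SYSVOL'))
                elif '\\sysvol\\' in s or '\\netlogon\\' in s:
                    findings.append(('info', 'gpo-startup', f'{script}: SYSVOL/NETLOGON'))
                else:
                    # Runs as SYSTEM at boot on every client that applies the policy,
                    # so write access to this share is SYSTEM on every client.
                    findings.append(('high', 'gpo-startup',
                                     f'{script}: machine startup script on a non-SYSVOL share'))
        elif '\\authorizedapplications\\list' in k:
            for line in lines:
                m = VALUE_RE.match(line)
                if not m:
                    continue
                fw = FW_RE.match(m.group(2) or m.group(3) or '')
                if not fw or fw.group(3).lower() != 'enabled':
                    continue
                name, path = norm_path(m.group(1)), norm_path(fw.group(1))
                if name != path:
                    findings.append(('medium', 'firewall',
                                     f'{path}: value path differs from its key name {name}'))
                if any(t in path for t in USER_WRITABLE):
                    findings.append(('medium', 'firewall',
                                     f'{path}: exception for a binary in a user-writable location'))
        elif '\\explorer\\mountpoints2\\' in k:
            for line in lines:
                m = MOUNT_RE.match(line)
                if m:
                    # Cached handler for a volume; runs when the drive is opened
                    # if AutoRun is still allowed for that drive type.
                    findings.append(('review', 'autorun', f'{m.group(1)} -> {m.group(2)}'))
    return findings


if __name__ == '__main__':
    for sev, cat, detail in triage(SAMPLE):
        print(f'[{sev:6}] {cat:12} {detail}')
```

Paste a real DSS main.txt in place of SAMPLE to run it over a full log; the section parser ignores everything that is not a "[key]" block, so the HijackThis and process lists pass through untouched. The firewall check treats the key-name/value-path mismatch and the user-profile location as separate findings because they fail differently: the first is a sign someone edited the value by hand, the second is a standing exposure even when the entry is legitimate.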




#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:34 PM

Posted 05 July 2008 - 12:39 PM

Hello bmillion. :thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine)

We apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

If you would still like help, please follow these instructions:

Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
Next
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please make sure the following reports are present:
  • The Kaspersky scan report
  • DSS's Main.txt
  • DSS's Extra.txt

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 bmillion

bmillion
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 06 July 2008 - 02:56 PM

Kaspersky results:
Sunday, July 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 06, 2008 17:18:50
Records in database: 918686
Scan settings
Scan using the following database 	extended
Scan archives 	yes
Scan mail databases 	yes
Scan area 	My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 	56885
Threat name 	2
Infected objects 	2
Suspicious objects 	0
Duration of the scan 	01:35:41

File name 	Threat name 	Threats count
C:\Program Files\LANDesk\LDClient\PRODUKEY.EXE	Infected: not-a-virus:PSWTool.Win32.ProductKey.h	1	
D:\My Documents\SATS\OLDPLASTIC\_ROM10\Bev 3100 Tsop Flash And Rom10 Autoroll Only.zip

DSS Results
Deckard's System Scanner v20071014.68
Run by joe.smith on 2008-07-06 13:25:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...failed; access is denied.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as joe.smith.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:53 PM, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe
C:\PROGRA~1\LANDesk\LDClient\collecVNCR.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\xddclient.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\PROGRA~1\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmoniVNCR.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe
C:\DOCUME~1\joe~1.smt\LOCALS~1\Temp\tsc.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\X1\X1Systray.exe
C:\Program Files\X1\X1.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\joe.smith\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\joe.smith.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [LANDeskInvenVNCRyClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=NYCHAP01.intl.corp.myworknetwork.com:5007 /S=NYCHAP01.intl.corp.myworknetwork.com  /I=HTTP://NYCHAP01.intl.corp.myworknetwork.com/ldlogon/ldappl3.ldz /NOUI /rstart=60
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe"  /rstart=60
O4 - HKLM\..\Run: [SDClientMoniVNCR] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmoniVNCR.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [tsc] C:\DOCUME~1\joe~1.smt\LOCALS~1\Temp\tsc.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: X1 System Tray.lnk = C:\Program Files\X1\X1Systray.exe
O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
O4 - Global Startup: AuVNCRunsDisabled
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Documents and Settings\joe.smith\Desktop\port-oee492670\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Documents and Settings\joe.smith\Desktop\port-oee492670\Add_AllO.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intl.corp.myworknetwork.com
O17 - HKLM\Software\..\Telephony: DomainName = intl.corp.myworknetwork.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intl.corp.myworknetwork.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intl.corp.myworknetwork.com
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk(R) Extended device discovery service (LDXDD) - Unknown owner - C:\Program Files\LANDesk\LDClient\xddclient.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: LANDesk(R) Software MoniVNCRing Service (Softmon) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\softmon.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 13991 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ISODrive (ISO DVD/CD-ROM Device Driver) - c:\program files\ultraiso\drivers\isodrive.sys <Not Verified; EZB Systems, Inc.; ISODrive>
R2 DLPORTIO - c:\windows\dlportio.sys
R3 WOEM_3_2a (WinPcap Packet Driver (WOEM_3_2a)) - c:\windows\system32\drivers\woem_3_2a.sys (file missing)

S3 libusb0 (LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1) - c:\windows\system32\drivers\libusb0.sys
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)
S3 TPPWRIF - c:\documents and settings\all users\application data\vulscan\tppwrif.sys
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CBA8 (LANDesk(R) Management Agent) - "c:\program files\landesk\shared files\residentagent.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk(R) Management Agent>
R2 IFXSpMgtSrv (Security Platform Management Service) - c:\windows\system32\ifxspmgt.exe <Not Verified; Infineon Technologies AG; Infineon TPM Software>
R2 IFXTCS (Trusted Platform Core Service) - c:\windows\system32\ifxtcs.exe <Not Verified; Infineon Technologies AG; Infineon TPM Software>
R2 Intel Local Scheduler Service - "c:\program files\landesk\ldclient\localsch.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; LANDesk Software Ltd.; Intel Common Base Agent>
R2 Intel Targeted Multicast (LANDesk Targeted Multicast) - c:\program files\landesk\ldclient\tmcsvc.exe <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 ISSUSER (LANDesk Remote Control Service) - c:\progra~1\landesk\ldclient\issuser.exe /service <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 LDXDD (LANDesk(R) Extended device discovery service) - "c:\program files\landesk\ldclient\xddclient.exe" <Not Verified;; LANDesk Software>
R2 Softmon (LANDesk(R) Software MoniVNCRing Service) - "c:\progra~1\landesk\ldclient\softmon.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000
Service: BTWDNDIS


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 760)
2006-03-03 16:08:36	434176 --a------ C:\WINDOWS\system32\IfxWlxEN.dll <Not Verified; Infineon Technologies AG; Infineon TPM Software>

C:\WINDOWS\explorer.exe (pid 3544)
2006-05-12 14:15:24	 65536 --a------ C:\WINDOWS\system32\BTNCopy.dll <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.3500>
2006-11-17 05:06:00	106496 --a------ C:\Program Files\McAfee\Common Framework\JrMac.dll <Not Verified; McAfee, Inc.; McAfee Common Framework>
2008-05-30 10:10:54	 49152 --a------ C:\Program Files\X1\X1Launch.dll


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-06 13:27:40		 0 d-------- C:\Program Files\Trend Micro
2008-07-02 23:07:03		 0 d-------- C:\Program Files\ArmKeys
2008-06-25 15:03:04		 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-25 15:02:42		 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony Online Entertainment
2008-06-25 15:02:41		 0 d-------- C:\Program Files\Sony Online Entertainment
2008-06-19 12:21:50		 0 d-------- C:\Program Files\A-PDF Text ExtracVNCR
2008-06-19 12:19:39		 0 d-------- C:\Program Files\Freeware PDF Unlocker
2008-06-17 09:53:00	 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-06-17 09:53:00	 16512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-06-17 09:52:53		 0 d-------- C:\Program Files\ImTOO
2008-06-17 08:59:22		 0 d-------- C:\Documents and Settings\joe.smith\.dvdcss
2008-06-17 08:59:10		 0 d-------- C:\Program Files\Ultra DVD Ripper
2008-06-17 08:40:49		 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-17 08:40:48		 0 d-------- C:\Program Files\DVD Shrink
2008-06-12 08:25:35		 0 d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-12 07:43:38		 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-12 07:43:34		 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-12 07:43:34		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\SUPERAntiSpyware.com
2008-06-11 09:26:29		 0 dr-h----- C:\Documents and Settings\joe.smith\Recent
2008-06-11 08:26:29		 0 d-------- C:\WINDOWS\Replay Media Catcher
2008-06-10 15:35:19	 19968 --a------ C:\WINDOWS\system32\avutil-49.dll
2008-06-10 15:35:18	448512 --a------ C:\WINDOWS\system32\avformat-50.dll
2008-06-10 15:35:18   3345408 --a------ C:\WINDOWS\system32\avcodec-51.dll
2008-06-10 15:35:18		 0 d-------- C:\Program Files\Common Files\Eltima Shared
2008-06-10 15:35:16		 0 d-------- C:\Program Files\Eltima Software
2008-06-10 15:09:52		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Eltima Software
2008-06-10 15:09:50		 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 14:52:04		 0 d-------- C:\Program Files\Real Alternative
2008-06-10 14:52:04		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Real
2008-06-10 14:52:04		 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-06-10 14:49:32		 0 d-------- C:\Program Files\WinAVIVideoConverter
2008-06-09 10:05:04		 0 d-------- C:\Program Files\Replay Media Catcher


-- Find3M Report ---------------------------------------------------------------

2008-07-06 04:00:22		 0 d-------- C:\Program Files\LogMeIn
2008-07-04 21:13:12	   256 --a----c- C:\WINDOWS\system32\pool.bin
2008-07-02 23:08:47	286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-06-17 09:53:54		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\dvdcss
2008-06-12 08:31:04		 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 08:29:16		 0 d-------- C:\Program Files\Common Files
2008-06-12 08:28:11		 0 d-------- C:\Program Files\DivX
2008-06-12 08:12:23		 0 d-------- C:\Program Files\mail.com
2008-06-10 10:58:11		 0 d-------- C:\Program Files\Windows Desktop Search
2008-06-10 09:57:12		 0 d-------- C:\Program Files\WMR11
2008-06-10 09:55:00	 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2008-06-05 12:01:44		 0 d-------- C:\Program Files\Ultra Mobile 3GP Video Converter
2008-06-03 17:37:43		 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-03 12:34:24		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Roxio
2008-06-03 10:24:06		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Blackberry Desktop
2008-06-03 10:22:35		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Research In Motion
2008-06-03 10:16:57		 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-03 10:15:40		 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-03 10:15:27		 0 d-------- C:\Program Files\Roxio
2008-06-03 10:11:15		 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-06-03 07:51:53		 0 d-------- C:\Program Files\WinMX
2008-06-03 07:50:45		 0 d-------- C:\Program Files\Java
2008-06-03 07:50:06		 0 d-------- C:\Program Files\Google
2008-06-01 10:35:50		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\SuperBot
2008-05-31 16:29:02		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\WebStripper
2008-05-31 16:15:32		 0 d-------- C:\Program Files\Solent
2008-05-30 22:49:13		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Adobe
2008-05-30 22:43:15		 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-30 21:53:41		 0 d-------- C:\Program Files\CamStudio
2008-05-30 10:11:12		 0 d-------- C:\Program Files\Stellant
2008-05-30 10:11:04		 0 d-------- C:\Program Files\X1
2008-05-26 16:58:29		 0 d-------- C:\Program Files\infallsoft
2008-05-21 14:22:06		 0 d-------- C:\Program Files\AT&W
2008-05-21 14:09:22		 0 d-------- C:\Program Files\Windows Media Components
2008-05-21 14:06:32		 0 d-------- C:\Program Files\Visible Light
2008-05-21 14:06:31		 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 10:20:24		 0 d-------- C:\Documents and Settings\joe.smith\Application Data\Apple Computer
2008-04-08 08:33:02	   760 --a----c- C:\WINDOWS\system32\install_dlportio.bat
2008-04-08 08:33:01	   176 --a----c- C:\WINDOWS\system32\status_dlportio.bat
2008-04-08 08:33:00	 27460 --a----c- C:\WINDOWS\system32\loaddrv.exe
2008-04-08 08:33:00	 34816 --a----c- C:\WINDOWS\system32\Dlportio.dll <Not Verified; Scientific Software Tools, Inc.; DriverLINX Port I/O Driver>
2008-04-08 08:33:00	  3584 --a----c- C:\WINDOWS\Dlportio.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LANDeskInvenVNCRyClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [04/01/2008 07:39 PM]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [05/02/2008 10:32 AM]
"SDClientMoniVNCR"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmoniVNCR.exe" [29/11/2007 11:40 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [14/09/2007 10:32 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [14/09/2007 10:32 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [14/09/2007 08:29 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 05:22 PM]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [11/05/2007 03:08 AM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 05:06 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [13/07/2006 09:12 AM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [03/08/2007 04:09 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [05/01/2007 06:36 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [16/10/2007 08:50 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [08/05/2007 04:24 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 AM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [23/04/2007 11:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [11/09/2006 05:40 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [18/04/2008 11:16 AM]
"Windows Live FolderShare"="C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe" [15/04/2008 02:15 PM]
"tsc"="C:\DOCUME~1\joe~1.smt\LOCALS~1\Temp\tsc.exe" []

C:\Documents and Settings\joe.smith\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [02/10/2007 1:16:42 PM]
X1 System Tray.lnk - C:\Program Files\X1\X1Systray.exe [30/05/2008 10:10:54 AM]
X1.lnk - C:\Program Files\X1\X1.exe [30/05/2008 10:10:54 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [02/10/2007 1:16:42 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideShutdownScripts"=1 (0x1)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=1 (0x1)
"HideLogoffScripts"=1 (0x1)
"RunLogonScriptSync"=1 (0x1)
"HideLogonScripts"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"Intellimenus"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN] 
IfxWlxEN.dll 03/03/2006 04:08 PM 434176 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 
LMIinit.dll 19/05/2008 03:23 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=NALDAgent_Shutdown_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NALDAgent_Startup_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\intl.corp.myworknetwork.com\SysVol\intl.corp.myworknetwork.com\scripts\VNCR\3000Bays\MCL\startup\global_startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\1]
"Script"=\\intl.corp.myworknetwork.com\SysVol\intl.corp.myworknetwork.com\scripts\VNCR\3000Bays\MCL\startup\borealis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\2]
"Script"=\\VNCRzzz61\apps\EQUITRAC\setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\3]
"Script"=\\VNCRzzz61\apps\KB903234\install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=TZMove.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=LD_InvenVNCRy_v1.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\0\0]
"Script"=\\intl.corp.myworknetwork.com\SysVol\intl.corp.myworknetwork.com\scripts\Outlook_2003_Registry_Fixes.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\0]
"Script"=\\intl.corp.myworknetwork.com\netlogon\VNCR\3000Bays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\1]
"Script"=\\intl.corp.myworknetwork.com\netlogon\VNCR\3000Bays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\2]
"Script"=\\intl.corp.myworknetwork.com\SysVol\intl.corp.myworknetwork.com\scripts\VNCR\3000Bays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\3]
"Script"=\\intl.corp.myworknetwork.com\NETLOGON\VNCR\3000Bays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\0]
"Script"=\\intl.corp.myworknetwork.com\netlogon\VNCR\3000Bays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\1]
"Script"=\\intl.corp.myworknetwork.com\netlogon\VNCR\3000Bays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\2]
"Script"=\\intl.corp.myworknetwork.com\SysVol\intl.corp.myworknetwork.com\scripts\VNCR\3000Bays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\3]
"Script"=\\intl.corp.myworknetwork.com\NETLOGON\VNCR\3000Bays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad784fea-31a2-11dd-bf2e-001641b9b85d}]
AuVNCRun\command- G:\_MyPendrive\MyPendrive.exe
MyPendrive\command- G:\_MyPendrive\MyPendrive.exe
progr0\command- G:\CD_ROOT\CD_Start.exe




-- End of Deckard's System Scanner: finished at 2008-07-06 13:31:35 ------------

DSS Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU		   T2400  @ 1.83GHz
CPU 1: Genuine Intel(R) CPU		   T2400  @ 1.83GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 2039.36 MiB / 1257.32 MiB
Pagefile Memory (total/avail): 2926.32 MiB / 2353.28 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.09 MiB

C: is Fixed (NTFS) - 18.63 GiB total, 8.68 GiB free. 
D: is Fixed (NTFS) - 37.27 GiB total, 14.66 GiB free. 
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST96812AS - 55.9 GiB - 2 partitions
  \PARTITION0 (bootable) - Installable File System - 18.63 GiB - C:
  \PARTITION1 - Installable File System - 37.27 GiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\cba\\pds.exe"="C:\\WINDOWS\\system32\\CBA\\pds.exe:*:enabled:LANDesk(R) Ping Discovery Service"
"C:\\WINDOWS\\system32\\msgsys.exe"="C:\\WINDOWS\\system32\\msgsys.exe:*:Enabled:LANDesk Message Service"
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"="C:\\Program Files\\LANDesk\\LDClient\\issuser.exe:*:Enabled:LANDesk Remote Control Agent"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:enabled:LANDesk(R) Targeted Multicast Client"
"%windir%\\system32\\msgsys.exe"="%windir%\\system32\\msgsys.exe:*:enabled:LANDesk(R) CBA Message System"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Documents and Settings\\joe.smith\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"="C:\\Documents and Settings\\joe.smith\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk(R) Management Agent"
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"="C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe:*:Enabled:XDDClient"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\CBA\\pds.exe"="C:\\WINDOWS\\system32\\CBA\\pds.exe:*:enabled:LANDesk(R) Ping Discovery Service"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:enabled:LANDesk(R) Targeted Multicast Client"
"%windir%\\system32\\msgsys.exe"="%windir%\\system32\\msgsys.exe:*:enabled:LANDesk(R) CBA Message System"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\joe.smith\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"="C:\\Documents and Settings\\joe.smith\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk(R) Management Agent"
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"="C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe:*:Enabled:XDDClient"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\joe.smith\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=vncrltd-NXP7529
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\joe.smith
LDMS_LOCAL_DIR=C:\Program Files\LANDesk\LDClient\Data
LOGONSERVER=\\TORGDC03
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\joe~1.smt\LOCALS~1\Temp
TMP=C:\DOCUME~1\joe~1.smt\LOCALS~1\Temp
USERDNSDOMAIN=intl.corp.mynetwork.COM
USERDOMAIN=IPGNA
USERNAME=joe.smith
USERPROFILE=C:\Documents and Settings\joe.smith
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

joe.smith (admin)
robertsdadmin (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
 --> MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
 --> MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
 --> MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
 --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
 --> MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
A-PDF Text Extractor 1.1 --> "C:\Program Files\A-PDF Text Extractor\unins000.exe"
AC3File (remove only) --> C:\Program Files\AC3File\uninstall.exe
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{786547F9-59BB-4FA3-B2D8-327FF1F14870}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Agere Systems HDA Modem --> agrsmdel
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
ArmKeys --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ArmKeys\ST6UNST.LOG"  
ArmKeys (C:\Program Files\ArmKeys\) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ArmKeys\ST6UNST.000"  
ArmKeys (C:\Program Files\ArmKeys\) #3 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ArmKeys\ST6UNST.001"  
AuthenTec Fingerprint Sensor Minimum Install --> MsiExec.exe /I{F42051C0-6158-4656-BEF4-C43D5C480DC0}
BlackBerry Desktop Software 4.2.2 --> MsiExec.exe /i{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
BlackBerry Desktop Software 4.2.2 --> MsiExec.exe /I{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
Broadcom 802.11 Wireless LAN Adapter --> "C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Broadcom\Broadcom 802.11\Driver"
Broadcom NetXtreme Ethernet Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
coverXP (remove only) --> "C:\Program Files\coverXP\cxp-uninst.exe"
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
DrillDraw version 6.1.3.5 --> MsiExec.exe /X{737FB382-23E4-480C-941F-A5726A2711D6}
DVD Ripper Platinum 4 --> C:\Program Files\ImTOO\DVD Ripper Platinum 4\Uninstall.exe
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Equitrac Office Client HF-152119 --> MsiExec.exe /I{CA5CC83C-BFBB-41F1-84E0-714102319CDB}
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
FolderMatch v3.4.8 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\FolderMatch\ST6UNST.LOG"  
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Garmin WebUpdater --> MsiExec.exe /X{366FFC89-C800-4366-B903-B9C4314109A5}
GEUS Event Log --> MsiExec.exe /X{C0393250-2835-4975-8450-EBAEEB93D17A}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Hackman Suite --> "C:\Program Files\TechnoLogismiki\Hackman\Uninstall.exe" "C:\Program Files\TechnoLogismiki\Hackman\install.log" -u
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Broadband Wireless Modules --> MsiExec.exe /X{773D6C77-4A5A-45C4-B4DE-3B6DAB4785BC}
HP Embedded Security for ProtectTools --> MsiExec.exe /I{4BA3DDD4-BC91-48B2-8896-7A02C34829D7}
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP ProtectTools Security Manager --> MsiExec.exe /I{2DB165DC-DDB4-403F-B985-19F3EC7D0357}
HP Quick Launch Buttons 6.40 B2 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
jZip --> C:\Program Files\jZip\Uninstall.exe C:\PROGRA~1\jZip\UNWISE.EXE C:\PROGRA~1\jZip\INSTALL.LOG
LANDesk Advance Agent --> MsiExec.exe /I{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}
LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Mail.com Alert --> C:\Program Files\mail.com\uninst.exe
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Mega Manager --> C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{91510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Mozilla Firefox (2.0.0.15) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 8 Micro v8.0.3.0 --> "C:\Program Files\Nero\unins000.exe"
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe"  -uninst 
O&O Defrag Professional Edition --> MsiExec.exe /I{53480330-E1D1-41CA-B8F8-7F78644F7F50}
OnStage DVD for Powerpoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E98D76BD-AB31-4D3E-9EA3-5C9922191618}\Setup.exe" -l0x9 
Q-bert (remove only) --> "C:\Program Files\Sony Online Entertainment\Q-bert\Uninstall Q-bert.exe"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033 
Real Alternative 1.8.0 --> "C:\Program Files\Real Alternative\unins000.exe"
Replay Media Catcher --> "C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
Replay Media Catcher --> "C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
Roxio Media Manager --> MsiExec.exe /X{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
SlingPlayer --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{004B0DCB-4C60-465B-8F01-44B0A4111187} /l1033 
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9  -removeonly
SWF & FLV Toolbox 3.5 (build 3.5.19.275) --> "C:\Program Files\Eltima Software\SWF & FLV Toolbox\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
SyncToy 2.0 Beta --> MsiExec.exe /I{F3666943-0411-41D1-8015-8B572B6E91A7}
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{48CF6549-B45D-4313-9927-EFCCC8A3493F} /l1033 
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}\setup.exe -runfromtemp -l0x0409
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Ultra Mobile 3GP Video Converter 3.9.1120 --> "C:\Program Files\Ultra Mobile 3GP Video Converter\unins000.exe"
UltraISO Premium V8.66 --> "C:\Program Files\UltraISO\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Studio 2005 Tools for Office Second Edition Runtime --> C:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
WinAVIVideoConverter --> "C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live FolderShare Beta --> MsiExec.exe /X{FE434300-A311-4BE1-93BA-B74BC8C4017B}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
X1 --> "C:\Program Files\X1\X1.exe" -uninstall
XML Paper Specification Shared Components Pack 1.0 --> 


-- Application Event Log -------------------------------------------------------

Event Record #/Type15589 / Error
Event Submitted/Written: 07/06/2008 01:13:48 PM
Event ID/Source: 25 / Inventory Scanner
Event Description:
LDIScn32: Failed to resolve the Host Name.

Event Record #/Type15586 / Error
Event Submitted/Written: 07/06/2008 00:58:39 PM
Event ID/Source: 25 / Inventory Scanner
Event Description:
LDIScn32: Failed to resolve the Host Name.

Event Record #/Type15585 / Error
Event Submitted/Written: 07/06/2008 00:58:09 PM
Event ID/Source: 25 / Inventory Scanner
Event Description:
LDIScn32: Failed to resolve the Host Name.

Event Record #/Type15582 / Error
Event Submitted/Written: 07/06/2008 11:26:49 AM
Event ID/Source: 25 / Inventory Scanner
Event Description:
LDIScn32: Failed to resolve the Host Name.

Event Record #/Type15577 / Error
Event Submitted/Written: 07/06/2008 11:04:35 AM
Event ID/Source: 25 / Inventory Scanner
Event Description:
LDIScn32: Failed to resolve the Host Name.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type84867 / Error
Event Submitted/Written: 07/06/2008 01:31:30 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type84866 / Warning
Event Submitted/Written: 07/06/2008 01:31:30 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type84865 / Warning
Event Submitted/Written: 07/06/2008 01:31:30 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Gigabit Ethernet: The network link is down.  Check to make sure the network cable is properly connected.

Event Record #/Type84833 / Error
Event Submitted/Written: 07/06/2008 01:13:29 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type84832 / Warning
Event Submitted/Written: 07/06/2008 01:13:29 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.



-- End of Deckard's System Scanner: finished at 2008-07-06 13:31:35 ------------

Thanks Bill

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:34 PM

Posted 11 July 2008 - 07:01 AM

Hello, I'm so sorry. I have no idea how I missed your reply. I'm taking a look at your logs right now :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 bmillion

bmillion
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:34 PM

Posted 11 July 2008 - 09:24 AM

Thanks Bill :thumbsup:

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:34 PM

Posted 13 July 2008 - 12:25 PM

Hello, Bmillion.

It appears that both your logs have been altered in some way. In the first log, many places have been changed to XXXXXXXXXXXX, and in the second log, many places repeat joe.smith over and over. Some places in the logs appear to say VNC over and over and over again.

Do you know what's going on here?

Also, is this a business machine?

Billy3

#7 bmillion

bmillion
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:34 PM

Posted 13 July 2008 - 03:10 PM

Yeah, Bill. I altered them. If my company finds out, I'm in big doodoo.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:34 PM

Posted 14 July 2008 - 06:42 PM

Hello, bmillion.

Alright. Just know that I can't guarantee anything if you have modified an important line.
You should also note the following:
All information and instructions given within these forums is to be used at your own risk. By following or using any of this information you give up the right to hold BleepingComputer.com liable for any damages.

We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 14 July 2008 - 06:43 PM.


#9 bmillion

bmillion
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:34 PM

Posted 15 July 2008 - 01:01 PM

Combofix log:

ComboFix 08-07-14.2 - joe.smith 2008-07-15 13:22:45.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1368 [GMT -4:00]
Running from: C:\Documents and Settings\joe.smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joe.smith\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://VNCRapp61
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 13:26 . 2008-07-15 13:26	90,112	--a------	C:\WINDOWS\system32\WOEM_3_2awoem.tmp
2008-07-14 13:11 . 2008-07-14 13:11	<DIR>	d--------	C:\Documents and Settings\joe.smith\Application Data\AQUATRA
2008-07-14 12:14 . 2008-07-14 12:14	<DIR>	d--------	C:\Program Files\XnView
2008-07-14 12:14 . 2008-07-14 12:15	<DIR>	d--------	C:\Documents and Settings\joe.smith\Application Data\XnView
2008-07-13 16:57 . 2008-07-14 08:03	<DIR>	d--------	C:\Program Files\Magic MP3 Tagger
2008-07-13 16:15 . 2008-07-13 18:31	<DIR>	d--------	C:\Program Files\MediaMonkey
2008-07-13 16:03 . 2008-07-13 18:54	<DIR>	d--------	C:\Documents and Settings\joe.smith\Application Data\LimeWire
2008-07-13 16:03 . 2008-07-13 16:03	<DIR>	d--------	C:\Documents and Settings\joe.smith\.limewire
2008-07-13 16:02 . 2008-07-13 16:02	<DIR>	d--------	C:\Program Files\LimeWire
2008-07-06 13:27 . 2008-07-06 13:27	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-01 18:38 . 2008-07-01 18:38	268	--ah-----	C:\sqmdata00.sqm
2008-07-01 18:38 . 2008-07-01 18:38	244	--ah-----	C:\sqmnoopt00.sqm
2008-06-25 15:03 . 2008-06-25 15:03	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-25 15:02 . 2008-06-25 15:02	<DIR>	d--------	C:\Program Files\Sony Online Entertainment
2008-06-25 15:02 . 2008-06-25 15:02	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Sony Online Entertainment
2008-06-19 12:21 . 2008-06-19 12:21	<DIR>	d--------	C:\Program Files\A-PDF Text ExtracVNCR
2008-06-19 12:19 . 2008-06-19 12:22	<DIR>	d--------	C:\Program Files\Freeware PDF Unlocker
2008-06-17 09:53 . 2005-11-21 01:48	45,056	--a------	C:\WINDOWS\system32\WNASPI32.DLL
2008-06-17 09:53 . 2005-11-21 01:48	16,512	--a------	C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-17 09:52 . 2008-06-17 09:52	<DIR>	d--------	C:\Program Files\ImTOO
2008-06-17 08:59 . 2008-06-17 09:51	<DIR>	d--------	C:\Program Files\Ultra DVD Ripper
2008-06-17 08:59 . 2008-06-17 09:08	<DIR>	d--------	C:\Documents and Settings\joe.smith\.dvdcss
2008-06-17 08:40 . 2008-06-17 08:40	<DIR>	d--------	C:\Program Files\DVD Shrink
2008-06-17 08:40 . 2008-06-17 08:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-17 08:34 . 2008-06-17 08:36	172	--a------	C:\WINDOWS\system32\test.aok

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 17:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\vulScan
2008-07-15 12:12	---------	d-----w	C:\Program Files\LogMeIn
2008-07-14 17:18	---------	d-----w	C:\Program Files\Replay Media Catcher
2008-07-14 17:15	---------	d-----w	C:\Program Files\DrillDraw 6
2008-07-07 01:37	---------	d-----w	C:\Program Files\mail.com
2008-07-03 03:08	286,720	------w	C:\WINDOWS\Setup1.exe
2008-06-17 13:53	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\dvdcss
2008-06-12 12:31	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-06-12 12:31	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\SUPERAntiSpyware.com
2008-06-12 12:28	---------	d-----w	C:\Program Files\DivX
2008-06-12 12:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-12 11:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-10 19:36	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Eltima Software
2008-06-10 19:35	---------	d-----w	C:\Program Files\Eltima Software
2008-06-10 19:35	---------	d-----w	C:\Program Files\Common Files\Eltima Shared
2008-06-10 19:33	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 18:52	---------	d-----w	C:\Program Files\Real Alternative
2008-06-10 18:49	---------	d-----w	C:\Program Files\WinAVIVideoConverter
2008-06-10 14:58	---------	d-----w	C:\Program Files\Windows Desktop Search
2008-06-10 13:57	---------	d-----w	C:\Program Files\WMR11
2008-06-06 18:25	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-06-06 18:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 16:01	---------	d-----w	C:\Program Files\Ultra Mobile 3GP Video Converter
2008-06-03 21:37	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-06-03 16:34	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Roxio
2008-06-03 16:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-03 16:04	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-03 14:24	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Blackberry Desktop
2008-06-03 14:22	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Research In Motion
2008-06-03 14:16	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2008-06-03 14:15	---------	d-----w	C:\Program Files\Roxio
2008-06-03 14:15	---------	d-----w	C:\Program Files\Common Files\Roxio Shared
2008-06-03 14:11	---------	d-----w	C:\Program Files\Common Files\Research In Motion
2008-06-03 11:51	---------	d-----w	C:\Program Files\WinMX
2008-06-03 11:50	---------	d-----w	C:\Program Files\Java
2008-06-03 11:50	---------	d-----w	C:\Program Files\Google
2008-06-01 14:35	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\SuperBot
2008-05-31 20:29	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\WebStripper
2008-05-31 20:15	---------	d-----w	C:\Program Files\Solent
2008-05-31 02:43	---------	d-----w	C:\Program Files\Common Files\Macrovision Shared
2008-05-31 01:53	---------	d-----w	C:\Program Files\CamStudio
2008-05-30 14:11	---------	d-----w	C:\Program Files\X1
2008-05-30 14:11	---------	d-----w	C:\Program Files\Stellant
2008-05-26 20:58	---------	d-----w	C:\Program Files\infallsoft
2008-05-21 18:22	---------	d-----w	C:\Program Files\AT&W
2008-05-21 18:09	---------	d-----w	C:\Program Files\Windows Media Components
2008-05-21 18:06	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-21 18:06	---------	d-----w	C:\Program Files\Visible Light
2008-05-21 14:20	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Apple Computer
2008-01-04 18:08	13	-c--a-w	C:\Program Files\borealisuser.config
2007-08-09 18:08	8,784	-c--a-w	C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10	245,408	-c--a-w	C:\Program Files\mozilla firefox\plugins\unicows.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-18 11:16 160592]
"Windows Live FolderShare"="C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe" [2008-04-15 14:15 925728]
"Mail.com"="C:\Program Files\mail.com\mcalert.exe" [2007-06-25 04:14 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LANDeskInvenVNCRyClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2008-01-04 19:39 1024000]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [2008-02-05 10:32 1118208]
"SDClientMoniVNCR"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmoniVNCR.exe" [2007-11-29 11:40 262144]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-14 10:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-14 10:32 166424]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 20:29 102400]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 03:08 2512392]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 05:06 136768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 18:36 872448]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 20:50 111952]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]

C:\Documents and Settings\joe.smith\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 13:16:42 1283608]
X1 System Tray.lnk - C:\Program Files\X1\X1Systray.exe [2008-05-30 10:10:54 88064]
X1.lnk - C:\Program Files\X1\X1.exe [2008-05-30 10:10:54 14037784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 13:16:42 1283608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"HideShutdownScripts"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"Intellimenus"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 16:08 434176 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=NALDAgent_Shutdown_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NALDAgent_Startup_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\VNCR\3000bays\MCL\startup\global_startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\1]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\VNCR\3000bays\MCL\startup\borealis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\2]
"Script"=\\VNCRzzz61\apps\EQUITRAC\setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\3]
"Script"=\\VNCRzzz61\apps\KB903234\install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=TZMove.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=LD_InvenVNCRy_v1.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\0\0]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\Outlook_2003_Registry_Fixes.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\0]
"Script"=\\intl.corp.mynetwork.com\netlogon\VNCR\3000bays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\1]
"Script"=\\intl.corp.mynetwork.com\netlogon\VNCR\3000bays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\2]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\VNCR\3000bays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\3]
"Script"=\\intl.corp.mynetwork.com\NETLOGON\VNCR\3000bays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\0]
"Script"=\\intl.corp.mynetwork.com\netlogon\VNCR\3000bays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\1]
"Script"=\\intl.corp.mynetwork.com\netlogon\VNCR\3000bays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\2]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\VNCR\3000bays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\3]
"Script"=\\intl.corp.mynetwork.com\NETLOGON\VNCR\3000bays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\CBA\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\joe.smith\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2005-11-29 17:56]
R2 CBA8;LANDesk(R) Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 12:03]
R2 DLPORTIO;DLPORTIO;C:\WINDOWS\DLPORTIO.sys [2008-04-08 08:33]
R2 EQSharedEngine;EQ Shared Engine;C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe [2007-07-25 16:31]
R2 LDXDD;LANDesk(R) Extended device discovery service;C:\Program Files\LANDesk\LDClient\xddclient.exe [2007-04-17 07:19]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 Softmon;LANDesk(R) Software MoniVNCRing Service;C:\PROGRA~1\LANDesk\LDClient\softmon.exe [2007-11-15 12:50]
R2 SWIHPWMI;SWIHPWMI;C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 17:13]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 18:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 12:19]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 18:48]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 18:48]
R3 WOEM_3_2a;WinPcap Packet Driver (WOEM_3_2a);C:\WINDOWS\system32\drivers\WOEM_3_2a.sys []
S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 18:48]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2005-03-09 11:50]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 TPPWRIF;TPPWRIF;C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys [2006-09-21 17:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad784fea-31a2-11dd-bf2e-001641b9b85d}]
\Shell\AuVNCRun\command - G:\_MyPendrive\MyPendrive.exe
\Shell\MyPendrive\command - G:\_MyPendrive\MyPendrive.exe
\Shell\progr0\command - G:\CD_ROOT\CD_Start.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detecVNCR by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 13:26:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\PROGRA~1\LANDesk\LDClient\collecVNCR.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\LANDesk\LDClient\SoftMon.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-07-15 13:31:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-15 17:30:48

Pre-Run: 9,033,601,024 bytes free
Post-Run: 8,997,060,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

288	--- E O F ---	2008-04-01 21:32:32

Was not able to shut AV down.

Thanks Bill

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:34 PM

Posted 15 July 2008 - 01:35 PM

Hello, bmillion.
I do note: If I give you any scripts, you have to REVERSE whatever find and replace you're doing on these logs. I can't point the tools in the right direction if the logs have been tampered with. Also note that I can't make any promises about this machine with altered logs. Garbage in, garbage out.

Stuff like this:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\1]
"Script"=\\intl.corp.mynetwork.com\netlogon\VNCR\3000bays\MCL\logon\firefox\firefox_install.exe

Lines where half the entries have had replacements are difficult or impossible for me to diagnose correctly.

Just an FYI: modification of your logs is a really bad idea. It's not like your company's IT Department spends hours and hours combing BC.com for their employees.

You have a Peer-To-Peer program installed.
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case Limewire). These programs allow users to share files between each other, as the name(s) suggest. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

You appear to have Remote Control application(s) installed
In your case, this is referring to:
LogMeIn
Remote control programs allow complete control of your machine as if you are sitting in front of it, even if you are in some distant location. While this can be a good thing, we need to make sure that this software was installed for a benign purpose, and not for a malicious one. If an attacker installed one of these programs, it would allow them to remotely control your computer, steal critical system information and download and execute files.

If you have this application installed on purpose, then you can safely ignore this warning. But if you didn't install these applications, please remove them from Add/Remove Programs now.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    AND REPLACE joe.smith with what it really is!!
    http://www.bleepingcomputer.com/forums/t/151717/please-review-my-logs-not-sure-if-i-have-a-bug/
    
    suspect::[54]
    C:\WINDOWS\Setup1.exe
    C:\WINDOWS\DLPORTIO.sys
    C:\ComboFix.txt
    
    dirlook::
    C:\Documents and Settings\joe.smith\Application Data\SuperBot
    C:\Documents and Settings\joe.smith\Application Data\WebStripper
    
    driver::
    WOEM_3_2a
    NSNDIS5
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
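The post above asks two triage questions of the logs: is the remote-control software (LogMeIn) expected, and is anything loading from an unusual place. As an added example for this thread (my own code, not ComboFix's, BleepingComputer's or the Malware Response Team's), the script below parses the two line shapes quoted in the logs, the `"Name"="path" [date time size]` lines under "Reg Loading Points" and the `R2 name;description;path [date]` driver/service lines, and flags entries a responder would ask the poster about. The watch lists, the trusted directory prefixes and the LimeWire autorun line are assumptions constructed for the example; the other sample lines are copied from the logs in this thread.

```python
"""Triage helper for ComboFix-style autorun and service listings.

Added example for this thread, not part of ComboFix or any team's tooling.
Watch lists, trusted prefixes and the LimeWire sample line are assumptions.
"""
import re
from dataclasses import dataclass, field

# `"Name"="path" [date time size]` as printed under "Reg Loading Points".
AUTORUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]\s*$')
# `R2 name;description;path [date time]` as printed for drivers/services.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$'
)

# Assumed watch lists: substrings matched case-insensitively against the
# entry name, its description and its path.
REMOTE_CONTROL = ("logmein", "teamviewer", "radmin", "vnc")
PEER_TO_PEER = ("limewire", "winmx", "emule", "bittorrent")
# Assumed "expected" install locations; anything else gets a second look.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files", r"c:\progra~1")


@dataclass
class Entry:
    kind: str            # "autorun" or "service"
    name: str
    path: str
    meta: str            # date/time/size inside the brackets, "" if absent
    flags: list = field(default_factory=list)


def flags_for(name: str, desc: str, path: str, meta: str) -> list:
    """Return the review flags for one entry (empty list means nothing notable)."""
    haystack = f"{name} {desc} {path}".lower()
    flags = []
    if any(k in haystack for k in REMOTE_CONTROL):
        flags.append("remote-control")
    if any(k in haystack for k in PEER_TO_PEER):
        flags.append("p2p")
    if not path.lower().startswith(TRUSTED_PREFIXES):
        flags.append("outside-program-dirs")
    if not meta.strip():
        # ComboFix printed "[]": no file date/size could be read for the image.
        flags.append("no-file-metadata")
    return flags


def parse_log(text: str) -> list:
    """Extract autorun and service entries; key headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = AUTORUN_RE.match(line)
        if m:
            e = Entry("autorun", m["name"], m["path"], m["meta"])
            e.flags = flags_for(e.name, "", e.path, e.meta)
            entries.append(e)
            continue
        m = SERVICE_RE.match(line)
        if m:
            e = Entry("service", m["name"], m["path"], m["meta"])
            e.flags = flags_for(e.name, m["desc"], e.path, e.meta)
            entries.append(e)
    return entries


def entries_needing_review(text: str) -> dict:
    """Map entry name -> flags for every entry that raised at least one flag."""
    return {e.name: e.flags for e in parse_log(text) if e.flags}


# Sample input: lines copied from the logs in this thread, plus one constructed
# LimeWire autorun entry (the thread shows LimeWire installed but no Run key).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Windows Live FolderShare"="C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe" [2008-04-15 14:15 925728]
"LimeWire On Startup"="C:\Program Files\LimeWire\LimeWire.exe" [2008-07-13 16:02 123456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R3 WOEM_3_2a;WinPcap Packet Driver (WOEM_3_2a);C:\WINDOWS\system32\drivers\WOEM_3_2a.sys []
S3 TPPWRIF;TPPWRIF;C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys [2006-09-21 17:53]
"""

if __name__ == "__main__":
    for name, flags in entries_needing_review(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

Run it as-is to see the flagged entries from the sample; point `parse_log` at a full ComboFix.txt to triage a real log. A flag is a question to ask the user, not a verdict: LogMeIn is flagged here and the poster confirms it is intentional, while the `[]` entries with no readable file metadata are the kind of thing the helper looks at next.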

#11 bmillion

bmillion
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 15 July 2008 - 03:18 PM

Re-Run as you suggested.

I hear you on Limewire. I've just started to play with it.

Also logmein is on purpose. I have used it over the past year. I appreciate your feedback on it.

ComboFix 08-07-14.2 - joe.smith 2008-07-15 15:47:08.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1455 [GMT -4:00]
Running from: C:\Documents and Settings\joe.smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joe.smith\Desktop\CFScript.txt
 * Created a new restore point
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NSNDIS5
-------\Legacy_WOEM_3_2A
-------\Service_NSNDIS5
-------\Service_WOEM_3_2a


(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 15:51 . 2008-07-15 15:51	90,112	--a------	C:\WINDOWS\system32\WOEM_3_2awoem.tmp
2008-07-14 13:11 . 2008-07-14 13:11	<DIR>	d--------	C:\Documents and Settings\joe.smith\Application Data\AQUATRA
2008-07-14 12:14 . 2008-07-14 12:14	<DIR>	d--------	C:\Program Files\XnView
2008-07-14 12:14 . 2008-07-14 12:15	<DIR>	d--------	C:\Documents and Settings\joe.smith\Application Data\XnView
2008-07-13 16:57 . 2008-07-14 08:03	<DIR>	d--------	C:\Program Files\Magic MP3 Tagger
2008-07-13 16:15 . 2008-07-13 18:31	<DIR>	d--------	C:\Program Files\MediaMonkey
2008-07-13 16:03 . 2008-07-13 18:54	<DIR>	d--------	C:\Documents and Settings\joe.smith\Application Data\LimeWire
2008-07-13 16:03 . 2008-07-13 16:03	<DIR>	d--------	C:\Documents and Settings\joe.smith\.limewire
2008-07-13 16:02 . 2008-07-13 16:02	<DIR>	d--------	C:\Program Files\LimeWire
2008-07-06 13:27 . 2008-07-06 13:27	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-01 18:38 . 2008-07-01 18:38	268	--ah-----	C:\sqmdata00.sqm
2008-07-01 18:38 . 2008-07-01 18:38	244	--ah-----	C:\sqmnoopt00.sqm
2008-06-25 15:03 . 2008-06-25 15:03	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-25 15:02 . 2008-06-25 15:02	<DIR>	d--------	C:\Program Files\Sony Online Entertainment
2008-06-25 15:02 . 2008-06-25 15:02	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Sony Online Entertainment
2008-06-19 12:21 . 2008-06-19 12:21	<DIR>	d--------	C:\Program Files\A-PDF Text Extractor
2008-06-19 12:19 . 2008-06-19 12:22	<DIR>	d--------	C:\Program Files\Freeware PDF Unlocker
2008-06-17 09:53 . 2005-11-21 01:48	45,056	--a------	C:\WINDOWS\system32\WNASPI32.DLL
2008-06-17 09:53 . 2005-11-21 01:48	16,512	--a------	C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-17 09:52 . 2008-06-17 09:52	<DIR>	d--------	C:\Program Files\ImTOO
2008-06-17 08:59 . 2008-06-17 09:51	<DIR>	d--------	C:\Program Files\Ultra DVD Ripper
2008-06-17 08:59 . 2008-06-17 09:08	<DIR>	d--------	C:\Documents and Settings\joe.smith\.dvdcss
2008-06-17 08:40 . 2008-06-17 08:40	<DIR>	d--------	C:\Program Files\DVD Shrink
2008-06-17 08:40 . 2008-06-17 08:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-17 08:34 . 2008-06-17 08:36	172	--a------	C:\WINDOWS\system32\test.aok

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 19:50	---------	d-----w	C:\Documents and Settings\All Users\Application Data\vulScan
2008-07-15 12:12	---------	d-----w	C:\Program Files\LogMeIn
2008-07-14 17:18	---------	d-----w	C:\Program Files\Replay Media Catcher
2008-07-14 17:15	---------	d-----w	C:\Program Files\DrillDraw 6
2008-07-07 01:37	---------	d-----w	C:\Program Files\mail.com
2008-07-03 03:08	286,720	------w	C:\WINDOWS\Setup1.exe
2008-06-17 13:53	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\dvdcss
2008-06-12 12:31	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-06-12 12:31	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\SUPERAntiSpyware.com
2008-06-12 12:28	---------	d-----w	C:\Program Files\DivX
2008-06-12 12:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-12 11:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-10 19:36	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Eltima Software
2008-06-10 19:35	---------	d-----w	C:\Program Files\Eltima Software
2008-06-10 19:35	---------	d-----w	C:\Program Files\Common Files\Eltima Shared
2008-06-10 19:33	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 18:52	---------	d-----w	C:\Program Files\Real Alternative
2008-06-10 18:49	---------	d-----w	C:\Program Files\WinAVIVideoConverter
2008-06-10 14:58	---------	d-----w	C:\Program Files\Windows Desktop Search
2008-06-10 13:57	---------	d-----w	C:\Program Files\WMR11
2008-06-06 18:25	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-06-06 18:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 16:01	---------	d-----w	C:\Program Files\Ultra Mobile 3GP Video Converter
2008-06-03 21:37	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-06-03 16:34	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Roxio
2008-06-03 16:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-03 16:04	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-03 14:24	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Blackberry Desktop
2008-06-03 14:22	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Research In Motion
2008-06-03 14:16	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2008-06-03 14:15	---------	d-----w	C:\Program Files\Roxio
2008-06-03 14:15	---------	d-----w	C:\Program Files\Common Files\Roxio Shared
2008-06-03 14:11	---------	d-----w	C:\Program Files\Common Files\Research In Motion
2008-06-03 11:51	---------	d-----w	C:\Program Files\WinMX
2008-06-03 11:50	---------	d-----w	C:\Program Files\Java
2008-06-03 11:50	---------	d-----w	C:\Program Files\Google
2008-06-01 14:35	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\SuperBot
2008-05-31 20:29	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\WebStripper
2008-05-31 20:15	---------	d-----w	C:\Program Files\Solent
2008-05-31 02:43	---------	d-----w	C:\Program Files\Common Files\Macrovision Shared
2008-05-31 01:53	---------	d-----w	C:\Program Files\CamStudio
2008-05-30 14:11	---------	d-----w	C:\Program Files\X1
2008-05-30 14:11	---------	d-----w	C:\Program Files\Stellant
2008-05-26 20:58	---------	d-----w	C:\Program Files\infallsoft
2008-05-21 18:22	---------	d-----w	C:\Program Files\AT&W
2008-05-21 18:09	---------	d-----w	C:\Program Files\Windows Media Components
2008-05-21 18:06	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-21 18:06	---------	d-----w	C:\Program Files\Visible Light
2008-05-21 14:20	---------	d-----w	C:\Documents and Settings\joe.smith\Application Data\Apple Computer
2008-01-04 18:08	13	-c--a-w	C:\Program Files\borealisuser.config
2007-08-09 18:08	8,784	-c--a-w	C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10	245,408	-c--a-w	C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\joe.smith\Application Data\SuperBot ----

2008-05-31 22:59	35	--a------	C:\Documents and Settings\joe.smith\Application Data\SuperBot\Queue\Queue.ini 
2008-05-31 22:59	1468	--a------	C:\Documents and Settings\joe.smith\Application Data\SuperBot\Queue\1.SCJ 
2008-05-31 16:30	1327	--a------	C:\Documents and Settings\joe.smith\Application Data\SuperBot\Templates\Download entire website.SCJ 
2008-05-31 16:30	1327	--a------	C:\Documents and Settings\joe.smith\Application Data\SuperBot\Templates\Download a single web page.SCJ 
2008-05-31 16:30	1326	--a------	C:\Documents and Settings\joe.smith\Application Data\SuperBot\Templates\Download a single file.SCJ 

---- Directory of C:\Documents and Settings\joe.smith\Application Data\WebStripper ----

2008-05-31 16:30	303	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\Data.dat 
2008-05-31 16:30	1728	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\Globals.dat 
2008-05-31 16:30	11	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\Log.log 
2008-05-31 16:30	0	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\rss.dat 
2008-05-31 16:29	60	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\history.dat 
2008-05-31 16:29	1558	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\Sites.dat 
2008-05-31 16:29	1284	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\NewData.dat 
2008-05-31 16:15	95	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\html\styles.css 
2008-05-31 16:15	5778	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\html\welcome.html 
2008-05-31 16:15	5710	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\html\welcome.mhtml 
2008-05-31 16:15	3683	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\water.gif 
2008-05-31 16:15	3313	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\rss2.xml 
2008-05-31 16:15	21024	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\rss.xml 
2007-08-07 21:07	1228	--a------	C:\Documents and Settings\joe.smith\Application Data\WebStripper\NewData.bak 


(((((((((((((((((((((((((((((   snapshot@2008-07-15_13.30.37.12   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-14 02:15:46	72,946	----a-w	C:\WINDOWS\system32\perfc009.dat
+ 2008-07-15 17:30:52	72,946	----a-w	C:\WINDOWS\system32\perfc009.dat
- 2008-07-14 02:15:46	445,298	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-07-15 17:30:52	445,298	----a-w	C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-18 11:16 160592]
"Windows Live FolderShare"="C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe" [2008-04-15 14:15 925728]
"Mail.com"="C:\Program Files\mail.com\mcalert.exe" [2007-06-25 04:14 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LANDeskInventoryClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2008-01-04 19:39 1024000]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [2008-02-05 10:32 1118208]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2007-11-29 11:40 262144]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-14 10:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-14 10:32 166424]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 20:29 102400]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 03:08 2512392]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 05:06 136768]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 18:36 872448]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 20:50 111952]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]

C:\Documents and Settings\joe.smith\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 13:16:42 1283608]
X1 System Tray.lnk - C:\Program Files\X1\X1Systray.exe [2008-05-30 10:10:54 88064]
X1.lnk - C:\Program Files\X1\X1.exe [2008-05-30 10:10:54 14037784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 13:16:42 1283608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"HideShutdownScripts"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"Intellimenus"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 16:08 434176 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=NALDAgent_Shutdown_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NALDAgent_Startup_Production.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\TOR\3000bays\MCL\startup\global_startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\1]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\TOR\3000bays\MCL\startup\borealis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\2]
"Script"=\\torzzz61\apps\EQUITRAC\setup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\3]
"Script"=\\torzzz61\apps\KB903234\install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=TZMove.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=LD_Inventory_v1.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\0\0]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\Outlook_2003_Registry_Fixes.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\0]
"Script"=\\intl.corp.mynetwork.com\netlogon\TOR\3000bays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\1]
"Script"=\\intl.corp.mynetwork.com\netlogon\TOR\3000bays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\2]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\TOR\3000bays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-100810\Scripts\Logon\1\3]
"Script"=\\intl.corp.mynetwork.com\NETLOGON\TOR\3000bays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\0]
"Script"=\\intl.corp.mynetwork.com\netlogon\TOR\3000bays\MCL\logon\logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\1]
"Script"=\\intl.corp.mynetwork.com\netlogon\TOR\3000bays\MCL\logon\firefox\firefox_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\2]
"Script"=\\intl.corp.mynetwork.com\SysVol\intl.corp.mynetwork.com\scripts\TOR\3000bays\MCL\logon\global_login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1140292054-41296648-3127784425-63390\Scripts\Logon\0\3]
"Script"=\\intl.corp.mynetwork.com\NETLOGON\TOR\3000bays\MCL\logon\tsc.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\CBA\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\joe.smith\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\xddclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2005-11-29 17:56]
R2 CBA8;LANDesk(R) Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 12:03]
R2 DLPORTIO;DLPORTIO;C:\WINDOWS\DLPORTIO.sys [2008-04-08 08:33]
R2 EQSharedEngine;EQ Shared Engine;C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe [2007-07-25 16:31]
R2 LDXDD;LANDesk(R) Extended device discovery service;C:\Program Files\LANDesk\LDClient\xddclient.exe [2007-04-17 07:19]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 Softmon;LANDesk(R) Software Monitoring Service;C:\PROGRA~1\LANDesk\LDClient\softmon.exe [2007-11-15 12:50]
R2 SWIHPWMI;SWIHPWMI;C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 17:13]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 18:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 12:19]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 18:48]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 18:48]
S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 18:48]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2005-03-09 11:50]
S3 TPPWRIF;TPPWRIF;C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys [2006-09-21 17:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad784fea-31a2-11dd-bf2e-001641b9b85d}]
\Shell\AutoRun\command - G:\_MyPendrive\MyPendrive.exe
\Shell\MyPendrive\command - G:\_MyPendrive\MyPendrive.exe
\Shell\progr0\command - G:\CD_ROOT\CD_Start.exe

*Newly Created Service* - WOEM_3_2A
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tsc - C:\DOCUME~1\HOWARD~1.OHO\LOCALS~1\Temp\tsc.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 15:52:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\LANDesk\LDClient\SoftMon.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2008-07-15 15:56:28 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-15 19:56:19
ComboFix2.txt  2008-07-15 17:31:02

Pre-Run: 8,950,829,056 bytes free
Post-Run: 8,926,388,224 bytes free

311	--- E O F ---	2008-04-01 21:32:32

Thanks Bill

Edited by bmillion, 15 July 2008 - 03:19 PM.
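The "Reg Loading Points", firewall and MountPoints2 blocks of the log above are where a reviewer starts when asked to "review my logs". What follows is an added example, not part of the thread and not ComboFix's own code: a small Python triage script that parses those blocks from a ComboFix-style log excerpt and lists the entries a reviewer would check by hand (binaries launched from a temp or user-profile data directory, AutoRun handlers registered for a removable volume, values ComboFix already removed as orphans, and NetBIOS/SMB ports left globally open in the firewall profile). SAMPLE_LOG is constructed from lines of the log posted above; the parse/review/Entry names and the flag heuristics are this example's own. The flags are review prompts, not verdicts: this thread ends with the machine judged clean, and on a domain-joined corporate laptop several of these entries are expected.

```python
"""Triage helper for the autostart, firewall and MountPoints2 blocks of a ComboFix-style log."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the ComboFix log posted in this thread,
# cut down to the blocks the triage looks at.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Windows Live FolderShare"="C:\Documents and Settings\joe.smith\Local Settings\Application Data\FolderShare\FolderShare.exe" [2008-04-15 14:15 925728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]

C:\Documents and Settings\joe.smith\Start Menu\Programs\Startup\
X1.lnk - C:\Program Files\X1\X1.exe [2008-05-30 10:10:54 14037784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad784fea-31a2-11dd-bf2e-001641b9b85d}]
\Shell\AutoRun\command - G:\_MyPendrive\MyPendrive.exe

- - - - ORPHANS REMOVED - - - -

HKCU-Run-tsc - C:\DOCUME~1\HOWARD~1.OHO\LOCALS~1\Temp\tsc.exe
"""


@dataclass
class Entry:
    location: str                 # registry key, startup folder, or "ORPHANS REMOVED"
    name: str
    path: str
    flags: list = field(default_factory=list)


KEY_RE   = re.compile(r'^\[(.+)\]$')                    # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')           # "name"="path" [date size]
LNK_RE   = re.compile(r'^(.+?\.lnk) - (.+?)(?: \[|$)')   # Name.lnk - path [date size]
DASH_RE  = re.compile(r'^(\S+) - (.+)$')                  # \Shell\..\command - path, HKCU-Run-x - path
PORT_RE  = re.compile(r'^"(\d+):(TCP|UDP)"=')             # "445:TCP"= ...


def parse(text):
    """Return (autostart entries, globally open ports) found in the log text."""
    entries, ports, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            section = m.group(1)
        elif line.endswith('\\') and ':' in line:          # startup-folder header
            section = line
        elif 'ORPHANS REMOVED' in line:
            section = 'ORPHANS REMOVED'
        elif section and 'GloballyOpenPorts' in section:
            if (m := PORT_RE.match(line)):
                ports.append((int(m.group(1)), m.group(2)))
        elif (m := VALUE_RE.match(line)):
            entries.append(Entry(section, m.group(1), m.group(2)))
        elif section and (m := LNK_RE.match(line) or DASH_RE.match(line)):
            entries.append(Entry(section, m.group(1), m.group(2)))
    return entries, ports


# Heuristics (this example's own): where legitimate autostarts rarely live.
TEMP_RE    = re.compile(r'\\(temp|tmp)\\', re.I)
PROFILE_RE = re.compile(r'\\(documents and settings|docume~1|users)\\[^\\]+\\'
                        r'(local settings|locals~1|application data|appdata)\\', re.I)
SMB_PORTS  = {135, 137, 138, 139, 445}


def review(entries, ports):
    """Attach review flags to entries; return (flagged entries, exposed NetBIOS/SMB ports)."""
    flagged = []
    for e in entries:
        if TEMP_RE.search(e.path):
            e.flags.append('launched from a temp directory')
        if PROFILE_RE.search(e.path):
            e.flags.append('launched from a user-profile data directory')
        if 'mountpoints2' in e.location.lower():
            e.flags.append('AutoRun handler registered for a removable volume')
        if e.location == 'ORPHANS REMOVED':
            e.flags.append('already removed by ComboFix (autostart value whose target file was missing)')
        if e.flags:
            flagged.append(e)
    exposed = [(port, proto) for port, proto in ports if port in SMB_PORTS]
    return flagged, exposed


if __name__ == '__main__':
    flagged, exposed = review(*parse(SAMPLE_LOG))
    for e in flagged:
        print(f'{e.name}: {e.path}')
        for flag in e.flags:
            print('   -', flag)
    print('globally open NetBIOS/SMB ports:', exposed)
```

Run against the excerpt it lists three entries for a second look (FolderShare under the user profile, the pendrive AutoRun handler on G:, and the tsc.exe orphan that ComboFix had already cleared) plus 139/TCP and 445/TCP open in the standard firewall profile, which is expected on a domain member but still worth confirming on a laptop that leaves the office.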


#12 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 July 2008 - 03:47 PM

Hello, bmillion.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 bmillion
  • Topic Starter
  • Members
  • 11 posts

Posted 16 July 2008 - 03:35 PM

Hi Bill: Here is the log.txt from ESET Online Scanner.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3273 (20080716)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=68e3bcd6c26b0b4da41367dc86414f2b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-07-16 08:20:59
# local_time=2008-07-16 04:20:59 (-0500, Eastern Daylight Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=311328
# found=0
# scan_time=5245


#14 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 July 2008 - 03:42 PM

Hello, bmillion.
Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.

You now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy ComboFix /u in the Run box and click OK.
    Note the space between the X and the U; it needs to be there.
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "None"

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
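The HOSTS-file step in the post above works because the resolver consults the hosts file before it asks DNS, so a name listed there against a loopback or unroutable address never reaches the real site. As an added example, not part of the thread and not Spybot S&D's own code, the following Python reads hosts-file text in the "address hostname" form that blocklists such as Spybot's use, answers whether a name is sinkholed, separates block entries from entries that send a name to a routable address (the same mechanism can reroute as easily as block, so a real address next to a bank or update domain deserves a second look), and merges a blocklist without duplicating lines already present. SAMPLE_HOSTS and the .test names are constructed; parse_hosts, is_blocked, redirects and add_blocklist are this example's own names.

```python
"""Hosts-file helpers: parse, test whether a name is sinkholed, spot redirects, merge a blocklist."""

# Addresses a blocklist maps names to so that connections go nowhere.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a default Windows hosts file plus blocklist lines in the
# "address  hostname [hostname...]" form; .test names are reserved for examples.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# --- blocklist ---
127.0.0.1  ads.example.test          # trailing comment
0.0.0.0    Tracker.Example.Test  cdn.tracker.example.test
10.0.0.5   www.example-bank.test
"""


def parse_hosts(text):
    """Return ({hostname (lower-case): address}, [hostnames listed more than once]).
    The first mapping for a name is kept so that conflicting later lines stand out."""
    hosts, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and surrounding space
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            key = name.lower()                    # hostnames are case-insensitive
            if key in hosts:
                duplicates.append(key)
            else:
                hosts[key] = address
    return hosts, duplicates


def is_blocked(hosts, name):
    """True when the hosts file sends this name to a sinkhole address."""
    return hosts.get(name.lower()) in SINKHOLES


def redirects(hosts):
    """Names mapped to a routable address: these reroute rather than block. Check them by hand."""
    return {name: addr for name, addr in hosts.items() if addr not in SINKHOLES}


def add_blocklist(text, names, sink="0.0.0.0"):
    """Append a sinkhole line for each name not already present. Idempotent."""
    hosts, _ = parse_hosts(text)
    missing = [n.lower() for n in names if n.lower() not in hosts]
    if not missing:
        return text
    if not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"{sink} {n}\n" for n in missing)


if __name__ == "__main__":
    hosts, dupes = parse_hosts(SAMPLE_HOSTS)
    for n in ("ADS.example.test", "www.example-bank.test"):
        print(n, "blocked" if is_blocked(hosts, n) else "not blocked")
    print("redirects (review these):", redirects(hosts))
    print("duplicates:", dupes)
    merged = add_blocklist(SAMPLE_HOSTS, ["ads.example.test", "new.example.test"])
    print("appended:", merged.splitlines()[-1])
```

The post's note about the DNS Client service follows from the same mechanism: that service loads the hosts file into its cache, and a blocklist of tens of thousands of lines makes that expensive, which is why the slowdown appears only after a large list is installed.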

#15 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 20 July 2008 - 08:18 AM

Hello, bmillion.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



