Windows 2003 Multiple Infections


  • This topic is locked
2 replies to this topic

#1 Anthony R.

Posted 21 June 2008 - 10:05 PM

I had quite a few infections including smitfraud, vundo, w32. I think I cleaned them all out but I wanted to have my log checked and make sure. This is on a Windows 2003 terminal server.



Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-21 21:55:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:21, on 6/21/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\HP\Cissesrv\cissesrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\csasvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Pfx Engagement\Common\PFXEngDesktopService.exe
C:\Pfx Engagement\Common\PFXSYNPFTService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\lserver.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\WINDOWS\System32\svchost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Pfx Engagement\WM\PfxPDFConvertService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ProSystem fx Document\Virtual Drive\bin\CCH.Document.VirtualDrive.Reminder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Map Virtual Drive.lnk = ?
O4 - Global Startup: PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Virtual Drive Save As.lnk = C:\Program Files\ProSystem fx Document\Virtual Drive\bin\CCH.Document.VirtualDrive.Reminder.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - Trusted Zone: http://*.document
O15 - Trusted Zone: http://*.jerry
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1189137168484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189137257187
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c12/v19.108/qboax10.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://manageit2.agniteksupport.com/inc/kaxRemote.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tlr.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {FB87AE4D-901C-45FD-BF1E-B4D4E1622628} - http://document/document%20drive/install.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bepcocpa.com
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - c:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: Creative Solutions Accounting Print Service (CSAPrintService) - Creative Solutions - C:\WINDOWS\csasvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ManageITAgent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PFXEngDesktopService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXEngDesktopService.exe
O23 - Service: PFXSYNPFTService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXSYNPFTService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Hewlett-Packard Company - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10870 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080620-070408-169 O3 - Toolbar: vrmdtneg - {B4B8E731-19DA-43DF-9E91-4B33E8478EF3} - C:\WINDOWS\vrmdtneg.dll (file missing)
backup-20080620-070408-389 O2 - BHO: targetedbanner browser optimizer - {70dc882a-04f0-399a-9d60-3a7c31f941a8} - C:\WINDOWS\system32\{b9b74d2a-2b82-1030-5993-f7be23308d3d}.dll
backup-20080620-070408-472 O2 - BHO: Xena toolbar - {2ff811e6-8925-4084-a649-c159955e67e8} - C:\WINDOWS\system32\dadef.dll
backup-20080620-071413-446 O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
backup-20080620-071413-812 O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
backup-20080620-090906-115 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
backup-20080620-090906-147 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
backup-20080620-090906-325 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20080620-090906-335 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080620-090906-338 O4 - HKUS\S-1-5-21-4268972372-2609372742-1530934317-1114\..\Run: [winlogon] C:\Documents and Settings\TEMP.BEPCOCPA\svchost.exe (User 'sborski')
backup-20080620-090906-344 O4 - HKUS\S-1-5-21-4268972372-2609372742-1530934317-1114\..\Run: [] (User 'sborski')
backup-20080620-090906-352 O4 - HKUS\S-1-5-21-4268972372-2609372742-1530934317-1663\..\Run: [] (User 'arestivo')
backup-20080620-090906-414 O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\TEMP.BEPCOCPA\svchost.exe
backup-20080620-090906-418 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
backup-20080620-090906-510 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
backup-20080620-090906-613 O4 - HKLM\..\Run: [{87213180-5f6a-754e-4398-2e5b4ff7faeb}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{b9b74d2a-2b82-1030-5993-f7be23308d3d}.dll" DllStart
backup-20080620-090906-782 O4 - HKUS\S-1-5-21-4268972372-2609372742-1530934317-1663\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'arestivo')
backup-20080620-090906-829 O4 - HKUS\S-1-5-21-4268972372-2609372742-1530934317-1114\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'sborski')
backup-20080620-125349-101 O4 - HKLM\..\RunOnce: [SpybotDeletingC9476] cmd /c del "C:\Documents and Settings\mwilliams\svchost.exe"
backup-20080620-125349-145 O4 - HKLM\..\RunOnce: [SpybotDeletingC7716] cmd /c del "C:\Documents and Settings\tehlert\svchost.exe"
backup-20080620-125349-255 O4 - HKLM\..\RunOnce: [SpybotDeletingC3646] cmd /c del "C:\Documents and Settings\sborski.BEPCOCPA.000\svchost.exe"
backup-20080620-125349-306 O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Administrator\svchost.exe
backup-20080620-125349-323 O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
backup-20080620-125349-387 O4 - HKLM\..\RunOnce: [SpybotDeletingA8927] command /c del "C:\Documents and Settings\tmoore\svchost.exe"
backup-20080620-125349-416 O4 - HKLM\..\RunOnce: [SpybotDeletingA105] command /c del "C:\Documents and Settings\arogers\svchost.exe"
backup-20080620-125349-518 O4 - HKLM\..\RunOnce: [SpybotDeletingA961] command /c del "C:\Documents and Settings\sborski.BEPCOCPA.000\svchost.exe"
backup-20080620-125349-629 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
backup-20080620-125349-635 O4 - HKLM\..\RunOnce: [SpybotDeletingC4894] cmd /c del "C:\Documents and Settings\jborski\svchost.exe"
backup-20080620-125349-636 O4 - HKLM\..\RunOnce: [SpybotDeletingC4456] cmd /c del "C:\Documents and Settings\Administrator.BEPCOCPA\svchost.exe"
backup-20080620-125349-662 O4 - HKLM\..\RunOnce: [SpybotDeletingC8664] cmd /c del "C:\Documents and Settings\tmoore\svchost.exe"
backup-20080620-125349-716 O4 - HKLM\..\RunOnce: [SpybotDeletingA3885] command /c del "C:\Documents and Settings\tehlert\svchost.exe"
backup-20080620-125349-763 O4 - HKLM\..\RunOnce: [SpybotDeletingC6426] cmd /c del "C:\Documents and Settings\pabney\svchost.exe"
backup-20080620-125349-770 O4 - HKLM\..\RunOnce: [SpybotDeletingA6812] command /c del "C:\Documents and Settings\pabney\svchost.exe"
backup-20080620-125349-781 O4 - HKLM\..\RunOnce: [SpybotDeletingA1060] command /c del "C:\Documents and Settings\Administrator.BEPCOCPA\svchost.exe"
backup-20080620-125349-813 O4 - HKLM\..\RunOnce: [SpybotDeletingA6192] command /c del "C:\Documents and Settings\jborski\svchost.exe"
backup-20080620-125349-902 O4 - HKLM\..\RunOnce: [SpybotDeletingA1059] command /c del "C:\Documents and Settings\mwilliams\svchost.exe"
backup-20080620-125349-998 O4 - HKLM\..\RunOnce: [SpybotDeletingC3490] cmd /c del "C:\Documents and Settings\arogers\svchost.exe"
backup-20080621-183611-144 O17 - HKLM\System\CCS\Services\Tcpip\..\{21884560-9A9C-4AB1-A955-3A30E3E334E6}: NameServer = 192.168.1.2
backup-20080621-183611-749 O17 - HKLM\Software\..\Telephony: DomainName = bepcocpa.com
backup-20080621-183611-781 O17 - HKLM\System\CS1\Services\Tcpip\..\{21884560-9A9C-4AB1-A955-3A30E3E334E6}: NameServer = 192.168.1.2
backup-20080621-183611-958 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bepcocpa.com
backup-20080621-183611-969 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bepcocpa.com
backup-20080621-184229-844 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
backup-20080621-184803-167 O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
backup-20080621-184803-388 O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
backup-20080621-184803-562 O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 hpqilo2 - c:\windows\system32\drivers\hpqilo2.sys <Not Verified; Hewlett-Packard Company; HP ProLiant iLO 2 Management Controller Driver for Microsoft® Windows®>

S3 CPQTeam (HP Network Configuration Utility) - c:\windows\system32\drivers\cpqteam.sys <Not Verified; Hewlett-Packard Company; Network Teaming Intermediate Driver (NTID)>
S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
S3 NwlnkFlt (IPX Traffic Filter Driver) - c:\windows\system32\drivers\nwlnkflt.sys (file missing)
S3 NwlnkFwd (IPX Traffic Forwarder Driver) - c:\windows\system32\drivers\nwlnkfwd.sys (file missing)
S4 startdss (HP ProLiant Virtual Install Disk Support Driver) - c:\windows\system32\drivers\startdss.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Acronis VSS Provider - c:\windows\system32\dllhost.exe /processid:{6edbbc47-049c-4607-a8c0-14eaddbc6f39} <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Cissesrv (HP Smart Array SAS/SATA Event Notification Service) - c:\program files\hp\cissesrv\cissesrv.exe <Not Verified; Hewlett-Packard Company; HP Smart Array SAS/SATA Notification Service>
R2 CpqNicMgmt (HP Insight NIC Agents) - c:\windows\system32\cpqnimgt\cpqnimgt.exe <Not Verified; Hewlett-Packard Company; NIC Agents>
R2 CpqRcmc (HP ProLiant Remote Monitor Service) - c:\windows\system32\cpqrcmc.exe <Not Verified; Hewlett-Packard Company; HP ProLiant Remote Monitor Service for Microsoft® Windows®>
R2 cpqvcagent (HP Version Control Agent) - c:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe <Not Verified; Hewlett-Packard Company; HP Version Control Agent>
R2 CqMgHost (HP Insight Foundation Agents) - c:\windows\system32\cpqmgmt\cqmghost\cqmghost.exe <Not Verified; Hewlett-Packard Company; HP Insight Foundation Agents for Microsoft® Windows Server™ 2003>
R2 CqMgServ (HP Insight Server Agents) - c:\windows\system32\cpqmgmt\cqmgserv\cqmgserv.exe <Not Verified; Hewlett-Packard Company; HP Insight Server Agents for Microsoft® Windows Server™ 2003>
R2 CqMgStor (HP Insight Storage Agents) - c:\windows\system32\cpqmgmt\cqmgstor\cqmgstor.exe <Not Verified; Hewlett-Packard Company; HP Insight Storage Agents>
R2 CSAPrintService (Creative Solutions Accounting Print Service) - c:\windows\csasvc.exe <Not Verified; Creative Solutions; Creative Solutions Print Service>
R2 DNS (DNS Server) - c:\windows\system32\dns.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 IISADMIN (IIS Admin Service) - c:\windows\system32\inetsrv\inetinfo.exe <Not Verified; Microsoft Corporation; Internet Information Services>
R2 KaseyaAgent (ManageITAgent) - c:\program files\kaseya\agent\agentmon.exe <Not Verified; Kaseya; Virtual System Administrator Agent>
R2 PFXEngDesktopService - c:\pfx engagement\common\pfxengdesktopservice.exe <Not Verified; CCH Tax and Accounting; PFXEngDesktopService Module>
R2 PFXSYNPFTService - c:\pfx engagement\common\pfxsynpftservice.exe <Not Verified; CCH Tax and Accounting; PFXSYNPFTService Module>
R2 SNMP (SNMP Service) - c:\windows\system32\snmp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 sysdown (HP ProLiant System Shutdown Service) - c:\windows\system32\sysdown.exe <Not Verified; Hewlett-Packard Company; HP ProLiant System Shutdown Service for Microsoft® Windows®>
R2 SysMgmtHp (HP System Management Homepage) - c:\hp\hpsmh\bin\smhstart.exe <Not Verified; Hewlett-Packard Company; HP System Management Homepage Service for Microsoft Windows ™>
R2 TermServLicensing (Terminal Server Licensing) - c:\windows\system32\lserver.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 WinVNC4 (VNC Server Version 4) - "c:\program files\realvnc\vnc4\winvnc4.exe" -service <Not Verified; RealVNC Ltd.; VNC Server Free Edition>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 CIMnotify (HP Insight Event Notifier) - c:\windows\system32\cimntfy\cimntfy.exe <Not Verified; Hewlett-Packard Company; HP Insight Foundation Agents for Microsoft® Windows Server™ 2003>
S4 Pervasive.SQL Workgroup Engine - c:\windows\system32\srvany.exe (file missing)
S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-19 12:00:02 480 --a------ C:\WINDOWS\Tasks\ShadowCopyVolume{9d1a37ec-f779-11db-8e3c-806e6f6e6963}.job


-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-21 20:14:25 389120 --a------ C:\WINDOWS\system32\CF32215.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-21 16:01:58 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-21 16:01:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-20 13:53:01 0 d-------- C:\Documents and Settings\sborski.BEPCOCPA.000\Application Data\Document Drive
2008-06-20 13:52:53 0 d-------- C:\Documents and Settings\sborski.BEPCOCPA.000\Application Data\Identities
2008-06-20 13:46:09 0 d-------- C:\Documents and Settings\bsallach.BEPCOCPA\Application Data\Document Drive
2008-06-20 13:46:00 0 d-------- C:\Documents and Settings\bsallach.BEPCOCPA\Application Data\Identities
2008-06-20 13:45:55 0 d-------- C:\Documents and Settings\bsallach.BEPCOCPA\WINDOWS
2008-06-20 13:45:49 0 d--h----- C:\Documents and Settings\bsallach.BEPCOCPA\Templates
2008-06-20 13:45:49 0 dr------- C:\Documents and Settings\bsallach.BEPCOCPA\Start Menu
2008-06-20 13:45:49 0 dr-h----- C:\Documents and Settings\bsallach.BEPCOCPA\SendTo
2008-06-20 13:45:49 0 dr-h----- C:\Documents and Settings\bsallach.BEPCOCPA\Recent
2008-06-20 13:45:49 0 d--h----- C:\Documents and Settings\bsallach.BEPCOCPA\PrintHood
2008-06-20 13:45:49 4718592 --ah----- C:\Documents and Settings\bsallach.BEPCOCPA\NTUSER.DAT
2008-06-20 13:45:49 0 d--h----- C:\Documents and Settings\bsallach.BEPCOCPA\NetHood
2008-06-20 13:45:49 0 dr------- C:\Documents and Settings\bsallach.BEPCOCPA\My Documents
2008-06-20 13:45:49 0 d--h----- C:\Documents and Settings\bsallach.BEPCOCPA\Local Settings
2008-06-20 13:45:49 0 dr------- C:\Documents and Settings\bsallach.BEPCOCPA\Favorites
2008-06-20 13:45:49 0 d-------- C:\Documents and Settings\bsallach.BEPCOCPA\Desktop
2008-06-20 13:45:49 0 d--hs---- C:\Documents and Settings\bsallach.BEPCOCPA\Cookies
2008-06-20 13:45:49 0 dr-h----- C:\Documents and Settings\bsallach.BEPCOCPA\Application Data
2008-06-20 13:45:49 0 d-------- C:\Documents and Settings\bsallach.BEPCOCPA\Application Data\Xerox
2008-06-20 13:45:49 0 d---s---- C:\Documents and Settings\bsallach.BEPCOCPA\Application Data\Microsoft
2008-06-20 12:55:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-20 12:55:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-20 09:58:35 0 d-------- C:\Documents and Settings\sborski.BEPCOCPA.000\WINDOWS
2008-06-20 09:58:31 0 d--h----- C:\Documents and Settings\sborski.BEPCOCPA.000\Templates
2008-06-20 09:58:31 0 dr------- C:\Documents and Settings\sborski.BEPCOCPA.000\Start Menu
2008-06-20 09:58:31 0 dr-h----- C:\Documents and Settings\sborski.BEPCOCPA.000\SendTo
2008-06-20 09:58:31 0 dr-h----- C:\Documents and Settings\sborski.BEPCOCPA.000\Recent
2008-06-20 09:58:31 0 d--h----- C:\Documents and Settings\sborski.BEPCOCPA.000\PrintHood
2008-06-20 09:58:31 0 d--h----- C:\Documents and Settings\sborski.BEPCOCPA.000\NetHood
2008-06-20 09:58:31 0 dr------- C:\Documents and Settings\sborski.BEPCOCPA.000\My Documents
2008-06-20 09:58:31 0 d--h----- C:\Documents and Settings\sborski.BEPCOCPA.000\Local Settings
2008-06-20 09:58:31 0 dr------- C:\Documents and Settings\sborski.BEPCOCPA.000\Favorites
2008-06-20 09:58:31 0 d-------- C:\Documents and Settings\sborski.BEPCOCPA.000\Desktop
2008-06-20 09:58:31 0 d--hs---- C:\Documents and Settings\sborski.BEPCOCPA.000\Cookies
2008-06-20 09:58:31 0 dr-h----- C:\Documents and Settings\sborski.BEPCOCPA.000\Application Data
2008-06-20 09:58:31 0 d-------- C:\Documents and Settings\sborski.BEPCOCPA.000\Application Data\Xerox
2008-06-20 09:58:31 0 d---s---- C:\Documents and Settings\sborski.BEPCOCPA.000\Application Data\Microsoft
2008-06-20 09:58:30 4980736 --ah----- C:\Documents and Settings\sborski.BEPCOCPA.000\NTUSER.DAT
2008-06-20 09:20:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 09:03:02 389120 --a------ C:\WINDOWS\system32\CF11738.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-20 06:37:44 510 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-20 06:35:05 0 d-------- C:\Program Files\Trend Micro
2008-06-20 06:34:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Document Drive
2008-06-19 16:05:56 278528 --a------ C:\WINDOWS\ksendlbtmat.dll
2008-06-19 16:05:39 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-19 15:25:18 0 d-------- C:\WINDOWS\system32\netrax06
2008-06-19 15:25:02 110592 --a------ C:\Documents and Settings\All Users\Application Data\pynktaxy.dll
2008-06-19 15:23:51 0 d-------- C:\Documents and Settings\Administrator.BEPCOCPA\Application Data\SolarWinds
2008-06-18 19:36:25 0 d-------- C:\Documents and Settings\aeyeington\Application Data\Intuit
2008-06-10 09:51:35 0 d-------- C:\Documents and Settings\MHUSSAIN\Application Data\Peachtree
2008-06-06 11:36:12 0 d-------- C:\Documents and Settings\edarilek\Application Data\Adobe
2008-06-06 11:36:08 0 d-------- C:\Documents and Settings\edarilek\Application Data\Document Drive
2008-06-06 11:36:00 0 d-------- C:\Documents and Settings\edarilek\Application Data\Identities
2008-06-06 11:35:54 0 d-------- C:\Documents and Settings\edarilek\WINDOWS
2008-06-06 11:35:49 0 d--h----- C:\Documents and Settings\edarilek\Templates
2008-06-06 11:35:49 0 dr------- C:\Documents and Settings\edarilek\Start Menu
2008-06-06 11:35:49 0 dr-h----- C:\Documents and Settings\edarilek\SendTo
2008-06-06 11:35:49 0 dr-h----- C:\Documents and Settings\edarilek\Recent
2008-06-06 11:35:49 0 d--h----- C:\Documents and Settings\edarilek\PrintHood
2008-06-06 11:35:49 0 d--h----- C:\Documents and Settings\edarilek\NetHood
2008-06-06 11:35:49 0 dr------- C:\Documents and Settings\edarilek\My Documents
2008-06-06 11:35:49 0 d--h----- C:\Documents and Settings\edarilek\Local Settings
2008-06-06 11:35:49 0 dr------- C:\Documents and Settings\edarilek\Favorites
2008-06-06 11:35:49 0 d-------- C:\Documents and Settings\edarilek\Desktop
2008-06-06 11:35:49 0 d--hs---- C:\Documents and Settings\edarilek\Cookies
2008-06-06 11:35:49 0 dr-h----- C:\Documents and Settings\edarilek\Application Data
2008-06-06 11:35:49 0 d-------- C:\Documents and Settings\edarilek\Application Data\Xerox
2008-06-06 11:35:49 0 d---s---- C:\Documents and Settings\edarilek\Application Data\Microsoft
2008-06-06 11:35:48 4718592 --ah----- C:\Documents and Settings\edarilek\NTUSER.DAT
2008-06-03 11:33:18 0 d-------- C:\Documents and Settings\jborski\Application Data\Adobe
2008-06-03 11:33:16 0 d-------- C:\Documents and Settings\jborski\Application Data\Document Drive
2008-06-03 11:33:10 0 d-------- C:\Documents and Settings\jborski\Application Data\Identities
2008-06-03 11:33:05 0 d-------- C:\Documents and Settings\jborski\WINDOWS
2008-06-03 11:33:01 0 d--h----- C:\Documents and Settings\jborski\Templates
2008-06-03 11:33:01 0 dr------- C:\Documents and Settings\jborski\Start Menu
2008-06-03 11:33:01 0 dr-h----- C:\Documents and Settings\jborski\SendTo
2008-06-03 11:33:01 0 dr-h----- C:\Documents and Settings\jborski\Recent
2008-06-03 11:33:01 0 d--h----- C:\Documents and Settings\jborski\PrintHood
2008-06-03 11:33:01 4980736 --ah----- C:\Documents and Settings\jborski\NTUSER.DAT
2008-06-03 11:33:01 0 d--h----- C:\Documents and Settings\jborski\NetHood
2008-06-03 11:33:01 0 dr------- C:\Documents and Settings\jborski\My Documents
2008-06-03 11:33:01 0 d--h----- C:\Documents and Settings\jborski\Local Settings
2008-06-03 11:33:01 0 dr------- C:\Documents and Settings\jborski\Favorites
2008-06-03 11:33:01 0 d-------- C:\Documents and Settings\jborski\Desktop
2008-06-03 11:33:01 0 d--hs---- C:\Documents and Settings\jborski\Cookies
2008-06-03 11:33:01 0 dr-h----- C:\Documents and Settings\jborski\Application Data
2008-06-03 11:33:01 0 d-------- C:\Documents and Settings\jborski\Application Data\Xerox
2008-06-03 11:33:01 0 d---s---- C:\Documents and Settings\jborski\Application Data\Microsoft
2008-06-03 11:02:25 0 d-------- C:\Documents and Settings\jchew\Application Data\Adobe
2008-06-03 11:02:22 0 d-------- C:\Documents and Settings\jchew\Application Data\Document Drive
2008-06-03 11:02:15 0 d-------- C:\Documents and Settings\jchew\Application Data\Identities
2008-06-03 11:02:09 0 d-------- C:\Documents and Settings\jchew\WINDOWS
2008-06-03 11:02:03 0 d--h----- C:\Documents and Settings\jchew\Templates
2008-06-03 11:02:03 0 dr------- C:\Documents and Settings\jchew\Start Menu
2008-06-03 11:02:03 0 dr-h----- C:\Documents and Settings\jchew\SendTo
2008-06-03 11:02:03 0 dr-h----- C:\Documents and Settings\jchew\Recent
2008-06-03 11:02:03 0 d--h----- C:\Documents and Settings\jchew\PrintHood
2008-06-03 11:02:03 4980736 --ah----- C:\Documents and Settings\jchew\NTUSER.DAT
2008-06-03 11:02:03 0 d--h----- C:\Documents and Settings\jchew\NetHood
2008-06-03 11:02:03 0 dr------- C:\Documents and Settings\jchew\My Documents
2008-06-03 11:02:03 0 d--h----- C:\Documents and Settings\jchew\Local Settings
2008-06-03 11:02:03 0 dr------- C:\Documents and Settings\jchew\Favorites
2008-06-03 11:02:03 0 d-------- C:\Documents and Settings\jchew\Desktop
2008-06-03 11:02:03 0 d--hs---- C:\Documents and Settings\jchew\Cookies
2008-06-03 11:02:03 0 dr-h----- C:\Documents and Settings\jchew\Application Data
2008-06-03 11:02:03 0 d-------- C:\Documents and Settings\jchew\Application Data\Xerox
2008-06-03 11:02:03 0 d---s---- C:\Documents and Settings\jchew\Application Data\Microsoft
2008-06-03 09:39:34 0 d-------- C:\Documents and Settings\tmoore\Application Data\Peachtree
2008-06-02 17:20:43 0 d-------- C:\Documents and Settings\aeyeington\Application Data\Peachtree
2008-06-01 20:10:57 0 d-------- C:\Documents and Settings\mwilliams\Application Data\Peachtree
2008-05-31 22:57:23 0 d-------- C:\Documents and Settings\gchew\Application Data\Adobe
2008-05-31 22:57:22 0 d-------- C:\Documents and Settings\gchew\Application Data\Document Drive
2008-05-31 22:57:16 0 d-------- C:\Documents and Settings\gchew\Application Data\Identities
2008-05-31 22:57:11 0 d-------- C:\Documents and Settings\gchew\WINDOWS
2008-05-31 22:57:08 0 d--h----- C:\Documents and Settings\gchew\Templates
2008-05-31 22:57:08 0 dr------- C:\Documents and Settings\gchew\Start Menu
2008-05-31 22:57:08 0 dr-h----- C:\Documents and Settings\gchew\SendTo
2008-05-31 22:57:08 0 dr-h----- C:\Documents and Settings\gchew\Recent
2008-05-31 22:57:08 0 d--h----- C:\Documents and Settings\gchew\PrintHood
2008-05-31 22:57:08 0 d--h----- C:\Documents and Settings\gchew\NetHood
2008-05-31 22:57:08 0 dr------- C:\Documents and Settings\gchew\My Documents
2008-05-31 22:57:08 0 d--h----- C:\Documents and Settings\gchew\Local Settings
2008-05-31 22:57:08 0 dr------- C:\Documents and Settings\gchew\Favorites
2008-05-31 22:57:08 0 d-------- C:\Documents and Settings\gchew\Desktop
2008-05-31 22:57:08 0 d--hs---- C:\Documents and Settings\gchew\Cookies
2008-05-31 22:57:08 0 dr-h----- C:\Documents and Settings\gchew\Application Data
2008-05-31 22:57:08 0 d-------- C:\Documents and Settings\gchew\Application Data\Xerox
2008-05-31 22:57:08 0 d---s---- C:\Documents and Settings\gchew\Application Data\Microsoft
2008-05-31 22:57:07 4718592 --ah----- C:\Documents and Settings\gchew\NTUSER.DAT
2008-05-30 16:11:55 0 d-------- C:\pvswarch
2008-05-30 12:07:43 0 d-------- C:\Documents and Settings\jwatson\Application Data\Intuit
2008-05-29 17:00:17 0 d-------- C:\Documents and Settings\kchumchal\Application Data\Intuit
2008-05-29 11:01:50 0 d-------- C:\Documents and Settings\tmoore\Application Data\Intuit
2008-05-29 08:32:30 0 d-------- C:\Documents and Settings\bsallach\Application Data\Intuit
2008-05-28 16:33:27 0 d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-05-28 16:33:07 0 d-------- C:\Documents and Settings\Administrator.BEPCOCPA\Application Data\Intuit
2008-05-28 16:32:54 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2008-05-28 16:32:40 0 d-------- C:\Program Files\Quicken
2008-05-28 16:22:25 0 d-------- C:\Documents and Settings\Administrator.BEPCOCPA\Application Data\Peachtree
2008-05-28 16:14:09 0 d-------- C:\Program Files\Common Files\Peach
2008-05-28 16:06:13 0 d-------- C:\pvsw
2008-05-28 16:06:06 0 d-------- C:\Program Files\Common Files\Pervasive Software Shared
2008-05-28 16:04:12 0 d-------- C:\Program Files\Sage Software
2008-05-28 15:30:54 0 d-------- C:\WINDOWS\PeachInst


-- Find3M Report ---------------------------------------------------------------

2008-06-21 21:51:04 0 d-------- C:\Program Files\Symantec AntiVirus
2008-06-21 12:38:30 0 d-------- C:\Program Files\Common Files
2008-06-21 12:07:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-20 17:19:13 0 d-------- C:\Program Files\Client Bookkeeping Solution
2008-06-20 17:04:36 0 d-------- C:\Program Files\Common Files\Creative Solutions
2008-06-18 10:28:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-01 01:29:07 0 d-------- C:\Program Files\ProSystem fx Document
2008-05-28 16:33:23 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-08 10:28:07 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-07 22:30:22 0 d-------- C:\Program Files\Cisco Systems
2008-05-07 16:28:45 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-07 16:25:48 0 d-------- C:\Program Files\Intuit
2008-05-07 10:37:44 0 d-------- C:\Program Files\Akamai
2008-04-28 10:42:52 0 d-------- C:\Program Files\Common Files\Crystal Decisions
2008-04-04 23:55:15 262144 --a------ C:\WINDOWS\system32\default_user_class.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="C:\Program Files\VAV\vav.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/17/2007 09:03]
"@"="" []
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [03/13/2007 16:38]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
@=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Map Virtual Drive.lnk - C:\Program Files\ProSystem fx Document\Virtual Drive\Config\Map.Bat [6/1/2008 1:29:25 AM]
PfxPDFConvertService.exe.lnk - C:\Pfx Engagement\WM\PfxPDFConvertService.exe [10/24/2007 3:57:54 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2/27/2008 8:00:46 AM]
Virtual Drive Save As.lnk - C:\Program Files\ProSystem fx Document\Virtual Drive\bin\CCH.Document.VirtualDrive.Reminder.exe [1/25/2007 11:44:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 02/17/2007 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
iissvcs w3svc
regsvc RemoteRegistry
swprv swprv

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8854 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-21 22:02:40 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows® Server 2003, Standard Edition (build 3790) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Xeon® CPU 5140 @ 2.33GHz
CPU 1: Intel® Xeon® CPU 5140 @ 2.33GHz
CPU 2: Intel® Xeon® CPU 5140 @ 2.33GHz
CPU 3: Intel® Xeon® CPU 5140 @ 2.33GHz
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 4093.67 MiB / 3275.99 MiB
Pagefile Memory (total/avail): 8023.69 MiB / 7225.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.93 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 136.66 GiB total, 91.41 GiB free.
D: is CDROM (No Media)
Z: is Fixed (NTFS) - 136.66 GiB total, 91.41 GiB free.

\\.\PHYSICALDRIVE0 - HP LOGICAL VOLUME SCSI Disk Device - 136.67 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 136.66 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
ASLOGDIR=C:\Program Files\Intuit\QuickBooks 2006\
CBS_DATA=C:\Program Files\Client Bookkeeping Solution\Data\
ClusterLog=C:\WINDOWS\Cluster\cluster.log
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JERRY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
lib=C:\Program Files\SQLXML 3.0\bin\;C:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\JERRY
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\pvsw\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Pfx Engagement\Common;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Documents and Settings\All Users\Documents
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=JERRY
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
aallen (admin)
aeyeington (admin)
pabney (admin)
jpatout (admin)
mwilliams (admin)
gbrewer (admin)
sborski.BEPCOCPA (admin)
jsloyan (admin)
kchumchal (admin)
ppatterson (admin)
MHUSSAIN (admin)
agnitek (admin)
tehlert (admin)
arestivo (admin)
jborski (admin)
manageit (admin)
bsallach.BEPCOCPA (new local, admin, net ready)
bsallach (admin)
tmoore (admin)
prosystemfx (admin)
jwatson (admin)
arogers (admin)
gchew (new local, admin, net ready)
jchew (admin)
edarilek (new local, admin, net ready)
sborski.BEPCOCPA.000 (admin)
Administrator.BEPCOCPA (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> AIS version 2.2 or higher installed
--> C:\Program Files\Installshield Installation Information\{08082022-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082022-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\PDF IFilter 6.0\Uninst.isu"
--> MsiExec.exe /I{19ABFD8F-CB86-4965-9282-047FC27084F1}
--> MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis True Image Server --> MsiExec.exe /X{494A69C4-5E64-4AA4-B04F-6190E9A19192}
Adobe Acrobat 8.1.2 Standard --> msiexec /I {AC76BA86-1033-0000-BA7E-000000000003}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe PDF IFilter 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\PDF IFilter 6.0\Uninst.isu"
AnswerWorks 5.0 English Runtime --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\Setup.exe" -l0x9 -uninst -removeonly
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Cisco ASDM Launcher --> MsiExec.exe /X{86AFBE3F-97EB-4651-9F24-6E3C33833C20}
Client Bookkeeping Solution 2007.1 --> MsiExec.exe /X{4CD388DC-E554-4719-95AB-06817592A76E}
Creative Solutions Accounting --> \\TOM\WINCSI\CSA\UNWISE.EXE /Y
Creative Solutions Accounting - Workstation --> C:\Program Files\Common Files\Creative Solutions\CSA Workstation\UNWISE.EXE /Y
Crystal Reports9 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{543A636A-E53F-416F-8AB5-8BFE7B698C69} MaintenanceRun
Dell Software Uninstall --> C:\Program Files\Dell_HostCD\Install\x86\Uninstall.exe
GDR 3054 for SQL Server Database Services 2005 ENU (KB934458) --> C:\WINDOWS\SQL9_KB934458_ENU\Hotfix.exe /Uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Array Configuration Utility --> MsiExec.exe /X{0FC83811-F7AB-4D02-89EF-D86A7333C6C3}
HP Array Configuration Utility CLI --> MsiExec.exe /X{FC1534DB-31FE-4994-A91C-120A9AB7CE17}
HP Array Diagnostic Utility --> MsiExec.exe /X{E66B176F-F12D-45D9-9125-CC66C53FCB5C}
HP Insight Management Agents --> MsiExec.exe /X{441DA1C0-D14F-4033-ACE0-3C132F7EE966}
HP Lights-Out Online Configuration Utility --> MsiExec.exe /X{7778BE88-B255-4F82-87EE-5DD49E990B1A}
HP ProLiant Integrated Management Log Viewer --> MsiExec.exe /X{4F8D40CA-D8AB-4AA6-B47D-AA8FA845E530}
HP ProLiant Remote Monitor Service --> MsiExec.exe /X{93EF387B-6884-4ADE-806E-E98F05DD2A4C}
HP Smart Array SAS/SATA Event Notification Service --> MsiExec.exe /X{A5B24235-ACF7-48B0-B0F8-7C95A590F14C}
HP System Management Homepage --> "C:\Program Files\InstallShield Installation Information\{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}\setup.exe"
HP Version Control Agent --> MsiExec.exe /X{5A5F45AE-0250-4C34-9D89-F10BDDEE665F}
HPInsightDiagnostics --> MsiExec.exe /X{97D259B9-2076-4C25-97E1-440D9D038229}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 --> MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{5E8858EC-6B09-4939-99F2-5678073A0327}
Microsoft Office XP Standard --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 (PROFXDOCUMENT) --> MsiExec.exe /I{130A3BE1-85CC-4135-8EA7-5A724EE6CE2C}
Microsoft SQL Server 2005 Analysis Services (PROFXDOCUMENT) --> MsiExec.exe /I{8ABF8FEB-ABB0-40DC-9945-85AF36EF30A9}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{69880C00-08DD-4385-B752-9C62656F6D1E}
Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Express Edition (TOCTTARGPPC05) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Integration Services --> MsiExec.exe /I{EE8CFFD9-6E29-4DC3-A967-7348D5F41F44}
Microsoft SQL Server 2005 Reporting Services (PROFXDOCUMENT) --> MsiExec.exe /I{E930E839-998E-42F9-97E2-71FC960DB1B7}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Microsoft WSE 3.0 --> MsiExec.exe /I{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PDFlyer --> \\Bryan-102\Workstation\pdflyer.exe
PDFlyer --> MsiExec.exe /I{3CC87AD2-4CE2-426A-93D2-1CCE97BE1D8E}
Peachtree Quantum 2008 - Accountants' Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{0736311A-BCF5-4F80-AC0F-FE4E55DBF969}
PeachTree Signature Ready Forms --> MsiExec.exe /I{8BCB844B-0814-4354-A413-1063DB4618E9}
PPC Disclosure Library for Local Governments (5-07) --> MsiExec.exe /X{5730B9B0-1814-4ED1-AB4B-AA0F1F7D939A}
PPC Disclosure Library for Nonprofit Organizations (5-07) --> MsiExec.exe /X{ECD26304-B871-4B4E-96DD-10A4FE9A7DD8}
PPC Disclosure Library for Nonpublic Companies (7-07) --> MsiExec.exe /X{D2CB8DA7-01B6-4F72-AA42-0102FA94D454}
PPC e-Practice Aids Auditor's Reports (9-05) --> MsiExec.exe /X{DE7CF28A-397E-455D-9CF4-5F3C74C2DBE1}
PPC e-Practice Aids Auditor's Reports (9-06) --> MsiExec.exe /X{99BA5046-8C15-456A-95D3-2E02BF83A7F0}
PPC e-Practice Aids Audits of Local Governments (1-05) --> MsiExec.exe /X{605B010D-AC9A-44D0-B01F-2AAB2A17E646}
PPC e-Practice Aids Audits of Local Governments (2-06) --> MsiExec.exe /X{D9973166-5665-4FDD-AA5F-6207C817BF36}
PPC e-Practice Aids Audits of Local Governments (2-07) --> MsiExec.exe /X{2EDF7DB9-4154-498C-99E3-29B5306A7BA2}
PPC e-Practice Aids Audits of Nonprofit Organizations (1-05) --> MsiExec.exe /X{9FDDB317-6E7F-47EB-93F2-E1BFB941E242}
PPC e-Practice Aids Audits of Nonprofit Organizations (2-06) --> MsiExec.exe /X{87DE3980-ECFF-4C05-B401-E2DB0DE9C34E}
PPC e-Practice Aids Audits of Nonprofit Organizations (2-07) --> MsiExec.exe /X{0B10469E-7FA3-4243-85CE-2EB9C00A1104}
PPC e-Practice Aids Audits of Nonpublic Companies (1-07) --> MsiExec.exe /X{90FFEEFB-3A9A-463B-9F7B-F9170CED89E1}
PPC e-Practice Aids Audits of Small Businesses (1-05) --> MsiExec.exe /X{51C46193-924C-45F2-A111-6204E124DE57}
PPC e-Practice Aids Audits of Small Businesses (2-06) --> MsiExec.exe /X{627A4A67-2EB8-4FCF-BC08-2589065F49C2}
PPC e-Practice Aids Compilation and Review Engagements (7-05) --> MsiExec.exe /X{0E845512-3C6B-4FBD-93C7-E21D4019F309}
PPC e-Practice Aids Compilation and Review Engagements (7-06) --> MsiExec.exe /X{997C1225-8CDD-40FF-BDC7-D445DD11092C}
PPC e-Practice Aids Construction Contractors (5-05) --> MsiExec.exe /X{D03B658A-2890-49A8-9F8E-D8A1CEE55F45}
PPC e-Practice Aids Construction Contractors (6-06) --> MsiExec.exe /X{5597C1C1-8B91-4306-ACD3-7B7477DB5541}
PPC e-Practice Aids Construction Contractors (6-07) --> MsiExec.exe /X{FEC830E8-A1C2-4DD4-B09B-F705B8B76077}
PPC e-Practice Aids Single Audits (6-06) --> MsiExec.exe /X{DAC76CD4-26F1-4CD8-B5E4-5AE026CB3C48}
PPC e-Practice Aids Single Audits (7-05) --> MsiExec.exe /X{0F2FC4B0-81DF-45F7-9381-FF07C48BE3D0}
PPC e-Tools Framework --> MsiExec.exe /I{7F90C957-6461-4F5C-9286-08C66DB73BBD}
PPC e-Workpapers Disclosure Library for Local Governments (6-06) --> MsiExec.exe /X{4E29458A-F678-4AAD-964A-1ACC9DB7A287}
PPC e-Workpapers Disclosure Library for Nonprofit Organizations (5-06) --> MsiExec.exe /X{2BA5656C-798D-478E-A8C5-73D76261CFB9}
PPC e-Workpapers Disclosure Library for Nonpublic Businesses (7-06) --> MsiExec.exe /X{5582752B-99BA-4284-A92E-F0AB8EF8C17B}
PPC e-Workpapers Disclosure Library for Nonpublic Businesses 2006 --> MsiExec.exe /X{475C2824-A3E2-49CF-A26D-7F126C440CF6}
PPC e-Workpapers Disclosure Library for Nonpublic Companies (1-07) --> MsiExec.exe /X{F18D31AC-4B96-4943-AD7C-1FB64358C267}
PPC e-Workpapers Interactive Disclosure Library for Government 2005 --> MsiExec.exe /X{1D22D6A7-0790-487E-9DE0-1E5910E2471C}
PPC e-Workpapers Interactive Disclosure Library for Nonprofit Organizations 2005 --> MsiExec.exe /X{DD6C06AA-A54B-4B9D-A8F6-48689973264D}
PPC e-Workpapers Interactive Disclosure Library for Nonpublic Businesses 2005 --> MsiExec.exe /X{87D9864A-21FF-4CD3-A5FE-D9A374CFE1B8}
PPC Engagement Letter Generator (8-06) --> MsiExec.exe /X{24DADED6-3EE1-41F4-9535-6B2F81C86789}
PPC Engagement Letter Generator (8-07) --> MsiExec.exe /X{39AAE96B-3EFA-42D4-B9F2-B954A8CA6A0C}
PPC Engagement Letter Generator 2005 --> MsiExec.exe /X{CDFB971D-7683-456D-A265-9BC253224565}
PPC SMART e-Practice Aids - Risk Assessment --> MsiExec.exe /X{D7B5C4D4-4509-4FF3-AD5E-FD2887B65575}
PPC SMART e-Practice Aids - Risk Assessment Content --> MsiExec.exe /X{EB95404F-66DB-4039-9D74-444FB247F1A4}
PPCWebMultiSelect --> MsiExec.exe /I{F5F4F53C-51BF-46D4-B2B8-F2AF7C3CD7D4}
ProSystem fx Document Drive --> MsiExec.exe /X{C86609E6-D6BE-446D-A855-ECAB1B0CF034}
ProSystem fx Engagement --> MsiExec.exe /I{AABF6834-7396-45EA-B43F-F8E2B34E3757}
ProSystem fx Practice --> C:\Program Files\InstallShield Installation Information\{DAFAE47A-2598-4633-8696-17A053333B42}\setup.exe -runfromtemp -l0x0409
ProSystem fx Scan Workstation --> MsiExec.exe /I{C0E65B80-2148-47C8-A58D-E0085E252EA1}
ProSystem fx Tax --> C:\Program Files\Common Files\WFX32\FxRemove.exe /TAX
ProSystem fx Workstation --> C:\Program Files\Common Files\Wfx32\FXREMOVE.EXE /WSSETUP
QuickBooks Premier: Accountant Edition 2006 --> msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME="accountant" QBFULLNAME="QuickBooks Premier: Accountant Edition 2006" ADDREMOVE=1
QuickBooks Premier: Accountant Edition 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="accountant" QBFULLNAME="QuickBooks Premier: Accountant Edition 2007" ADDREMOVE=1
QuickBooks Premier: Accountant Edition 2008 --> msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME="accountant" QBFULLNAME="QuickBooks Premier: Accountant Edition 2008" ADDREMOVE=1
QuickBooks Pro 2005 --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2005" ADDREMOVE=1
QuickBooks Pro Edition 2004 --> C:\Program Files\Installshield Installation Information\{2b02f822-a9b9-458c-80e5-3ea8c0de8471}\QBReplace.exe {2b02f822-a9b9-458c-80e5-3ea8c0de8471}#{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
Quicken 2008 --> MsiExec.exe /X{3B0F52AC-EF5C-4831-B221-06C782E41280}
Sage Software Integration Services --> C:\Program Files\Sage Software\Integration Services\uninst.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Service Pack 2 for SQL Server Analysis Services 2005 ENU (KB921896) --> C:\WINDOWS\OLAP9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Database Services 2005 ENU (KB921896) --> C:\WINDOWS\SQL9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Integration Services 2005 ENU (KB921896) --> C:\WINDOWS\DTS9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Reporting Services 2005 ENU (KB921896) --> C:\WINDOWS\RS9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Tools and Workstation Components 2005 ENU (KB921896) --> C:\WINDOWS\SQLTools9_KB921896_ENU\Hotfix.exe /Uninstall
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQLXML4 --> MsiExec.exe /I{36DD7006-7BFE-4E3D-AF6E-FA734BC879B7}
Symantec AntiVirus --> MsiExec.exe /I{50E125D1-88E5-48CE-80AE-98EC9698E639}
System Files --> MsiExec.exe /X{94CDD59F-8E30-4B37-BFD1-5B3CD9538B83}
User Profile Hive Cleanup Service --> MsiExec.exe /I{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Server 2003 Service Pack 2 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows Support Tools --> MsiExec.exe /I{F07F0BCD-5C6D-4499-9F05-6ED747078A72}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type8285 / Error
Event Submitted/Written: 06/21/2008 09:57:28 PM
Event ID/Source: 4136 / Ci
Event Description:
CiDaemon failed to logon bepcocpa\prosystem because of error 1326.

Event Record #/Type8284 / Error
Event Submitted/Written: 06/21/2008 09:57:28 PM
Event ID/Source: 4136 / Ci
Event Description:
CiDaemon failed to logon bepcocpa\prosystem because of error 1326.

Event Record #/Type8281 / Error
Event Submitted/Written: 06/21/2008 09:57:28 PM
Event ID/Source: 4136 / Ci
Event Description:
Indexing Service failed to logon bepcocpa\prosystem because of error 1326.

Event Record #/Type8280 / Error
Event Submitted/Written: 06/21/2008 09:57:28 PM
Event ID/Source: 4136 / Ci
Event Description:
Indexing Service failed to logon bepcocpa\prosystem because of error 1326.

Event Record #/Type8276 / Error
Event Submitted/Written: 06/21/2008 09:51:07 PM
Event ID/Source: 107 / Report Server Windows Service (PROFXDOCUMENT)
Event Description:
Report Server Windows Service (PROFXDOCUMENT) cannot connect to the report server database.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14961 / Warning
Event Submitted/Written: 06/21/2008 09:51:20 PM
Event ID/Source: 1123 / Server Agents
Event Description:
System Information Agent: Health: Post Errors were
detected. One or more Power-On-Self-Test errors were detected during
server startup.

[SNMP TRAP: 6027 in CPQHLTH.MIB]

Event Record #/Type14935 / Warning
Event Submitted/Written: 06/21/2008 09:40:43 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft XPS Document Writer (from ANTHONYMOBILE) in session 1 was deleted.

Event Record #/Type14934 / Warning
Event Submitted/Written: 06/21/2008 09:40:43 PM
Event ID/Source: 4 / Print
Event Description:
Printer Microsoft XPS Document Writer (from ANTHONYMOBILE) in session 1 is pending deletion.

Event Record #/Type14933 / Warning
Event Submitted/Written: 06/21/2008 09:40:43 PM
Event ID/Source: 8 / Print
Event Description:
Printer Microsoft XPS Document Writer (from ANTHONYMOBILE) in session 1 was purged.

Event Record #/Type14932 / Warning
Event Submitted/Written: 06/21/2008 09:40:43 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Live Meeting Document Writer (from ANTHONYMOBILE) in session 1 was deleted.



-- End of Deckard's System Scanner: finished at 2008-06-21 22:02:40 ------------


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 AM

Posted 15 July 2008 - 02:50 PM

Hello, Anthony R..
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please include the following:
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 AM

Posted 18 July 2008 - 08:18 AM

Hello, Anthony R..
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



