Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Needed Removing Vondu Variant


  • This topic is locked This topic is locked
13 replies to this topic

#1 sgpilgrim08

sgpilgrim08

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 03 August 2008 - 11:51 AM

Hi guys,

hope you could help me.
i was originally infected by XP antivirus 2008 and was able to remove it via Vondufix but i noticed after it restarted, i still have an infection because i performed a full scan and it still detected some trojans; namely vondu :)

i searched for solutions in google and came across this forum and i've read a few discussions where some was freed from the trojan and i found hope! :thumbsup:

i tried using vondufix, VirtumundoBeGone and superantispyware to remove the vondu variant (MS Juan and some other variant names i can't clearly remember) but i still have the trojan in my machine.

I'm attaching here the logs:
(1)

Deckard's System Scanner v20071014.68
Run by jquizon on 2008-08-04 00:19:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jquizon.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:24:00 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\My Files\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jquizon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://CFSTODAY
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {b9c42202-6a8b-5418-fd64-3d68418f0bc7} - {7cb0f814-86d3-46df-8145-b8a620224c9b} - C:\WINDOWS\system32\gmhyjj.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [UniGateway] msiexec.exe /qn /X{4E2EA248-BDE8-4DE7-B51D-D46A2B7581F2}
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [StartMS] C:\Program Files\Creative\Shared Files\Media Sniffer\Startms.exe /s
O4 - HKCU\..\RunOnce: [Inetreg] "C:\Program Files\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-21-3061726268-1491933618-2623018998-12324\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://CFSTODAY
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2886DF1C-0350-4B6A-84ED-E550E37A2D6E} (AExeoInstall Control) - file://\\jrc1msfs01\emphasis\Install\WebDeploy\BDE_Selector\bin\AExeoInstallProj.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn-eu.citco.com/dana-cached/setup/...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.ent.citco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.ent.citco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.ent.citco.com
O20 - AppInit_DLLs: karina.dat gmhyjj.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11246 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; Application Driver>
R0 SafeBoot - c:\windows\system32\drivers\safeboot.sys
R0 SBAlg - c:\windows\system32\drivers\sbalg.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SBAlg01 - c:\windows\system32\drivers\sbalg01.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SBAlg12 - c:\windows\system32\drivers\sbalg12.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SbEncVol - c:\windows\system32\drivers\sbencvol.sys <Not Verified; Control Break International; SafeBoot VDisk>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 RsvLock - c:\windows\system32\drivers\rsvlock.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SBFlop - c:\windows\system32\drivers\sbflop.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SbPrcCtl - c:\windows\system32\drivers\sbprcctl.sys <Not Verified; Control Break International; SafeBoot Security System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 DXEC01 - c:\windows\system32\drivers\dxec01.sys <Not Verified; Knowles Acoustics; DXEC.01 Speech Enhancement>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 iGateway (iTechnology iGateway 4.0) - "c:\program files\ca\sharedcomponents\itechnology\igateway.exe" <Not Verified; Computer Associates International, Inc.; iTechnology iGateway>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 SafeBootConfigurationManager (SafeBoot Configuration Manager) - c:\program files\safeboot\sbmgrnt.exe <Not Verified; Control Break International; SafeBoot Security System>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 tcsd_win32.exe (NTRU TSS v1.2.1.12 TCS) - "c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
S3 MySQL51 - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql51 (file missing)
S3 SecureStorageService - "c:\program files\wave systems corp\secure storage manager\securestorageservice.exe" <Not Verified; Wave Systems Corp.; Secure Storage Manager>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 00:20:54 0 d-------- C:\Program Files\Trend Micro
2008-08-02 12:40:04 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 12:22:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 21:32:58 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll
2008-08-01 21:32:53 129920 --a------ C:\WINDOWS\system32\jalscwei.dll
2008-08-01 21:32:43 99200 --a------ C:\WINDOWS\system32\kxenhomj.dll
2008-08-01 21:25:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 21:24:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 21:24:44 0 d-------- C:\Documents and Settings\jquizon\Application Data\SUPERAntiSpyware.com
2008-08-01 20:36:31 0 d-------- C:\VundoFix Backups
2008-07-31 06:31:09 0 d-------- C:\Documents and Settings\jquizon\Application Data\Malwarebytes
2008-07-31 06:30:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 06:30:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 23:44:33 0 d-------- C:\Quarantine


-- Find3M Report ---------------------------------------------------------------

2008-08-03 22:49:00 0 d-------- C:\Documents and Settings\jquizon\Application Data\Wave Systems Corp
2008-08-02 12:40:04 0 d-------- C:\Program Files\Common Files
2008-08-01 21:24:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-30 23:47:43 3535151 --a------ C:\WINDOWS\system32\Xpportlog-standard
2008-07-30 23:36:51 3408061 --a------ C:\WINDOWS\system32\XPPortlog
2008-05-07 09:16:25 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7cb0f814-86d3-46df-8145-b8a620224c9b}]
08/01/2008 09:32 PM 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [01/25/2007 02:34 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05/18/2007 11:45 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05/18/2007 11:45 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05/18/2007 11:45 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [05/14/2007 02:23 PM]
"SigmatelSysTrayApp"="stsystra.exe" [02/18/2007 11:26 PM C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [01/30/2007 03:32 PM]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [01/22/2007 11:53 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [07/25/2007 04:32 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [07/25/2007 04:30 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 09:00 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 05:23 PM]
"SBEVMON.EXE"="C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.exe" [10/30/2007 01:46 PM]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [10/30/2007 01:46 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [10/25/2007 03:06 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [05/12/2008 03:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 12:09 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"StartMS"=C:\Program Files\Creative\Shared Files\Media Sniffer\Startms.exe /s
"Inetreg"="C:\Program Files\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"UniGateway"=msiexec.exe /qn /X{4E2EA248-BDE8-4DE7-B51D-D46A2B7581F2}

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [1/11/2007 8:43:46 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/23/2007 2:53:16 AM]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [10/26/2007 3:29:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"dontdisplaylockeduserid"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRunOnce"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"DisableCurrentUserRunOnce"=1 (0x1)
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=karina.dat gmhyjj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\nnnmkIXR

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ADD-DomainAdmins.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\0\0]
"Script"=Mcafee_CMA_deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-08-04 00:25:22 ------------

(2)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
CPU 1: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 1014.04 MiB / 434.75 MiB
Pagefile Memory (total/avail): 2440.85 MiB / 1828.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1908.38 MiB

C: is Fixed (NTFS) - 74.47 GiB total, 46.13 GiB free.
D: is CDROM (No Media)
P: is Network (*NT5CSC)
R: is Network (Unformatted)
S: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - Hitachi HTS541680J9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: VirusScan Enterprise + AntiSpyware Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"="C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe:*:Enabled:igateway"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\jquizon\\Local Settings\\Temp\\OraInstall2007-12-24_10-46-26AM\\jre\\1.4.2\\bin\\javaw.exe"="C:\\Documents and Settings\\jquizon\\Local Settings\\Temp\\OraInstall2007-12-24_10-46-26AM\\jre\\1.4.2\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\eclipse\\eclipse.exe"="C:\\eclipse\\eclipse.exe:*:Disabled:eclipse"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Disabled:File Transfer Program"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\j2sdk1.4.2_16\\bin\\javaw.exe"="C:\\j2sdk1.4.2_16\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\AExeo\\AExeo 3.6\\SecurityExplorer360p7.exe"="C:\\Program Files\\AExeo\\AExeo 3.6\\SecurityExplorer360p7.exe:*:Disabled:Æxeo Security Explorer"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=C:\apache-ant-1.7.0
APPDATA=C:\Documents and Settings\jquizon\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLASSPATH=.;C:\CVS_PROJECTS\build\third_party\libext;C:\tomcat\server\lib;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SNG2NB005
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jquizon
HOMESHARE=\\sng3msfs01ab\Home$
IGW_LOC=C:\Program Files\CA\SharedComponents\iTechnology\
INCLUDE=C:\Program Files\AExeo\sybase\OCS-12_0\include
JAVA_HOME=C:\j2sdk1.4.2_16
LIB=C:\Program Files\AExeo\sybase\OCS-12_0\lib
LOGONSERVER=\\ADDCVM01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Perl\site\bin;C:\Perl\bin;C:\oracle\product\10.2.0\client_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\AExeo\sybase\OCS-12_0\dll;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;c:\cygwin\bin;C:\Perl\site\bin;C:\Perl\bin;C:\oracle\product\10.2.0\client_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\AExeo\sybase\OCS-12_0\dll;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;C:\apache-ant-1.7.0\bin;C:\j2sdk1.4.2_16\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SYBASE=C:\Program Files\AExeo\sybase
SYBASE_OCS=OCS-12_0
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jquizon\LOCALS~1\Temp
TMP=C:\DOCUME~1\jquizon\LOCALS~1\Temp
USERDNSDOMAIN=AD.ENT.CITCO.COM
USERDOMAIN=AD
USERNAME=jquizon
USERPROFILE=C:\Documents and Settings\jquizon
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

aktan (new local, admin, net ready)
jquizon (admin)
jwalker (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B095CD4-555F-4F70-9B90-B1DB84D810ED}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B095CD4-555F-4F70-9B90-B1DB84D810ED}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA32BDBB-A91E-47AB-97F1-4C7007F4953C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA32BDBB-A91E-47AB-97F1-4C7007F4953C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Advanced Query Tool V7.1.7 --> MsiExec.exe /I{3EC9396C-44A3-496F-A60E-88337A97A0C7}
AExeo 3.3 --> MsiExec.exe /X{F141577E-5711-44CD-9ACB-F48EA73D98CD}
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadcom ASF Management Applications --> MsiExec.exe /I{27E25625-DB51-42E6-BEB7-0C8DC878770C}
Broadcom Management Programs --> MsiExec.exe /X{C99C0593-3B48-41D9-B42F-6E035B320449}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
CA iTechnology iGateway --> MsiExec.exe /X{4E2EA248-BDE8-4DE7-B51D-D46A2B7581F2}
Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen MicroPhoto --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1AEC8F41-4701-415D-9782-F69CFB535463}\SETUP.EXE" -l0x9 /remove
CVSNT --> "C:\Program Files\cvsnt\unins000.exe"
DameWare Mini Remote Control --> MsiExec.exe /I{CD63D4CC-5592-4CFE-BD1A-622B81280F27}
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Touchpad --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
EMBASSY Security Center --> C:\Program Files\InstallShield Installation Information\{EEAFE1E5-076B-430A-96D9-B567792AFA88}\setup.exe -runfromtemp -l0x0409
EMBASSY Security Setup --> C:\Program Files\InstallShield Installation Information\{53333479-6A52-4816-8497-5C52B67ED339}\setup.exe -runfromtemp -l0x0409
EMBASSY Trust Suite by Wave Systems --> C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe -runfromtemp -l0x0009 -removeonly
ESC Home Page Plugin --> C:\Program Files\InstallShield Installation Information\{E738A392-F690-4A9D-808E-7BAF80E0B398}\setup.exe -runfromtemp -l0x0409
ETS Upgrade --> C:\Program Files\InstallShield Installation Information\{72FECEA1-E87F-4192-89FA-D0FBF92885BB}\setup.exe -runfromtemp -l0x0409
ExamDiff 1.7 --> "C:\Program Files\ExamDiff\unins000.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IntelliSonic Speech Enhancement --> MsiExec.exe /X{D9FCA292-1186-421F-8D93-9A5D272AD5D0}
J2SE Development Kit 5.0 Update 13 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150130}
J2SE Runtime Environment 5.0 Update 13 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150130}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_16 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142160}
Java 2 SDK, SE v1.4.2_16 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142160}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Juniper Networks Host Checker --> "C:\Documents and Settings\jquizon\Application Data\Juniper Networks\Host Checker\uninstall.exe"
Juniper Networks Network Connect 5.5.0 --> "C:\Program Files\Juniper Networks\Network Connect 5.5.0\uninstall.exe"
Juniper Networks Network Connect 6.0.0 --> "C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee AntiSpyware Enterprise Module --> "C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\enuwpie.inf,WebPostUninstall
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Diagnostic Tool --> MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
MySQL Server 5.0 --> MsiExec.exe /I{608FFCC7-7237-47BB-ABD5-8341754A3BBA}
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NTRU TCG Software Stack --> MsiExec.exe /I{A618BB0D-8B88-45FF-83CD-783B4AE59AA0}
O2Micro USB Smart Card Reader --> MsiExec.exe /I{9556CFD4-3F7E-4D1C-958B-759703E9CC21}
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Preboot Manager --> MsiExec.exe /I{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}
PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
Private Information Manager --> C:\Program Files\InstallShield Installation Information\{0B0A2153-58A6-4244-B458-25EDF5FCD809}\setup.exe -runfromtemp -l0x0409
Python 2.5.1 --> MsiExec.exe /I{31800004-6386-4999-A519-518F2D78D8F0}
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Secure Update --> C:\Program Files\InstallShield Installation Information\{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}\setup.exe -runfromtemp -l0x0409
Security Wizards --> C:\Program Files\InstallShield Installation Information\{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}\setup.exe -runfromtemp -l0x0409
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SnagIt 7 --> MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
TightVNC 1.3.9 --> "C:\Program Files\TightVNC\unins000.exe"
TortoiseCVS --> MsiExec.exe /I{E8F7BA57-94C7-4007-B00E-B4600F96FF31}
tsp patch --> MsiExec.exe /I{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}
upekmsi --> MsiExec.exe /I{FBEC50B7-537C-4A0E-8B0B-F7A8F8BF13CE}
ViceVersa FREE 1.0.3 --> "C:\Program Files\ViceVersa FREE\unins000.exe"
Wave Infrastructure Installer --> MsiExec.exe /I{D31F958E-7353-4DEB-83E8-35B02F2EE20A}
Wave Support Software --> C:\Program Files\InstallShield Installation Information\{07D618CD-B016-438A-ADC9-A75BD23F85CE}\setup.exe -runfromtemp -l0x0409
WinCvs 2.0 --> "C:\Program Files\GNU\WinCvs 2.0\unins000.exe"
Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pbadrv_40CD90DE1AD5BDAF5E2676750520DB94FDE3886E\pbadrv.inf
Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\oz776_ECA62BF451D0A6F7B3E38E62F6FA5166CAF54FCE\oz776.inf
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.5 --> "C:\Program Files\WinSCP\unins000.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3186 / Error
Event Submitted/Written: 08/03/2008 10:48:10 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type3184 / Error
Event Submitted/Written: 08/03/2008 10:47:23 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script SafebootDetection.vbs. The system cannot find the file specified.
.

Event Record #/Type3183 / Error
Event Submitted/Written: 08/03/2008 10:47:23 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script CA-servicesStartup.bat. The system cannot find the file specified.
.

Event Record #/Type3182 / Error
Event Submitted/Written: 08/03/2008 10:47:23 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script SDO_install_script.vbs. The system cannot find the file specified.
.

Event Record #/Type3181 / Error
Event Submitted/Written: 08/03/2008 10:47:23 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script Mcafee_CMA_deployment.vbs. The system cannot find the file specified.
.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8969 / Error
Event Submitted/Written: 08/03/2008 11:34:54 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.

Event Record #/Type8968 / Warning
Event Submitted/Written: 08/03/2008 11:34:54 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 60 minutes.

Event Record #/Type8967 / Warning
Event Submitted/Written: 08/03/2008 11:05:38 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {4B57F119-EE85-45A3-8C05-A1E93B13EC67}

Host Name : SNG2NB005

Primary Domain Suffix : ad.ent.citco.com

DNS server list :

202.156.1.58, 218.186.1.38, 202.156.1.38

Sent update to server : <?>

IP Address(es) :

192.168.1.100


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (:) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type8966 / Error
Event Submitted/Written: 08/03/2008 11:04:54 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type8965 / Warning
Event Submitted/Written: 08/03/2008 11:04:54 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.



-- End of Deckard's System Scanner: finished at 2008-08-04 00:25:22 ------------


Thanks a lot!
sgpilgrim08

BC AdBot (Login to Remove)

 


#2 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 07 August 2008 - 03:36 AM

Here is a copy of the Kaspersky online scanner report
(3)
==KASPERSKY ONLINE SCANNER 7 REPORT==
Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 09:57:38
Records in database: 1052395
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
P:\
R:\
S:\
Scan statistics
Files scanned 182714
Threat name 9
Infected objects 72
Suspicious objects 0
Duration of the scan 03:12:09

File name Threat name Threats count
C:\WINDOWS\system32\gmhyjj.dll/C:\WINDOWS\system32\gmhyjj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 54
C:\WINDOWS\System32\gmhyjj.dll/C:\WINDOWS\System32\gmhyjj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 5
C:\Deckard\System Scanner\backup\DOCUME~1\jquizon\LOCALS~1\Temp\.tt80.tmp Infected: not-a-virus:FraudTool.Win32.XPAntivirus.nf 1
C:\Deckard\System Scanner\backup\DOCUME~1\jquizon\LOCALS~1\Temp\DRDld\5.1.0.272f-5.1.0.272-sdregnow.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
C:\Deckard\System Scanner\backup\DOCUME~1\jquizon\LOCALS~1\Temp\sfsrv.exe.txt Infected: Trojan.Win32.Pakes.jyl 1
C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\JN7DH3KQ\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.jke 1
C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\JN7DH3KQ\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.jkd 1
C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\O7896TC9\15[1].exe Infected: Trojan-Downloader.Win32.Small.zjg 1
C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\O7896TC9\install[1].exe Infected: Trojan.Win32.Pakes.jyl 1
C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\O7896TC9\kb456456[1] Infected: Trojan.Win32.Monder.bwu 1
C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\RBY5G3NN\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1
C:\Documents and Settings\jquizon\My Documents\Software Utilities\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\WINDOWS\system32\gmhyjj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1
C:\WINDOWS\system32\jalscwei.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1
C:\WINDOWS\system32\kxenhomj.dll Infected: Trojan.Win32.Monder.bwu 1
The selected area was scanned.

I really hope someone can help me with this.

Thanks

#3 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:12:37 AM

Posted 11 August 2008 - 01:31 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already preformed the steps above We still need to see the current state of the machine fresh scan and logs are still necessary

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE
Posted Image

#4 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 11 August 2008 - 10:00 AM

Hi Snowhite,

Thank you for answering my post.

I still have not been able to solve my problem. Hope that you can guide me thru to a clean pc :thumbsup:

Here is the DSS logs:
(1) Main.txt

Deckard's System Scanner v20071014.68
Run by jquizon on 2008-08-11 22:47:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Performed disk cleanup.



-- HijackThis (run as jquizon.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:30 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
c:\my files\downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jquizon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://CFSTODAY
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {b9c42202-6a8b-5418-fd64-3d68418f0bc7} - {7cb0f814-86d3-46df-8145-b8a620224c9b} - C:\WINDOWS\system32\gmhyjj.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [UniGateway] msiexec.exe /qn /X{4E2EA248-BDE8-4DE7-B51D-D46A2B7581F2}
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [StartMS] C:\Program Files\Creative\Shared Files\Media Sniffer\Startms.exe /s
O4 - HKCU\..\RunOnce: [Inetreg] "C:\Program Files\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://CFSTODAY
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2886DF1C-0350-4B6A-84ED-E550E37A2D6E} (AExeoInstall Control) - file://\\jrc1msfs01\emphasis\Install\WebDeploy\BDE_Selector\bin\AExeoInstallProj.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn-eu.citco.com/dana-cached/setup/...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.ent.citco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.ent.citco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.ent.citco.com
O20 - AppInit_DLLs: karina.dat gmhyjj.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11243 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; Application Driver>
R0 SafeBoot - c:\windows\system32\drivers\safeboot.sys
R0 SBAlg - c:\windows\system32\drivers\sbalg.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SBAlg01 - c:\windows\system32\drivers\sbalg01.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SBAlg12 - c:\windows\system32\drivers\sbalg12.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SbEncVol - c:\windows\system32\drivers\sbencvol.sys <Not Verified; Control Break International; SafeBoot VDisk>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 RsvLock - c:\windows\system32\drivers\rsvlock.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SBFlop - c:\windows\system32\drivers\sbflop.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SbPrcCtl - c:\windows\system32\drivers\sbprcctl.sys <Not Verified; Control Break International; SafeBoot Security System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 DXEC01 - c:\windows\system32\drivers\dxec01.sys <Not Verified; Knowles Acoustics; DXEC.01 Speech Enhancement>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 iGateway (iTechnology iGateway 4.0) - "c:\program files\ca\sharedcomponents\itechnology\igateway.exe" <Not Verified; Computer Associates International, Inc.; iTechnology iGateway>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 SafeBootConfigurationManager (SafeBoot Configuration Manager) - c:\program files\safeboot\sbmgrnt.exe <Not Verified; Control Break International; SafeBoot Security System>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 tcsd_win32.exe (NTRU TSS v1.2.1.12 TCS) - "c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
S3 MySQL51 - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql51 (file missing)
S3 SecureStorageService - "c:\program files\wave systems corp\secure storage manager\securestorageservice.exe" <Not Verified; Wave Systems Corp.; Secure Storage Manager>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 768)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 1024)
2008-08-01 21:32:57 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll

C:\WINDOWS\system32\svchost.exe (pid 1140)
2008-08-01 21:32:57 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll
2007-01-31 20:15:20 212992 --a------ C:\WINDOWS\system32\biolsp.dll <Not Verified; Wave Systems Corp.; Authentication Manager>
2005-08-29 20:47:36 344064 --a------ C:\oracle\product\10.2.0\client_1\BIN\oci.dll <Not Verified; Oracle Corporation; >

C:\WINDOWS\system32\svchost.exe (pid 704)
2008-08-01 21:32:57 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll
2006-05-12 06:15:50 52736 --a------ C:\WINDOWS\system32\HPZIPM12.DLL <Not Verified; Hewlett-Packard; Bidi User Mode>

C:\WINDOWS\system32\svchost.exe (pid 1692)
2008-08-01 21:32:57 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll

C:\WINDOWS\explorer.exe (pid 2628)
2007-03-15 21:50:36 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll <Not Verified; www.tortoisecvs.org; TortoiseCVS TortoiseShell>
2007-10-25 15:06:00 106496 --a------ C:\Program Files\McAfee\Common Framework\JrMac.dll <Not Verified; McAfee, Inc.; McAfee Common Framework>
2007-01-31 20:15:20 212992 --a------ C:\WINDOWS\system32\biolsp.dll <Not Verified; Wave Systems Corp.; Authentication Manager>
2007-05-14 14:24:00 98304 --a------ C:\Program Files\Dell\QuickSet\dadkeyb.dll
2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2008-08-01 21:32:57 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll
2000-04-19 14:00:00 24644 --a------ C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
2005-09-23 07:28:38 83456 --a------ C:\WINDOWS\system32\dfshim.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:52 270848 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:56 107520 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\shfusion.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:50 9216 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:58 17920 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Culture.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:29:00 85504 --a------ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>

C:\WINDOWS\system32\svchost.exe (pid 3892)
2008-08-01 21:32:57 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll


-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-04 00:20:54 0 d-------- C:\Program Files\Trend Micro
2008-08-02 12:40:04 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 12:22:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 21:32:58 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll
2008-08-01 21:32:53 129920 --a------ C:\WINDOWS\system32\jalscwei.dll
2008-08-01 21:32:43 99200 --a------ C:\WINDOWS\system32\kxenhomj.dll
2008-08-01 21:25:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 21:24:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 21:24:44 0 d-------- C:\Documents and Settings\jquizon\Application Data\SUPERAntiSpyware.com
2008-08-01 20:36:31 0 d-------- C:\VundoFix Backups
2008-07-31 06:31:09 0 d-------- C:\Documents and Settings\jquizon\Application Data\Malwarebytes
2008-07-31 06:30:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 06:30:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 23:44:33 0 d-------- C:\Quarantine


-- Find3M Report ---------------------------------------------------------------

2008-08-11 22:40:32 0 d-------- C:\Documents and Settings\jquizon\Application Data\Wave Systems Corp
2008-08-02 12:40:04 0 d-------- C:\Program Files\Common Files
2008-08-01 21:24:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-30 23:47:43 3535151 --a------ C:\WINDOWS\system32\Xpportlog-standard
2008-07-30 23:36:51 3408061 --a------ C:\WINDOWS\system32\XPPortlog


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7cb0f814-86d3-46df-8145-b8a620224c9b}]
08/01/2008 09:32 PM 129920 --a------ C:\WINDOWS\system32\gmhyjj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [01/25/2007 02:34 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05/18/2007 11:45 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05/18/2007 11:45 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05/18/2007 11:45 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [05/14/2007 02:23 PM]
"SigmatelSysTrayApp"="stsystra.exe" [02/18/2007 11:26 PM C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [01/30/2007 03:32 PM]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [01/22/2007 11:53 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [07/25/2007 04:32 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [07/25/2007 04:30 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 09:00 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 05:23 PM]
"SBEVMON.EXE"="C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.exe" [10/30/2007 01:46 PM]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [10/30/2007 01:46 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [10/25/2007 03:06 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [05/12/2008 03:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 12:09 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"StartMS"=C:\Program Files\Creative\Shared Files\Media Sniffer\Startms.exe /s
"Inetreg"="C:\Program Files\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"UniGateway"=msiexec.exe /qn /X{4E2EA248-BDE8-4DE7-B51D-D46A2B7581F2}

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [1/11/2007 8:43:46 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/23/2007 2:53:16 AM]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [10/26/2007 3:29:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"dontdisplaylockeduserid"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRunOnce"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"DisableCurrentUserRunOnce"=1 (0x1)
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=karina.dat gmhyjj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\nnnmkIXR

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ADD-DomainAdmins.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\0\0]
"Script"=Mcafee_CMA_deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-08-11 22:50:33 ------------

(2) and here is the Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
CPU 1: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1014.04 MiB / 377.95 MiB
Pagefile Memory (total/avail): 2440.85 MiB / 1782.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1910.29 MiB

C: is Fixed (NTFS) - 74.47 GiB total, 46.06 GiB free.
D: is CDROM (No Media)
P: is Network (*NT5CSC)
R: is Network (Unformatted)
S: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - Hitachi HTS541680J9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: VirusScan Enterprise + AntiSpyware Enterprise v8.5.0.781 (McAfee, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"="C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe:*:Enabled:igateway"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\jquizon\\Local Settings\\Temp\\OraInstall2007-12-24_10-46-26AM\\jre\\1.4.2\\bin\\javaw.exe"="C:\\Documents and Settings\\jquizon\\Local Settings\\Temp\\OraInstall2007-12-24_10-46-26AM\\jre\\1.4.2\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\eclipse\\eclipse.exe"="C:\\eclipse\\eclipse.exe:*:Disabled:eclipse"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Disabled:File Transfer Program"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\j2sdk1.4.2_16\\bin\\javaw.exe"="C:\\j2sdk1.4.2_16\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\AExeo\\AExeo 3.6\\SecurityExplorer360p7.exe"="C:\\Program Files\\AExeo\\AExeo 3.6\\SecurityExplorer360p7.exe:*:Disabled:Æxeo Security Explorer"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=C:\apache-ant-1.7.0
APPDATA=C:\Documents and Settings\jquizon\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLASSPATH=.;C:\CVS_PROJECTS\build\third_party\libext;C:\tomcat\server\lib;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SNG2NB005
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jquizon
HOMESHARE=\\sng3msfs01ab\Home$
IGW_LOC=C:\Program Files\CA\SharedComponents\iTechnology\
INCLUDE=C:\Program Files\AExeo\sybase\OCS-12_0\include
JAVA_HOME=C:\j2sdk1.4.2_16
LIB=C:\Program Files\AExeo\sybase\OCS-12_0\lib
LOGONSERVER=\\ADDCVM01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Perl\site\bin;C:\Perl\bin;C:\oracle\product\10.2.0\client_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\AExeo\sybase\OCS-12_0\dll;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;c:\cygwin\bin;C:\Perl\site\bin;C:\Perl\bin;C:\oracle\product\10.2.0\client_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\AExeo\sybase\OCS-12_0\dll;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;C:\apache-ant-1.7.0\bin;C:\j2sdk1.4.2_16\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SYBASE=C:\Program Files\AExeo\sybase
SYBASE_OCS=OCS-12_0
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jquizon\LOCALS~1\Temp
TMP=C:\DOCUME~1\jquizon\LOCALS~1\Temp
USERDNSDOMAIN=AD.ENT.CITCO.COM
USERDOMAIN=AD
USERNAME=jquizon
USERPROFILE=C:\Documents and Settings\jquizon
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

aktan (new local, admin, net ready)
jquizon (admin)
jwalker (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B095CD4-555F-4F70-9B90-B1DB84D810ED}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B095CD4-555F-4F70-9B90-B1DB84D810ED}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA32BDBB-A91E-47AB-97F1-4C7007F4953C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA32BDBB-A91E-47AB-97F1-4C7007F4953C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Advanced Query Tool V7.1.7 --> MsiExec.exe /I{3EC9396C-44A3-496F-A60E-88337A97A0C7}
AExeo 3.3 --> MsiExec.exe /X{F141577E-5711-44CD-9ACB-F48EA73D98CD}
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadcom ASF Management Applications --> MsiExec.exe /I{27E25625-DB51-42E6-BEB7-0C8DC878770C}
Broadcom Management Programs --> MsiExec.exe /X{C99C0593-3B48-41D9-B42F-6E035B320449}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
CA iTechnology iGateway --> MsiExec.exe /X{4E2EA248-BDE8-4DE7-B51D-D46A2B7581F2}
Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen MicroPhoto --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1AEC8F41-4701-415D-9782-F69CFB535463}\SETUP.EXE" -l0x9 /remove
CVSNT --> "C:\Program Files\cvsnt\unins000.exe"
DameWare Mini Remote Control --> MsiExec.exe /I{CD63D4CC-5592-4CFE-BD1A-622B81280F27}
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Touchpad --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
EMBASSY Security Center --> C:\Program Files\InstallShield Installation Information\{EEAFE1E5-076B-430A-96D9-B567792AFA88}\setup.exe -runfromtemp -l0x0409
EMBASSY Security Setup --> C:\Program Files\InstallShield Installation Information\{53333479-6A52-4816-8497-5C52B67ED339}\setup.exe -runfromtemp -l0x0409
EMBASSY Trust Suite by Wave Systems --> C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe -runfromtemp -l0x0009 -removeonly
ESC Home Page Plugin --> C:\Program Files\InstallShield Installation Information\{E738A392-F690-4A9D-808E-7BAF80E0B398}\setup.exe -runfromtemp -l0x0409
ETS Upgrade --> C:\Program Files\InstallShield Installation Information\{72FECEA1-E87F-4192-89FA-D0FBF92885BB}\setup.exe -runfromtemp -l0x0409
ExamDiff 1.7 --> "C:\Program Files\ExamDiff\unins000.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IntelliSonic Speech Enhancement --> MsiExec.exe /X{D9FCA292-1186-421F-8D93-9A5D272AD5D0}
J2SE Development Kit 5.0 Update 13 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150130}
J2SE Runtime Environment 5.0 Update 13 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150130}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_16 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142160}
Java 2 SDK, SE v1.4.2_16 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142160}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Juniper Networks Host Checker --> "C:\Documents and Settings\jquizon\Application Data\Juniper Networks\Host Checker\uninstall.exe"
Juniper Networks Network Connect 5.5.0 --> "C:\Program Files\Juniper Networks\Network Connect 5.5.0\uninstall.exe"
Juniper Networks Network Connect 6.0.0 --> "C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee AntiSpyware Enterprise Module --> "C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\enuwpie.inf,WebPostUninstall
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Diagnostic Tool --> MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
MySQL Server 5.0 --> MsiExec.exe /I{608FFCC7-7237-47BB-ABD5-8341754A3BBA}
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NTRU TCG Software Stack --> MsiExec.exe /I{A618BB0D-8B88-45FF-83CD-783B4AE59AA0}
O2Micro USB Smart Card Reader --> MsiExec.exe /I{9556CFD4-3F7E-4D1C-958B-759703E9CC21}
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Preboot Manager --> MsiExec.exe /I{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}
PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
Private Information Manager --> C:\Program Files\InstallShield Installation Information\{0B0A2153-58A6-4244-B458-25EDF5FCD809}\setup.exe -runfromtemp -l0x0409
Python 2.5.1 --> MsiExec.exe /I{31800004-6386-4999-A519-518F2D78D8F0}
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Secure Update --> C:\Program Files\InstallShield Installation Information\{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}\setup.exe -runfromtemp -l0x0409
Security Wizards --> C:\Program Files\InstallShield Installation Information\{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}\setup.exe -runfromtemp -l0x0409
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SnagIt 7 --> MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
TightVNC 1.3.9 --> "C:\Program Files\TightVNC\unins000.exe"
TortoiseCVS --> MsiExec.exe /I{E8F7BA57-94C7-4007-B00E-B4600F96FF31}
tsp patch --> MsiExec.exe /I{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}
upekmsi --> MsiExec.exe /I{FBEC50B7-537C-4A0E-8B0B-F7A8F8BF13CE}
ViceVersa FREE 1.0.3 --> "C:\Program Files\ViceVersa FREE\unins000.exe"
Wave Infrastructure Installer --> MsiExec.exe /I{D31F958E-7353-4DEB-83E8-35B02F2EE20A}
Wave Support Software --> C:\Program Files\InstallShield Installation Information\{07D618CD-B016-438A-ADC9-A75BD23F85CE}\setup.exe -runfromtemp -l0x0409
WinCvs 2.0 --> "C:\Program Files\GNU\WinCvs 2.0\unins000.exe"
Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pbadrv_40CD90DE1AD5BDAF5E2676750520DB94FDE3886E\pbadrv.inf
Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\oz776_ECA62BF451D0A6F7B3E38E62F6FA5166CAF54FCE\oz776.inf
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.5 --> "C:\Program Files\WinSCP\unins000.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3255 / Error
Event Submitted/Written: 08/11/2008 10:47:52 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type3252 / Error
Event Submitted/Written: 08/11/2008 10:39:20 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type3251 / Error
Event Submitted/Written: 08/11/2008 10:39:07 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script SafebootDetection.vbs. The system cannot find the file specified.
.

Event Record #/Type3250 / Error
Event Submitted/Written: 08/11/2008 10:39:07 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script CA-servicesStartup.bat. The system cannot find the file specified.
.

Event Record #/Type3249 / Error
Event Submitted/Written: 08/11/2008 10:39:06 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script SDO_install_script.vbs. The system cannot find the file specified.
.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9155 / Error
Event Submitted/Written: 08/11/2008 10:40:55 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type9154 / Warning
Event Submitted/Written: 08/11/2008 10:40:55 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type9140 / Warning
Event Submitted/Written: 08/11/2008 10:38:36 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type9128 / Error
Event Submitted/Written: 08/11/2008 10:38:19 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain AD due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type9123 / Error
Event Submitted/Written: 08/05/2008 03:49:19 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-08-11 22:50:33 ------------


i'll post the Kaspersky log once its done.

Thanks a bunch,
sqpilgrim08

#5 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 11 August 2008 - 06:23 PM

(3) And here's the Kaspersky report

Tuesday, August 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 15:00:04
Records in database: 1082609


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
P:\
R:\
S:\

Scan statistics
Files scanned 183493
Threat name 9
Infected objects 76
Suspicious objects 0
Duration of the scan 03:23:47

File name Threat name Threats count
C:\WINDOWS\system32\gmhyjj.dll/C:\WINDOWS\system32\gmhyjj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 58

C:\WINDOWS\System32\gmhyjj.dll/C:\WINDOWS\System32\gmhyjj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 5

C:\Deckard\System Scanner\20080811224637\backup\DOCUME~1\jquizon\LOCALS~1\Temp\.tt80.tmp Infected: not-a-virus:FraudTool.Win32.XPAntivirus.nf 1

C:\Deckard\System Scanner\20080811224637\backup\DOCUME~1\jquizon\LOCALS~1\Temp\DRDld\5.1.0.272f-5.1.0.272-sdregnow.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1

C:\Deckard\System Scanner\20080811224637\backup\DOCUME~1\jquizon\LOCALS~1\Temp\sfsrv.exe.txt Infected: Trojan.Win32.Pakes.jyl 1

C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\JN7DH3KQ\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.jke 1

C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\JN7DH3KQ\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.jkd 1

C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\O7896TC9\15[1].exe Infected: Trojan-Downloader.Win32.Small.zjg 1

C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\O7896TC9\install[1].exe Infected: Trojan.Win32.Pakes.jyl 1

C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\O7896TC9\kb456456[1] Infected: Trojan.Win32.Monder.bwu 1

C:\Documents and Settings\jquizon\Local Settings\Temporary Internet Files\Content.IE5\RBY5G3NN\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\Documents and Settings\jquizon\My Documents\Software Utilities\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1

C:\WINDOWS\system32\gmhyjj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\WINDOWS\system32\jalscwei.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\WINDOWS\system32\kxenhomj.dll Infected: Trojan.Win32.Monder.bwu 1

The selected area was scanned.


Thanks,
sqpilgrim08

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:12:37 AM

Posted 14 August 2008 - 12:34 AM

Hello again sgpilgrim08 :thumbsup:

Lets proceed with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Regards
SNOWHITE
Posted Image

#7 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 15 August 2008 - 07:50 PM

(4) Here is the Combo Fix log


ComboFix 08-08-14.05 - Administrator 2008-08-16 8:29:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.428 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\eiujsdtv.ini
C:\WINDOWS\system32\gmhyjj.dll
C:\WINDOWS\system32\jalscwei.dll
C:\WINDOWS\system32\jmohnexk.ini
C:\WINDOWS\system32\kxenhomj.dll
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-16 08:03 . 2008-08-16 08:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Dell
2008-08-04 00:20 . 2008-08-04 00:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Deckard
2008-08-02 12:40 . 2008-08-02 12:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 12:22 . 2008-08-02 12:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 21:25 . 2008-08-01 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 21:24 . 2008-08-01 21:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 21:24 . 2008-08-01 21:24 <DIR> d-------- C:\Documents and Settings\jquizon\Application Data\SUPERAntiSpyware.com
2008-08-01 20:36 . 2008-08-01 20:36 <DIR> d-------- C:\VundoFix Backups
2008-07-31 06:31 . 2008-07-31 06:31 <DIR> d-------- C:\Documents and Settings\jquizon\Application Data\Malwarebytes
2008-07-31 06:30 . 2008-07-31 06:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 06:30 . 2008-07-31 06:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 06:30 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 06:30 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 23:44 . 2008-08-16 08:25 <DIR> d-------- C:\Quarantine
2008-07-30 23:44 . 2008-07-30 23:44 34,176 --a------ C:\WINDOWS\system32\iifgEttr.dll.vir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 00:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-08-15 23:58 --------- d-----w C:\Documents and Settings\jquizon\Application Data\Wave Systems Corp
2008-08-01 13:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 12:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 02:34 159744]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-18 11:45 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-18 11:45 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-18 11:45 138008]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 14:23 1191936]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 15:32 102400]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 11:53 212992]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 09:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784]
"SBEVMON.EXE"="C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-30 13:46 176128]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.EXE" [2007-10-30 13:46 49212]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 15:06 136512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-12 15:30 111952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-18 23:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-11 20:43:46 2150400]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-10-23 02:53:16 50688]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-10-26 15:29:40 12390]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"dontdisplaylockeduserid"= 3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karina.dat gmhyjj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ADD-DomainAdmins.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\0\0]
"Script"=Mcafee_CMA_deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2006-08-28 15:00]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-10-30 13:46]
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys [2007-10-30 13:46]
R0 SBAlg01;SBAlg01;C:\WINDOWS\system32\drivers\SBAlg01.sys [2007-10-30 13:46]
R0 SBAlg12;SBAlg12;C:\WINDOWS\system32\drivers\SBAlg12.sys [2007-10-30 13:46]
R0 SbEncVol;SbEncVol;C:\WINDOWS\system32\drivers\SbEncVol.sys [2007-10-30 13:46]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-10-30 13:46]
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys [2007-10-30 13:46]
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys [2007-10-30 13:46]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 14:21]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE [2007-10-30 13:46]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-08-24 04:21]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 12:32]
S3 MySQL51;MySQL51;C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=C:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL51 []
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-01-29 21:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{28030FA8-2428-4DE6-B0F3-CE9494E1A412} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hv3n8q5u.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 08:35:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL51"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2008-08-16 8:43:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-16 00:43:07

Pre-Run: 49,148,809,216 bytes free
Post-Run: 49,338,527,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

198


Thanks,
sgpilgrim08

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:12:37 AM

Posted 20 August 2008 - 03:50 AM

Hello again sgpilgrim08 and sorry for the delay,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\iifgEttr.dll.vir

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

    J2SE Runtime Environment 5.0 Update 13
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_16
    Java 2 SDK, SE v1.4.2_16
    Java™ 6 Update 3
    Java™ 6 Update 5



  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

In your next post please include the following reports:
- Combofix report
- F-Secure report
- New HijackThis report
Let me know of any remaining problems.
SNOWHITE
Posted Image

#9 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 21 August 2008 - 11:47 AM

Hi SNOWHITE,

Thanks for the reply.

Was worried though that i'd be hearing you much later.

Anyways, i was not able to run F-Secure because it's telling me that the downloaded database is corrupted. Tried it a couple of times but no luck.

(5) I'm attaching the ComboFix log for the meantime.

ComboFix 08-08-19.06 - Administrator 2008-08-21 23:24:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\iifgEttr.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\iifgEttr.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-16 08:03 . 2008-08-16 08:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Dell
2008-08-04 00:20 . 2008-08-04 00:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Deckard
2008-08-02 12:40 . 2008-08-02 12:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 12:22 . 2008-08-02 12:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 21:25 . 2008-08-01 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 21:24 . 2008-08-01 21:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 21:24 . 2008-08-01 21:24 <DIR> d-------- C:\Documents and Settings\jquizon\Application Data\SUPERAntiSpyware.com
2008-08-01 20:36 . 2008-08-01 20:36 <DIR> d-------- C:\VundoFix Backups
2008-07-31 06:31 . 2008-07-31 06:31 <DIR> d-------- C:\Documents and Settings\jquizon\Application Data\Malwarebytes
2008-07-31 06:30 . 2008-07-31 06:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 06:30 . 2008-07-31 06:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 06:30 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 06:30 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 23:44 . 2008-08-21 23:24 <DIR> d-------- C:\Quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-08-15 23:58 --------- d-----w C:\Documents and Settings\jquizon\Application Data\Wave Systems Corp
2008-08-01 13:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 12:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 02:34 159744]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-18 11:45 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-18 11:45 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-18 11:45 138008]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 14:23 1191936]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 15:32 102400]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 11:53 212992]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 09:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784]
"SBEVMON.EXE"="C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-30 13:46 176128]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.EXE" [2007-10-30 13:46 49212]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 15:06 136512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-12 15:30 111952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-18 23:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-11 20:43:46 2150400]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-10-23 02:53:16 50688]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-10-26 15:29:40 12390]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"dontdisplaylockeduserid"= 3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ADD-DomainAdmins.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\0\0]
"Script"=Mcafee_CMA_deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2006-08-28 15:00]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-10-30 13:46]
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys [2007-10-30 13:46]
R0 SBAlg01;SBAlg01;C:\WINDOWS\system32\drivers\SBAlg01.sys [2007-10-30 13:46]
R0 SBAlg12;SBAlg12;C:\WINDOWS\system32\drivers\SBAlg12.sys [2007-10-30 13:46]
R0 SbEncVol;SbEncVol;C:\WINDOWS\system32\drivers\SbEncVol.sys [2007-10-30 13:46]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-10-30 13:46]
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys [2007-10-30 13:46]
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys [2007-10-30 13:46]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 14:21]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE [2007-10-30 13:46]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-08-24 04:21]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 12:32]
S3 MySQL51;MySQL51;C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=C:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL51 []
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-01-29 21:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 23:30:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL51"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2008-08-21 23:38:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-21 15:38:15
ComboFix2.txt 2008-08-16 00:43:15

Pre-Run: 49,328,898,048 bytes free
Post-Run: 49,310,912,512 bytes free

179

Hope to hear from you soon on what should i do with F-Secure.

Thanks
sgpilgrim08

#10 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 22 August 2008 - 09:15 AM

Hi SNOWHITE,

I was able to get F-Secure to run and finally here is the log reports.

(6) F-Secure Report

Scanning Report
Friday, August 22, 2008 18:30:20 - 21:58:04

Computer name: SNG2NB005
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 7 malware found
TrackingCookie.Adrevolver (spyware)

* System

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Specificclick (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Statistics
Scanned:

* Files: 83510
* System: 3956
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 7
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SAFEBOOT.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Blacklight: 1.0.68
* F-Secure Hydra: 2.8.8110, 2008-08-21
* F-Secure Pegasus: 1.20.0, 2008-04-15
* F-Secure AVP: 7.0.171, 2008-08-21

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.


(7) Main.txt

Deckard's System Scanner v20071014.68
Run by jquizon on 2008-08-22 22:04:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Performed disk cleanup.



-- HijackThis (run as jquizon.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:54 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
c:\my files\downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jquizon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [StartMS] C:\Program Files\Creative\Shared Files\Media Sniffer\Startms.exe /s
O4 - HKCU\..\RunOnce: [Inetreg] "C:\Program Files\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://CFSTODAY
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2886DF1C-0350-4B6A-84ED-E550E37A2D6E} (AExeoInstall Control) - file://\\jrc1msfs01\emphasis\Install\WebDeploy\BDE_Selector\bin\AExeoInstallProj.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn-eu.citco.com/dana-cached/setup/...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.ent.citco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.ent.citco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.ent.citco.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11150 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; Application Driver>
R0 SafeBoot - c:\windows\system32\drivers\safeboot.sys
R0 SBAlg - c:\windows\system32\drivers\sbalg.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SBAlg01 - c:\windows\system32\drivers\sbalg01.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SBAlg12 - c:\windows\system32\drivers\sbalg12.sys <Not Verified; Control Break International; SafeBoot Security System>
R0 SbEncVol - c:\windows\system32\drivers\sbencvol.sys <Not Verified; Control Break International; SafeBoot VDisk>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 RsvLock - c:\windows\system32\drivers\rsvlock.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SBFlop - c:\windows\system32\drivers\sbflop.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SbPrcCtl - c:\windows\system32\drivers\sbprcctl.sys <Not Verified; Control Break International; SafeBoot Security System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 DXEC01 - c:\windows\system32\drivers\dxec01.sys <Not Verified; Knowles Acoustics; DXEC.01 Speech Enhancement>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 SafeBootConfigurationManager (SafeBoot Configuration Manager) - c:\program files\safeboot\sbmgrnt.exe <Not Verified; Control Break International; SafeBoot Security System>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 tcsd_win32.exe (NTRU TSS v1.2.1.12 TCS) - "c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
S3 MySQL51 - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql51 (file missing)
S3 SecureStorageService - "c:\program files\wave systems corp\secure storage manager\securestorageservice.exe" <Not Verified; Wave Systems Corp.; Secure Storage Manager>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 772)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 1144)
2007-01-31 20:15:20 212992 --a------ C:\WINDOWS\system32\biolsp.dll <Not Verified; Wave Systems Corp.; Authentication Manager>
2005-08-29 20:47:36 344064 --a------ C:\oracle\product\10.2.0\client_1\BIN\oci.dll <Not Verified; Oracle Corporation; >

C:\WINDOWS\system32\svchost.exe (pid 628)
2006-05-12 06:15:50 52736 --a------ C:\WINDOWS\system32\HPZIPM12.DLL <Not Verified; Hewlett-Packard; Bidi User Mode>

C:\WINDOWS\explorer.exe (pid 3992)
2007-03-15 21:50:36 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll <Not Verified; www.tortoisecvs.org; TortoiseCVS TortoiseShell>
2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2007-10-25 15:06:00 106496 --a------ C:\Program Files\McAfee\Common Framework\JrMac.dll <Not Verified; McAfee, Inc.; McAfee Common Framework>
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2007-01-31 20:15:20 212992 --a------ C:\WINDOWS\system32\biolsp.dll <Not Verified; Wave Systems Corp.; Authentication Manager>
2000-04-19 14:00:00 24644 --a------ C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
2007-09-21 07:34:58 129024 --a------ C:\Program Files\WinRAR\RarExt.dll
2003-10-30 05:59:02 49152 --a------ C:\Program Files\TextPad 4\system\shellext.dll <Not Verified; Helios Software Solutions; TextPad Add-On>
2005-10-14 07:25:00 110592 --a------ C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll <Not Verified; TechSmith Corporation; SnagIt>
2007-10-30 13:46:29 69632 --a------ C:\Program Files\SafeBoot\FileEnc\SBSHELL.DLL <Not Verified; Control Break International; SafeBoot File Encryptor>
2007-01-30 15:32:50 143360 --a------ C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\ContextMenuItem.dll <Not Verified; Wave Systems Corp.; Document Manager>
2007-01-30 15:32:06 552960 --a------ C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\VaultServer.dll <Not Verified; Wave Systems Corp; VaultServer Dynamic Link Library>
2007-01-30 15:31:50 286720 --a------ C:\WINDOWS\system32\wxvault.dll <Not Verified; ; wxvault Dynamic Link Library>
2007-01-30 15:30:30 4096 --a------ C:\WINDOWS\system32\detoured.dll
2007-05-14 14:24:00 98304 --a------ C:\Program Files\Dell\QuickSet\dadkeyb.dll


-- Files created between 2008-07-22 and 2008-08-22 -----------------------------

2008-08-22 00:06:23 0 d-------- C:\fsaua.data
2008-08-22 00:02:37 0 d-------- C:\Program Files\Common Files\Java
2008-08-22 00:01:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-08-16 08:29:03 0 d-------- C:\cmdcons
2008-08-16 08:26:12 68096 --a------ C:\WINDOWS\zip.exe
2008-08-16 08:26:12 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-16 08:26:12 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-16 08:26:12 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-16 08:26:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-16 08:26:12 98816 --a------ C:\WINDOWS\sed.exe
2008-08-16 08:26:12 80412 --a------ C:\WINDOWS\grep.exe
2008-08-16 08:26:12 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-16 08:10:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-08-16 08:09:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-08-16 08:09:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-08-16 08:03:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Dell
2008-08-04 00:20:54 0 d-------- C:\Program Files\Trend Micro
2008-08-02 12:40:04 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 12:22:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 21:25:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 21:24:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 21:24:44 0 d-------- C:\Documents and Settings\jquizon\Application Data\SUPERAntiSpyware.com
2008-08-01 20:36:31 0 d-------- C:\VundoFix Backups
2008-07-31 06:31:09 0 d-------- C:\Documents and Settings\jquizon\Application Data\Malwarebytes
2008-07-31 06:30:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 06:30:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 23:44:33 0 d-------- C:\Quarantine


-- Find3M Report ---------------------------------------------------------------

2008-08-22 18:20:08 0 d-------- C:\Documents and Settings\jquizon\Application Data\Wave Systems Corp
2008-08-22 00:03:22 0 d-------- C:\Program Files\Java
2008-08-22 00:02:37 0 d-------- C:\Program Files\Common Files
2008-08-01 21:24:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-30 23:47:43 3535151 --a------ C:\WINDOWS\system32\Xpportlog-standard
2008-07-30 23:36:51 3408061 --a------ C:\WINDOWS\system32\XPPortlog


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [01/25/2007 02:34 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05/18/2007 11:45 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05/18/2007 11:45 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05/18/2007 11:45 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [05/14/2007 02:23 PM]
"SigmatelSysTrayApp"="stsystra.exe" [02/18/2007 11:26 PM C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [01/30/2007 03:32 PM]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [01/22/2007 11:53 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [07/25/2007 04:32 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [07/25/2007 04:30 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 09:00 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 05:23 PM]
"SBEVMON.EXE"="C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.exe" [10/30/2007 01:46 PM]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [10/30/2007 01:46 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [10/25/2007 03:06 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [05/12/2008 03:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 12:09 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"StartMS"=C:\Program Files\Creative\Shared Files\Media Sniffer\Startms.exe /s
"Inetreg"="C:\Program Files\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [1/11/2007 8:43:46 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/23/2007 2:53:16 AM]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [10/26/2007 3:29:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"dontdisplaylockeduserid"=3 (0x3)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"DisableCurrentUserRunOnce"=1 (0x1)
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ADD-DomainAdmins.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-12324\Scripts\Logon\0\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\0\0]
"Script"=Mcafee_CMA_deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\0]
"Script"=SDO_install_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\1]
"Script"=CA-servicesStartup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3061726268-1491933618-2623018998-30620\Scripts\Logon\1\2]
"Script"=SafebootDetection.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER



-- End of Deckard's System Scanner: finished at 2008-08-22 22:06:46 ------------



(8) Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
CPU 1: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1014.04 MiB / 525.6 MiB
Pagefile Memory (total/avail): 2440.85 MiB / 1937.26 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1889.83 MiB

C: is Fixed (NTFS) - 74.47 GiB total, 46.04 GiB free.
D: is CDROM (No Media)
P: is Network (*NT5CSC)
R: is Network (Unformatted)
S: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - Hitachi HTS541680J9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

AV: VirusScan Enterprise + AntiSpyware Enterprise v8.5.0.781 (McAfee, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"="C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe:*:Enabled:igateway"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\jquizon\\Local Settings\\Temp\\OraInstall2007-12-24_10-46-26AM\\jre\\1.4.2\\bin\\javaw.exe"="C:\\Documents and Settings\\jquizon\\Local Settings\\Temp\\OraInstall2007-12-24_10-46-26AM\\jre\\1.4.2\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\eclipse\\eclipse.exe"="C:\\eclipse\\eclipse.exe:*:Disabled:eclipse"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Disabled:File Transfer Program"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\j2sdk1.4.2_16\\bin\\javaw.exe"="C:\\j2sdk1.4.2_16\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\AExeo\\AExeo 3.6\\SecurityExplorer360p7.exe"="C:\\Program Files\\AExeo\\AExeo 3.6\\SecurityExplorer360p7.exe:*:Disabled:Æxeo Security Explorer"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=C:\apache-ant-1.7.0
APPDATA=C:\Documents and Settings\jquizon\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLASSPATH=.;C:\CVS_PROJECTS\build\third_party\libext;C:\tomcat\server\lib;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SNG2NB005
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jquizon
HOMESHARE=\\sng3msfs01ab\Home$
INCLUDE=C:\Program Files\AExeo\sybase\OCS-12_0\include
JAVA_HOME=C:\j2sdk1.4.2_16
LIB=C:\Program Files\AExeo\sybase\OCS-12_0\lib
LOGONSERVER=\\ADDCVM01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Perl\site\bin;C:\Perl\bin;C:\oracle\product\10.2.0\client_1\bin;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\AExeo\sybase\OCS-12_0\dll;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;c:\cygwin\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Perl\site\bin;C:\Perl\bin;C:\oracle\product\10.2.0\client_1\bin;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\Program Files\AExeo\sybase\OCS-12_0\dll;C:\Program Files\cvsnt;C:\Program Files\MySQL\MySQL Server 5.0\bin;C:\apache-ant-1.7.0\bin;C:\j2sdk1.4.2_16\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SYBASE=C:\Program Files\AExeo\sybase
SYBASE_OCS=OCS-12_0
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jquizon\LOCALS~1\Temp
TMP=C:\DOCUME~1\jquizon\LOCALS~1\Temp
USERDNSDOMAIN=AD.ENT.CITCO.COM
USERDOMAIN=AD
USERNAME=jquizon
USERPROFILE=C:\Documents and Settings\jquizon
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

aktan (new local, admin, net ready)
jquizon (admin)
jwalker (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B095CD4-555F-4F70-9B90-B1DB84D810ED}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B095CD4-555F-4F70-9B90-B1DB84D810ED}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA32BDBB-A91E-47AB-97F1-4C7007F4953C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA32BDBB-A91E-47AB-97F1-4C7007F4953C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Advanced Query Tool V7.1.7 --> MsiExec.exe /I{3EC9396C-44A3-496F-A60E-88337A97A0C7}
AExeo 3.3 --> MsiExec.exe /X{F141577E-5711-44CD-9ACB-F48EA73D98CD}
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadcom ASF Management Applications --> MsiExec.exe /I{27E25625-DB51-42E6-BEB7-0C8DC878770C}
Broadcom Management Programs --> MsiExec.exe /X{C99C0593-3B48-41D9-B42F-6E035B320449}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen MicroPhoto --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1AEC8F41-4701-415D-9782-F69CFB535463}\SETUP.EXE" -l0x9 /remove
CVSNT --> "C:\Program Files\cvsnt\unins000.exe"
DameWare Mini Remote Control --> MsiExec.exe /I{CD63D4CC-5592-4CFE-BD1A-622B81280F27}
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Touchpad --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
EMBASSY Security Center --> C:\Program Files\InstallShield Installation Information\{EEAFE1E5-076B-430A-96D9-B567792AFA88}\setup.exe -runfromtemp -l0x0409
EMBASSY Security Setup --> C:\Program Files\InstallShield Installation Information\{53333479-6A52-4816-8497-5C52B67ED339}\setup.exe -runfromtemp -l0x0409
EMBASSY Trust Suite by Wave Systems --> C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe -runfromtemp -l0x0009 -removeonly
ESC Home Page Plugin --> C:\Program Files\InstallShield Installation Information\{E738A392-F690-4A9D-808E-7BAF80E0B398}\setup.exe -runfromtemp -l0x0409
ETS Upgrade --> C:\Program Files\InstallShield Installation Information\{72FECEA1-E87F-4192-89FA-D0FBF92885BB}\setup.exe -runfromtemp -l0x0409
ExamDiff 1.7 --> "C:\Program Files\ExamDiff\unins000.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IntelliSonic Speech Enhancement --> MsiExec.exe /X{D9FCA292-1186-421F-8D93-9A5D272AD5D0}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Juniper Networks Host Checker --> "C:\Documents and Settings\jquizon\Application Data\Juniper Networks\Host Checker\uninstall.exe"
Juniper Networks Network Connect 5.5.0 --> "C:\Program Files\Juniper Networks\Network Connect 5.5.0\uninstall.exe"
Juniper Networks Network Connect 6.0.0 --> "C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee AntiSpyware Enterprise Module --> "C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\enuwpie.inf,WebPostUninstall
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Diagnostic Tool --> MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
MySQL Server 5.0 --> MsiExec.exe /I{608FFCC7-7237-47BB-ABD5-8341754A3BBA}
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NTRU TCG Software Stack --> MsiExec.exe /I{A618BB0D-8B88-45FF-83CD-783B4AE59AA0}
O2Micro USB Smart Card Reader --> MsiExec.exe /I{9556CFD4-3F7E-4D1C-958B-759703E9CC21}
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Preboot Manager --> MsiExec.exe /I{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}
PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
Private Information Manager --> C:\Program Files\InstallShield Installation Information\{0B0A2153-58A6-4244-B458-25EDF5FCD809}\setup.exe -runfromtemp -l0x0409
Python 2.5.1 --> MsiExec.exe /I{31800004-6386-4999-A519-518F2D78D8F0}
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Secure Update --> C:\Program Files\InstallShield Installation Information\{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}\setup.exe -runfromtemp -l0x0409
Security Wizards --> C:\Program Files\InstallShield Installation Information\{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}\setup.exe -runfromtemp -l0x0409
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SnagIt 7 --> MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
TightVNC 1.3.9 --> "C:\Program Files\TightVNC\unins000.exe"
TortoiseCVS --> MsiExec.exe /I{E8F7BA57-94C7-4007-B00E-B4600F96FF31}
tsp patch --> MsiExec.exe /I{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}
upekmsi --> MsiExec.exe /I{FBEC50B7-537C-4A0E-8B0B-F7A8F8BF13CE}
ViceVersa FREE 1.0.3 --> "C:\Program Files\ViceVersa FREE\unins000.exe"
Wave Infrastructure Installer --> MsiExec.exe /I{D31F958E-7353-4DEB-83E8-35B02F2EE20A}
Wave Support Software --> C:\Program Files\InstallShield Installation Information\{07D618CD-B016-438A-ADC9-A75BD23F85CE}\setup.exe -runfromtemp -l0x0409
WinCvs 2.0 --> "C:\Program Files\GNU\WinCvs 2.0\unins000.exe"
Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pbadrv_40CD90DE1AD5BDAF5E2676750520DB94FDE3886E\pbadrv.inf
Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\oz776_ECA62BF451D0A6F7B3E38E62F6FA5166CAF54FCE\oz776.inf
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.5 --> "C:\Program Files\WinSCP\unins000.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3601 / Error
Event Submitted/Written: 08/22/2008 10:04:37 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type3515 / Error
Event Submitted/Written: 08/22/2008 06:18:42 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script SafebootDetection.vbs. The system cannot find the file specified.
.

Event Record #/Type3514 / Error
Event Submitted/Written: 08/22/2008 06:18:42 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script CA-servicesStartup.bat. The system cannot find the file specified.
.

Event Record #/Type3513 / Error
Event Submitted/Written: 08/22/2008 06:18:42 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script SDO_install_script.vbs. The system cannot find the file specified.
.

Event Record #/Type3512 / Error
Event Submitted/Written: 08/22/2008 06:18:42 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script Mcafee_CMA_deployment.vbs. The system cannot find the file specified.
.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9665 / Error
Event Submitted/Written: 08/22/2008 10:05:37 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 239 minutes.
NtpClient has no source of accurate time.

Event Record #/Type9664 / Warning
Event Submitted/Written: 08/22/2008 10:05:37 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 240 minutes.

Event Record #/Type9661 / Error
Event Submitted/Written: 08/22/2008 08:05:37 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 119 minutes.
NtpClient has no source of accurate time.

Event Record #/Type9660 / Warning
Event Submitted/Written: 08/22/2008 08:05:37 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 120 minutes.

Event Record #/Type9659 / Error
Event Submitted/Written: 08/22/2008 07:05:37 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-08-22 22:06:46 ------------


Thanks,

sgpilgrim08

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:37 PM

Posted 25 August 2008 - 09:20 PM

Hello, sgpilgrim08.
SNOW has been having some problems, and has asked me to take over :thumbsup:

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#12 sgpilgrim08

sgpilgrim08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 26 August 2008 - 06:20 PM

Hi Billy,

Thank you for taking over from Snowhite.
I really appreciate what Snowhite has done so far and also asking someone else to take over from here.

I've recently posted the F-Secure logs and HiJack logs as requested by Snowhite.

Now, i'm posting the ESET logs.

(7) Eset logs

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3388 (20080826)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=1b0cade0ceadc84784ad5515de1a73fc
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-26 07:17:56
# local_time=2008-08-27 03:17:56 (+0800, Malay Peninsula Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1946023
# found=6
# scan_time=22382
C:\Deckard\System Scanner\20080811224637\backup\DOCUME~1\jquizon\LOCALS~1\Temp\.tt80.tmp Win32/TrojanDownloader.Agent.OBK trojan (deleted) 00000000000000000000000000000000
C:\Deckard\System Scanner\20080811224637\backup\DOCUME~1\jquizon\LOCALS~1\Temp\.tt80.tmp »NSIS »ý§€.exe Win32/TrojanDownloader.Agent.OBK trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\gmhyjj.dll.vir Win32/Adware.Virtumonde.NAY application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\iifgEttr.dll.vir.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\jalscwei.dll.vir Win32/Adware.Virtumonde.NAY application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\kxenhomj.dll.vir a variant of Win32/Adware.Virtumonde.NAY application (unable to clean - deleted) 00000000000000000000000000000000


Thanks a bunch,
sgpilgrim08

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:37 PM

Posted 26 August 2008 - 08:01 PM

Hello, sgpilgrim08.
You now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.
    Posted Image
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
    Posted Image
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "Virtumonde, Several rogues"

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
    :thumbsup:
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
    :)
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
    :)
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
    :)
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here.
    :spacer:
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly.
    :spacer:
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window
    For a more detailed explanation of the HOSTS file, click here.
    :spacer:
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
    :spacer:
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!
Billy3

Edited by Billy O'Neal, 26 August 2008 - 08:02 PM.
I apparently can't spell "Several"

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:37 PM

Posted 27 August 2008 - 09:07 PM

Hello, sgpilgrim08.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users