Can't Stop Pop-ups!


  • This topic is locked
11 replies to this topic

#1 paulh5533

  • Members
  • 4 posts

Posted 02 October 2008 - 04:59 PM

My computer is infected with some kind of malware that creates a ridiculous amount of pop-up ads for all kinds of products, but it also grabs my Google queries and returns its own results from other websites. I've tried running all of the Spybot & anti-virus software detailed in postings on this forum. Any help addressing this issue would be much appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:38 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RSDP\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\DesktopAuthority\DaMaint.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\enstart.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\windows\system32\slclient.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DesktopAuthority\rmgui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Cisco systems\VPN Client\vpngui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cphpdoc1.homedepot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: {96a555b4-5e3d-888b-fea4-83a7e867c393} - {393c768e-7a38-4aef-b888-d3e54b555a69} - C:\WINDOWS\system32\anagxj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FEF1439E-5344-43F9-995F-B530FC48A047} - C:\WINDOWS\system32\khfFWmjJ.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\rmgui.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DA Remote Management GUI] "C:\Program Files\DesktopAuthority\rmgui.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Backup of Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Backup of Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Backup of WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PGPtray.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.cpwiis82
O15 - Trusted Zone: http://*.cpwiisca
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: http://*.cpwiis82 (HKLM)
O15 - Trusted Zone: http://*.cpwiisca (HKLM)
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.homedepot.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.homedepot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com,ssc.homedepot.com,amer.qahomedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amer.homedepot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com,ssc.homedepot.com,amer.qahomedepot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.homedepot.com,homedepot.com,ssc.homedepot.com,amer.qahomedepot.com
O20 - AppInit_DLLs: DAinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\RSDP\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
O23 - Service: DA Remote Management Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DaMaint.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DA Remote Management Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: enstart - Unknown owner - C:\WINDOWS\system32\enstart.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\RSDP\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - c:\windows\system32\slclient.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe

--
End of file - 13716 bytes
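As an added example (not from the thread, and not part of HijackThis), a small Python triage script that parses log lines of the kind pasted above and flags the entries a helper usually looks at first: BHOs registered without a readable name or whose file is missing, Trusted Zone additions outside an assumed corporate DNS suffix (homedepot.com, taken from the O17 lines), and any AppInit_DLLs entry. The sample lines are copied from the log above; the allowlist and the heuristics are assumptions for illustration, not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cphpdoc1.homedepot.com/
O2 - BHO: {96a555b4-5e3d-888b-fea4-83a7e867c393} - {393c768e-7a38-4aef-b888-d3e54b555a69} - C:\WINDOWS\system32\anagxj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FEF1439E-5344-43F9-995F-B530FC48A047} - C:\WINDOWS\system32\khfFWmjJ.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://*.cpwiis82
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: http://*.cpwiis82 (HKLM)
O20 - AppInit_DLLs: DAinit.dll
"""

# Assumption for this environment: the corporate DNS suffix shown in the log's O17 lines.
TRUSTED_SUFFIXES = ("homedepot.com",)

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str    # short tag for the heuristic that fired
    detail: str    # the path, host or DLL the finding refers to


def parse_line(line):
    """Split a HijackThis line into (section, body); None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_bho(body):
    # O2 body layout: "BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
    parts = body[len("BHO: "):].split(" - ", 2)
    if len(parts) != 3:
        return []
    name, _clsid, path = parts
    if path.endswith("(file missing)"):
        # Registration left behind after the DLL was deleted or renamed.
        return [Finding("O2", "missing-file", path)]
    if name == "(no name)" or GUID_RE.match(name):
        # Legitimate installers nearly always register a readable name;
        # a GUID or no name at all is worth a closer look.
        return [Finding("O2", "unnamed-bho", path)]
    return []


def check_trusted_zone(body):
    # O15 body layout: "Trusted Zone: [http://]*.host[ (HKLM)]"
    host = body[len("Trusted Zone: "):].split(" ")[0]
    host = host.split("://")[-1].lstrip("*.").lower()
    if "." not in host:
        return []  # single-label name: resolved through the intranet DNS search list
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return []
    return [Finding("O15", "untrusted-zone", host)]


def check_appinit(body):
    # Every AppInit_DLLs entry is loaded into each process that links user32.dll,
    # so each one is reported for matching against an installed product.
    dlls = body[len("AppInit_DLLs:"):].split()
    return [Finding("O20", "appinit-dll", d) for d in dlls]


def triage(log_text):
    """Return the findings for a HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O2" and body.startswith("BHO: "):
            findings.extend(check_bho(body))
        elif section == "O15":
            findings.extend(check_trusted_zone(body))
        elif section == "O20":
            findings.extend(check_appinit(body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<15} {f.detail}")
```

Running it on the sample reports the two unnamed or orphaned BHOs, the gomyhit.com zone entry and the AppInit_DLLs entry, while the Spybot BHO and the single-label intranet hosts pass.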


#2 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 02 October 2008 - 07:39 PM

Hello, paulh5533.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 04 October 2008 - 08:35 PM

Hello, paulh5533.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

#4 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 October 2008 - 07:13 PM

User returned; topic reopened. Please post your logs below :thumbsup:

Billy3

#5 paulh5533
  • Topic Starter

  • Members
  • 4 posts

Posted 14 October 2008 - 07:18 PM

OTViewIt logfile created on: 10/14/2008 8:10:25 PM - Run
OTViewIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\phg8ht.AMER\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.47% Memory free
3.85 Gb Paging File | 3.38 Gb Available in Paging File | 87.93% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 31.20 Gb Free Space | 55.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DVLTPHG8HTA
Current User Name: phg8ht
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/11/10 21:33:00 | 00,073,782 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
[2006/09/13 05:43:10 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2005/08/15 19:27:54 | 00,208,896 | ---- | M] (Funk Software, Inc.) -- C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
[2006/03/24 17:14:58 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2006/03/24 17:14:52 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2006/04/11 17:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
[2004/10/29 02:04:44 | 00,847,872 | ---- | M] (Internet Security Systems, Inc.) -- C:\Program Files\RSDP\blackd.exe
[2006/09/13 05:43:10 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2003/06/13 13:58:18 | 01,422,528 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
[2008/02/09 18:13:54 | 00,063,408 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\DaMaint.exe
[2006/06/15 01:40:16 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
[2008/02/09 18:12:52 | 01,312,688 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\DesktopAuthority.exe
[2007/05/21 10:48:36 | 00,932,944 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
[2008/04/18 08:20:27 | 00,491,520 | ---- | M] () -- C:\WINDOWS\system32\enstart.exe
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2007/01/04 10:21:24 | 00,081,920 | ---- | M] (PatchLink Corporation) -- C:\Program Files\PatchLink\Update Agent\GravitixService.exe
[2007/10/24 18:03:22 | 00,092,672 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\PGPserv.exe
[2006/06/15 01:40:28 | 00,115,952 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
[2008/02/28 09:43:10 | 00,556,960 | ---- | M] (ScriptLogic Software Corporation) -- c:\WINDOWS\system32\slClient.exe
[2006/11/20 04:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
[2006/06/15 01:40:24 | 01,805,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
[2005/06/06 21:26:22 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2007/09/27 13:23:00 | 00,709,488 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Client\CommAgent.exe
[2007/09/27 13:22:36 | 03,564,344 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Client\SPYSWEEPER.EXE
[2006/02/14 10:17:28 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[2006/02/14 10:16:28 | 00,512,000 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2005/05/20 04:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
[2005/08/15 19:26:56 | 01,015,871 | ---- | M] (Funk Software, Inc.) -- C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
[2006/07/05 16:15:52 | 00,094,208 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
[2004/05/17 13:27:28 | 00,032,859 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\dpmw32.exe
[2004/08/04 03:00:00 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2005/08/01 05:10:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
[2005/07/05 13:57:12 | 00,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
[2005/10/25 23:44:30 | 00,086,016 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
[2004/07/27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2002/03/12 09:37:28 | 00,028,672 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nwtray.exe
[2006/10/22 23:24:02 | 00,620,152 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
[2008/02/09 18:13:54 | 00,485,296 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\rmgui.exe
[2006/03/24 17:14:48 | 00,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2006/06/15 01:40:34 | 00,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
[2007/01/04 10:21:02 | 00,421,888 | ---- | M] (PatchLink Corporation) -- C:\Program Files\PatchLink\Update Agent\pddm.exe
[2006/11/21 11:00:02 | 00,394,856 | R--- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
[2007/07/12 09:59:03 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
[2007/10/24 18:08:48 | 02,490,880 | ---- | M] (PGP Corporation) -- C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
[2004/08/04 03:00:00 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2004/08/04 03:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
[2004/08/04 03:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
[2008/10/14 20:10:02 | 00,421,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\phg8ht.AMER\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2006/09/13 05:43:10 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2004/10/29 02:04:44 | 00,847,872 | ---- | M] (Internet Security Systems, Inc.) -- C:\Program Files\RSDP\blackd.exe -- (BlackICE [Unknown | Running])
[2006/03/24 17:14:52 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2006/03/24 17:14:58 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2006/08/11 14:51:04 | 00,028,672 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\cusrvc.exe -- (cusrvc [On_Demand | Stopped])
[2003/06/13 13:58:18 | 01,422,528 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco systems\VPN Client\cvpnd.exe -- (CVPND [Auto | Running])
[2008/02/09 18:13:54 | 00,063,408 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\DaMaint.exe -- (DAMaint [Auto | Running])
[2005/05/27 14:41:14 | 00,188,416 | ---- | M] (International Business Machines Corporation) -- C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe -- (DB2JDS [On_Demand | Stopped])
[2005/04/24 15:28:38 | 00,013,864 | ---- | M] (International Business Machines Corporation) -- C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe -- (DB2NTSECSERVER [On_Demand | Stopped])
[2006/06/15 01:40:16 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2008/02/09 18:12:52 | 01,312,688 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\DesktopAuthority.exe -- (DesktopAuthority [Auto | Running])
[2007/05/21 10:48:36 | 00,932,944 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper [Auto | Running])
[2008/04/18 08:20:27 | 00,491,520 | ---- | M] () -- C:\WINDOWS\system32\enstart.exe -- (enstart [Auto | Running])
[2007/07/12 09:59:03 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Running])
[2005/11/10 21:33:00 | 00,073,782 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC [Auto | Running])
[2006/02/23 11:41:02 | 02,045,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate [On_Demand | Stopped])
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2005/08/15 19:27:54 | 00,208,896 | ---- | M] (Funk Software, Inc.) -- C:\Program Files\Funk Software\Odyssey Client\odClientService.exe -- (odClientService [Auto | Running])
[2003/07/28 20:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/01/04 10:21:24 | 00,081,920 | ---- | M] (PatchLink Corporation) -- C:\Program Files\PatchLink\Update Agent\GravitixService.exe -- (PatchLink Update [Auto | Running])
[2007/10/24 18:03:22 | 00,092,672 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\PGPserv.exe -- (PGPserv [Auto | Running])
[2003/06/19 09:40:20 | 00,688,128 | ---- | M] (Internet Security Systems, Inc.) -- C:\Program Files\RSDP\RapApp.exe -- (RapApp [On_Demand | Stopped])
[2006/06/15 01:40:28 | 00,115,952 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [Auto | Running])
[2008/02/28 09:43:10 | 00,556,960 | ---- | M] (ScriptLogic Software Corporation) -- c:\WINDOWS\system32\slClient.exe -- (SLClient [Auto | Running])
[2006/01/24 20:06:58 | 00,214,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
[2006/11/20 04:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe -- (SNMP [Auto | Running])
[2004/08/04 03:00:00 | 00,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmptrap.exe -- (SNMPTRAP [On_Demand | Stopped])
[2006/04/11 17:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [Auto | Running])
[2006/06/15 01:40:24 | 01,805,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2005/06/06 21:26:22 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC [Auto | Running])
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/09/27 13:23:00 | 00,709,488 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Client\CommAgent.exe -- (WebrootCommAgentService [Auto | Running])
[2007/09/27 13:22:36 | 03,564,344 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Client\SPYSWEEPER.EXE -- (WebrootSpySweeperService [On_Demand | Running])

========== Driver Services ==========

[2006/01/31 06:19:34 | 00,176,128 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
[2005/06/07 09:53:46 | 00,152,960 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudioService [On_Demand | Running])
[2006/09/13 05:49:52 | 01,724,416 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2005/05/17 07:20:06 | 00,015,872 | ---- | M] (Atmel, Inc.) -- C:\WINDOWS\system32\drivers\atmeltpm.sys -- (atmeltpm [On_Demand | Running])
[2004/09/09 01:30:32 | 00,227,285 | ---- | M] (Internet Security Systems, Inc.) -- C:\WINDOWS\system32\drivers\blackdrv.sys -- (black [Disabled | Running])
[2003/05/01 13:26:34 | 00,005,220 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
[2003/06/13 13:57:30 | 00,268,362 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Running])
[2008/02/09 18:13:56 | 00,012,080 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\DAInfo.sys -- (DAInfo [Auto | Running])
[2008/02/09 18:14:18 | 00,011,184 | ---- | M] (Windows ® 2000 DDK provider) -- C:\Program Files\DesktopAuthority\DAtf.sys -- (DAtf [Auto | Running])
[2005/08/01 05:10:00 | 00,025,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
[2005/07/07 09:03:34 | 00,005,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
[2005/08/01 05:10:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
[2005/08/01 05:10:00 | 00,086,524 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
[2005/08/01 05:10:00 | 00,014,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
[2005/08/01 05:10:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
[2005/07/07 09:02:56 | 00,022,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
[2005/08/01 05:10:00 | 00,092,700 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
[2005/08/01 05:10:00 | 00,087,004 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
[2002/08/26 17:09:42 | 00,138,916 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE [On_Demand | Running])
[2005/07/28 03:30:00 | 00,088,704 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
[2005/07/07 05:10:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
[2006/04/20 12:06:50 | 00,181,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express [On_Demand | Stopped])
[2008/01/17 23:15:57 | 00,385,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2008/04/18 08:20:29 | 00,031,744 | ---- | M] (Guidance Software Inc.) -- C:\WINDOWS\system32\enstart_.sys -- (enstart_ [System | Running])
[2008/01/17 23:15:59 | 00,109,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2005/01/07 16:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2005/12/06 07:21:32 | 00,936,448 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\hsx_dpv.sys -- (HSF_DPV [On_Demand | Running])
[2005/12/06 07:20:48 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\hsxhwazl.sys -- (HSXHWAZL [On_Demand | Running])
[2005/11/10 21:33:00 | 00,010,112 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV [On_Demand | Running])
[2005/10/05 11:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2008/02/28 20:29:25 | 00,082,256 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080529.003\NAVENG.SYS -- (NAVENG [On_Demand | Running])
[2008/02/28 20:29:34 | 00,895,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080529.003\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
[2006/10/17 07:55:28 | 01,711,104 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\NETw3x32.sys -- (NETw3x32 [On_Demand | Running])
[2006/11/09 09:38:22 | 00,506,159 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwfs.sys -- (NetwareWorkstation [Auto | Running])
[2006/03/03 16:50:48 | 00,038,416 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\drivers\nicm.sys -- (NICM [Boot | Running])
[2004/08/03 19:00:52 | 00,028,672 | ---- | M] (National Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA [On_Demand | Running])
[2005/11/22 09:51:22 | 00,018,353 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwdhcp.sys -- (NWDHCP [Auto | Running])
[2006/09/25 11:44:52 | 00,043,280 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwdns.sys -- (NWDNS [On_Demand | Running])
[2005/05/26 17:14:00 | 00,015,891 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwfilter.sys -- (NWFILTER [Boot | Running])
[2005/10/12 12:12:18 | 00,009,297 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwhost.sys -- (NWHOST [On_Demand | Running])
[2003/02/26 13:51:18 | 00,023,232 | ---- | M] () -- C:\WINDOWS\system32\NetWare\nwsap.sys -- (NWSAP [On_Demand | Stopped])
[2005/10/27 15:15:14 | 00,039,731 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwsipx32.sys -- (NWSIPX32 [Auto | Stopped])
[2005/01/03 13:51:38 | 00,020,332 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwslp.sys -- (NWSLP [On_Demand | Running])
[2005/10/12 12:11:32 | 00,006,128 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwsns.sys -- (NWSNS [On_Demand | Running])
[2005/08/15 17:34:02 | 00,184,832 | ---- | M] (Funk Software, Inc.) -- C:\WINDOWS\system32\drivers\odysseyIM4.sys -- (odysseyIM4 [On_Demand | Running])
[2007/10/24 18:03:08 | 00,224,256 | ---- | M] (PGP Corporation) -- C:\WINDOWS\System32\drivers\PGPdisk.sys -- (PGPdisk [Auto | Running])
[2007/10/24 18:02:52 | 00,097,792 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\drivers\PGPfsfd.sys -- (pgpfs [Boot | Running])
[2007/10/24 18:02:46 | 00,033,792 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\drivers\PGPsdk.sys -- (PGPsdkDriver [Auto | Running])
[2007/10/24 18:02:30 | 00,172,544 | ---- | M] (PGP Corporation) -- C:\WINDOWS\System32\drivers\PGPwded.sys -- (PGPwded [Boot | Running])
[2004/08/04 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2005/01/26 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2003/06/19 09:40:42 | 00,036,676 | ---- | M] (Internet Security Systems, Inc.) -- C:\WINDOWS\system32\drivers\RapFile.sys -- (RapFile [On_Demand | Stopped])
[2003/06/19 09:40:54 | 00,024,344 | ---- | M] (Internet Security Systems, Inc.) -- C:\WINDOWS\system32\drivers\RapNet.sys -- (RapNet [On_Demand | Stopped])
[2004/06/01 17:19:34 | 00,027,249 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\resmgr.sys -- (RESMGR [Auto | Running])
[2005/12/19 20:41:56 | 00,337,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2005/12/19 20:41:58 | 00,054,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
[2004/08/04 03:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2006/04/24 01:53:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint [System | Running])
[2008/06/20 08:24:17 | 00,015,104 | R--- | M] (Fujitsu Siemens Computers) -- C:\WINDOWS\system32\drivers\snidmi.sys -- (SniDmi [Auto | Running])
[2006/04/11 17:13:34 | 00,389,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
[2006/09/25 08:54:54 | 00,160,209 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\srvloc.sys -- (SRVLOC [Auto | Running])
[2007/09/27 13:22:36 | 00,020,280 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\system32\drivers\ssfs0BB8.sys -- (SSFS0BB8 [Boot | Running])
[2007/09/27 13:22:34 | 00,021,816 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\system32\drivers\SSHRMD.SYS -- (SSHRMD [Boot | Running])
[2007/09/27 13:22:36 | 00,163,640 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\system32\drivers\SSIDRV.SYS -- (SSIDRV [Boot | Running])
[2006/05/05 16:19:50 | 00,107,696 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2006/01/24 20:06:32 | 00,024,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Stopped])
[2006/01/24 20:06:36 | 00,195,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2006/02/14 10:04:58 | 00,177,664 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2006/04/24 01:53:00 | 00,009,343 | ---- | M] () -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI [System | Running])
[2005/07/05 13:57:06 | 00,017,699 | ---- | M] (IBM Corporation) -- C:\WINDOWS\System32\drivers\TPHKDRV.sys -- (TPHKDRV [System | Running])
[2006/05/26 01:13:00 | 00,004,442 | ---- | M] () -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF [System | Running])
[2006/07/21 02:54:00 | 00,007,168 | ---- | M] () -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP [System | Running])
[2003/03/03 14:08:56 | 00,176,896 | ---- | M] (Zone Labs Inc.) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [On_Demand | Stopped])
[2005/12/06 07:20:42 | 00,670,208 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\hsx_cnxt.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://cphpdoc1.homedepot.com/
"Default_Search_URL"=http://www.google.com/ie
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://cphpdoc1.homedepot.com/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://cphpdoc1.homedepot.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://cphpdoc1.homedepot.com/

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (249881 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
8710 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{393c768e-7a38-4aef-b888-d3e54b555a69} (HKLM) -- C:\WINDOWS\system32\anagxj.dll ()
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
{FEF1439E-5344-43F9-995F-B530FC48A047} (HKLM) -- C:\WINDOWS\system32\khfFWmjJ.dll File not found

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""= File not found
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog ()
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"DA Remote Management GUI"="C:\Program Files\DesktopAuthority\rmgui.exe" (ScriptLogic Corporation)
"Desktop Authority GUI"="C:\Program Files\DesktopAuthority\rmgui.exe" (ScriptLogic Corporation)
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto (Microsoft Corporation)
"NDPS"=C:\WINDOWS\system32\dpmw32.exe (Novell, Inc.)
"NWTRAY"=NWTRAY.EXE (Novell, Inc.)
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" (Funk Software, Inc.)
"PDDM"=C:\Program Files\PatchLink\Update Agent\pddm.exe (PatchLink Corporation)
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor (Lenovo Group Limited)
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (Sun Microsystems, Inc.)
"Synchronization Manager"=%SystemRoot%\system32\mobsync.exe /logon (Microsoft Corporation)
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
"TPHOTKEY"=C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe ()
"TPKMAPHELPER"=C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper (Lenovo)
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)

========== (O4) RunOnce Keys ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"=Narrator.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"=Narrator.exe (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2007/11/16 11:52:10 | 00,295,606 | R--- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-000000000003}\_SC_Acrobat.exe
[2006/10/23 00:01:50 | 00,734,872 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
[2007/05/11 04:06:32 | 00,040,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Backup of Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[2007/05/11 01:29:22 | 00,738,968 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Backup of Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
[2006/11/21 11:00:02 | 00,394,856 | R--- | M] (WinZip Computing LP) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Backup of WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
[2008/01/03 09:15:16 | 00,055,296 | R--- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk = C:\WINDOWS\Installer\{98A73891-2E04-40AA-B5C4-2FA204A580DF}\Icon6560581611.exe
[2006/11/21 11:00:02 | 00,394,856 | R--- | M] (WinZip Computing LP) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
[2006/02/07 19:55:32 | 00,153,336 | ---- | M] (Documentum, Inc.) -- C:\Documents and Settings\phg8ht\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
File not found -- C:\Documents and Settings\smeclnt\Start Menu\Programs\Startup\Sonic INSTALLit! Setup.lnk = C:\_INTEGRA\TMP\VIES08FB\setup.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\Software\policies\microsoft\internet explorer\Control Panel]
"FormSuggest"=1
"FormSuggest Passwords"=1
"GeneralTab"=0
"SecurityTab"=0
"ContentTab"=0
"ConnectionsTab"=0
"ProgramsTab"=0
"AdvancedTab"=0
"Advanced"=0
"HomePage"=1
"Cache"=1
"History"=1
"Colors"=1
"links"=0
"Fonts"=0
"Languages"=0
"Accessibility"=0
"Connwiz Admin Lock"=1
"Connection Settings"=1
"Proxy"=1
"Autoconfig"=1
"Ratings"=1
"Certificates"=1
"Profiles"=1
"Messaging"=1
"CalendarContact"=1
"ResetWebSettings"=1
"Settings"=0
"Check_If_Default"=1
"SecChangeSettings"=1

[HKEY_LOCAL_MACHINE\Software\policies\microsoft\internet explorer\Infodelivery\Restrictions]
"NoJITSetup"=1
"NoUpdateCheck"=1
"NoSplash"=1

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel]
"SecurityTab"=0
"ContentTab"=0
"ProgramsTab"=0
"HomePage"=1
"Colors"=1
"links"=0
"Fonts"=0
"Languages"=0
"Accessibility"=0
"Settings"=0
"History"=1
"FormSuggest"=1
"FormSuggest Passwords"=1
"Check_If_Default"=1
"CalendarContact"=1
"Certificates"=1
"Connection Settings"=1
"Messaging"=1
"Profiles"=1
"Proxy"=1
"Ratings"=1
"Connwiz Admin Lock"=1
"ResetWebSettings"=1
"Advanced"=0

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Infodelivery\Restrictions]
"NoAddingChannels"=1
"NoRemovingChannels"=1
"NoAddingSubscriptions"=1
"NoEditingSubscriptions"=1
"NoRemovingSubscriptions"=1
"NoChannelLogging"=1
"NoScheduledUpdates"=1
"NoChannelUI"=1
"NoSubscriptionContent"=1
"NoEditingScheduleGroups"=1
"MaxSubscriptionSize"=1
"MaxSubscriptionCount"=1
"MinUpdateInterval"=1
"UpdateExcludeBegin"=1
"UpdateExcludeEnd"=1
"MaxWebcrawlLevels"=1

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Main]
"NoUpdateCheck"=1

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Restrictions]
"NoSelectDownloadDir"=0
"NoExternalBranding"=1
"NoHelpItemTipOfTheDay"=1
"NoHelpItemNetscapeHelp"=1
"NoHelpItemTutorial"=1
"NoHelpItemSendFeedback"=1
"NoTheaterMode"=1

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\policies\microsoft\internet explorer\Control Panel]
"SecurityTab"=0
"ContentTab"=0
"ProgramsTab"=0
"HomePage"=1
"Colors"=1
"links"=0
"Fonts"=0
"Languages"=0
"Accessibility"=0
"Settings"=0
"History"=1
"FormSuggest"=1
"FormSuggest Passwords"=1
"Check_If_Default"=1
"CalendarContact"=1
"Certificates"=1
"Connection Settings"=1
"Messaging"=1
"Profiles"=1
"Proxy"=1
"Ratings"=1
"Connwiz Admin Lock"=1
"ResetWebSettings"=1
"Advanced"=0

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\policies\microsoft\internet explorer\Infodelivery\Restrictions]
"NoAddingChannels"=1
"NoRemovingChannels"=1
"NoAddingSubscriptions"=1
"NoEditingSubscriptions"=1
"NoRemovingSubscriptions"=1
"NoChannelLogging"=1
"NoScheduledUpdates"=1
"NoChannelUI"=1
"NoSubscriptionContent"=1
"NoEditingScheduleGroups"=1
"MaxSubscriptionSize"=1
"MaxSubscriptionCount"=1
"MinUpdateInterval"=1
"UpdateExcludeBegin"=1
"UpdateExcludeEnd"=1
"MaxWebcrawlLevels"=1

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\policies\microsoft\internet explorer\Main]
"NoUpdateCheck"=1

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\policies\microsoft\internet explorer\Restrictions]
"NoSelectDownloadDir"=0
"NoExternalBranding"=1
"NoHelpItemTipOfTheDay"=1
"NoHelpItemNetscapeHelp"=1
"NoHelpItemTutorial"=1
"NoHelpItemSendFeedback"=1
"NoTheaterMode"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoWindowsUpdate"=1
"NoCDBurning"=0
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0
"NoDriveTypeAutoRun"=255
"NoWelcomeScreen"=1
"NoMSAppLogo5ChannelNotify"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"CompatibleRUPSecurity"=1
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveTypeAutoRun"=255
"NoWindowsUpdate"=1
"NoWelcomeScreen"=1
"NoAutoUpdate"=0
"ConfirmFileDelete"=1
"NoOnlinePrintsWizard"=1
"NoSharedDocuments"=1
"NoComputersNearMe"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"RunLogonScriptSync"=1
"DisableRegistryTools"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveTypeAutoRun"=255
"NoWindowsUpdate"=1
"NoWelcomeScreen"=1
"NoAutoUpdate"=0
"ConfirmFileDelete"=1
"NoOnlinePrintsWizard"=1
"NoSharedDocuments"=1
"NoComputersNearMe"=1

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"RunLogonScriptSync"=1
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
Append to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 02:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
Append to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
Append to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
Append to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert link target to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert link target to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selected links to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selected links to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selection to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selection to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
Append to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert link target to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert link target to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selected links to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selected links to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selection to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert selection to existing PDF: Reg Error: Key does not exist or could not be opened. File not found
Convert to Adobe PDF: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\Software\Microsoft\Internet Explorer\MenuExt\]
Append to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006/10/22 23:20:26 | 00,321,120 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 02:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [2007/09/25 02:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 07:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 07:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 02:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 07:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 02:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 07:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 02:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 07:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 02:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 07:24:38 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
cpwiis82: http in Trusted sites
cpwiisca: http in Trusted sites
homedepot.com: http in Local intranet
homedepot.com: https in Local intranet
homedepot.com\*.amer: http in My Computer
homedepot.com\*.amer: https in Local intranet
homedepot.com\www: https in My Computer
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
amer.com\homedepot: https in My Computer
cpwiis82: http in Trusted sites
cpwiisca: http in Trusted sites
gomyhit.com: * in Trusted sites
homedepot.com: http in Local intranet
homedepot.com: https in Local intranet
homedepot.com\*.amer: http in My Computer
homedepot.com\*.amer: https in Local intranet
homedepot.com\cpwiisi0: * in My Computer
homedepot.com\cpwiisi0.amer: * in My Computer
homedepot.com\www: https in My Computer
imageservr.com: * in Trusted sites
imagesrvr.com: * in Trusted sites
storageguardsoft.com: * in Trusted sites
41 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
amer.com\homedepot: https in My Computer
cpwiis82: http in Trusted sites
cpwiisca: http in Trusted sites
homedepot.com: http in Local intranet
homedepot.com: https in Local intranet
homedepot.com\*.amer: http in My Computer
homedepot.com\*.amer: https in Local intranet
homedepot.com\cpwiisi0: * in My Computer
homedepot.com\cpwiisi0.amer: * in My Computer
homedepot.com\www: https in My Computer
41 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
amer.com\homedepot: https in My Computer
cpwiis82: http in Trusted sites
cpwiisca: http in Trusted sites
homedepot.com: http in Local intranet
homedepot.com: https in Local intranet
homedepot.com\*.amer: http in My Computer
homedepot.com\*.amer: https in Local intranet
homedepot.com\cpwiisi0: * in My Computer
homedepot.com\cpwiisi0.amer: * in My Computer
homedepot.com\www: https in My Computer
41 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-450285137-3616678309-1244856752-104760\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
amer.com\homedepot: https in My Computer
cpwiis82: http in Trusted sites
cpwiisca: http in Trusted sites
gomyhit.com: * in Trusted sites
homedepot.com: http in Local intranet
homedepot.com: https in Local intranet
homedepot.com\*.amer: http in My Computer
homedepot.com\*.amer: https in Local intranet
homedepot.com\cpwiisi0: * in My Computer
homedepot.com\cpwiisi0.amer: * in My Computer
homedepot.com\www: https in My Computer
imageservr.com: * in Trusted sites
imagesrvr.com: * in Trusted sites
storageguardsoft.com: * in Trusted sites
41 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{164B406B-0FD6-4E7F-BA7E-64D227D4CA37}: http://www.digitalwebbooks.com/reader/dbplugin.cab -- dnlplayer Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}: http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab -- Java Plug-in 1.3.1_02
{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}: http://java.sun.com/products/plugin/autodl...indows-i586.cab -- Java Plug-in 1.4.2_06
{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}: http://java.sun.com/products/plugin/autodl...indows-i586.cab -- Java Plug-in 1.4.2_12
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{378E1F8E-5C76-46DF-8C51-5CA188DC083C} (Servers: | Description: )
{44684205-D8C5-4599-ABEA-06EF12AB525D} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)
{85810948-3424-4495-8669-3A64C11EAAD7} (Servers: | Description: Intel® PRO/1000 PL Network Connection)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=DAinit.dll
>File not found --

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"=odyGina.dll
>[2007/07/03 15:39:31 | 00,139,330 | ---- | M] (Funk Software, Inc.) -- C:\WINDOWS\system32\odyGina.dll


========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
NavLogon: "DllName" = C:\WINDOWS\system32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
OdysseyClient: "DllName" = odyEvent.dll -- C:\WINDOWS\system32\odyEvent.dll (Funk Software, Inc.)
tpfnf2: "DllName" = notifyf2.dll -- C:\WINDOWS\system32\notifyf2.dll ()
tphotkey: "DllName" = tphklock.dll -- C:\WINDOWS\system32\tphklock.dll ()
WRNotifier: "DllName" = WRLogonNtf.DLL -- C:\WINDOWS\system32\WRLogonNtf.DLL (Webroot Software, Inc.)

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,nwv1_0,C:\WINDOWS\system32\khfFWmjJ,
>[2000/02/17 05:54:28 | 00,008,480 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nwv1_0.dll
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [@echo off | SET PATH=C:\;C:\SQLNKWIN | c:\dos\smartdrv.exe c+ /q /n 12288 | | :: WinNT /u:Unattended Text File | :: /s:Path to CAB Files | :: /t:Temp Drive | :: /2 makelocalsource:all | \wininst\i386\winnt.exe /u:c:\_integra\sw\WXPOS011.3EN\params.txt /s:\wininst\i386 /t:c:\ /2 | ]
[2007/07/03 15:45:53 | 00,000,277 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2006/03/17 00:03:54 | 08,452,096 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}\Shell\Explore\command]
""=E:\system.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}\Shell\Open\command]
""=E:\system.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}\Shell]
""=AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}\Shell\Auto\command]
""=auto.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2006/03/17 00:03:54 | 08,452,096 | ---- | M] (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2008/10/14 20:10:01 | 00,421,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\phg8ht.AMER\Desktop\OTViewIt.exe
[2008/10/10 16:53:29 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Copy of Transit Template (2) (2).xls
[2008/10/10 16:45:28 | 00,058,880 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Patio-Grill Tracking Report 10-09-08 (2).xls
[2008/10/09 12:32:09 | 00,015,872 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\ncaaweek7(1).xls
[2008/10/09 11:22:45 | 00,260,096 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Slides for HMM Meeting.ppt
[2008/10/09 10:05:28 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Graphs for HMM Meeting.xls
[2008/10/08 16:29:56 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Multi Container Rimax POs.xls
[2008/10/06 11:20:34 | 00,297,984 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\carrier_mqc summary_100608.ppt
[2008/10/03 14:28:42 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Copy of NingboQingdaoDalian - CFS.xls
[2008/10/03 10:59:15 | 00,082,944 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Sample Freight Cost Report.xls
[2008/10/02 15:47:43 | 00,016,384 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\ncaaweek6(1).xls
[2008/10/02 13:06:33 | 00,064,512 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Patio-Grill Tracking Report NYK 10-02-08 .xls
[2008/10/02 13:00:43 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\HijackThis.lnk
[2008/10/02 13:00:43 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/10/01 13:54:20 | 00,236,544 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Allocation Summary.ppt
[2008/09/30 14:12:26 | 00,015,872 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Optimized Tile Routing Guide.xls
[2008/09/29 15:46:21 | 00,015,360 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\DC_CY Vllokup.xls
[2008/09/25 18:04:27 | 01,803,264 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\MLOG WK 44.xls
[2008/09/25 18:04:21 | 01,596,928 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Carrier Rate Matrix_081908(sans CHHK).xls
[2008/09/25 15:22:10 | 00,100,026 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\GTN Volume_2.xls
[2008/09/23 18:17:51 | 00,798,720 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\2008_Carrier_Ranking_NYKL_091808(2).xls
[2008/09/23 18:05:53 | 00,341,504 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\2008_Carrier Ranking_MLOG_091808 (2).xls
[2008/09/23 13:32:51 | 01,115,648 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Xiamen Carrier Priority List - 9 23 (3).xls
[2008/09/17 14:43:47 | 00,868,479 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\My Documents\QRY_Add Actual Carrier.xls
[2008/09/17 14:42:55 | 00,447,819 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\My Documents\QRY_Add Actual Ocean Costs.xls
[2008/09/17 13:46:33 | 00,525,571 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\My Documents\QRY_Make Allocated FRT Rates.xls
[2008/09/17 11:54:00 | 00,830,306 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\QRY_Make FRT Rates.xls
[2008/09/17 09:55:38 | 02,269,184 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\rate upload.xls
[2008/09/16 15:57:14 | 00,126,464 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\champ.doc
[2008/09/16 12:48:46 | 00,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2008/09/16 12:48:46 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2008/09/16 12:48:45 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbscan.sys
[2008/09/16 12:48:45 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2008/09/16 11:46:41 | 00,083,968 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\CA3QRYV7.xls
[2008/09/16 11:44:00 | 00,055,296 | ---- | C] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Tile Rate Analysis.xls

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[1 C:\Documents and Settings\phg8ht.AMER\Desktop\*.tmp files]
[2008/10/14 20:10:02 | 00,421,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\phg8ht.AMER\Desktop\OTViewIt.exe
[2008/10/14 19:51:27 | 00,002,295 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk
[2008/10/14 19:51:24 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2008/10/14 19:51:15 | 00,000,304 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2008/10/14 19:49:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/14 19:49:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/14 17:29:55 | 00,013,858 | ---- | M] () -- C:\WINDOWS\Jam7w32.ini
[2008/10/14 17:29:51 | 46,181,5808 | ---- | M] () -- C:\VIP.mdb
[2008/10/14 08:41:54 | 00,001,434 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Home Depot Laptop 101.lnk
[2008/10/14 08:40:31 | 00,000,186 | ---- | M] () -- C:\comply.ini
[2008/10/13 11:01:27 | 00,082,944 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Sample Freight Cost Report.xls
[2008/10/13 08:25:39 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/10 16:53:29 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Copy of Transit Template (2) (2).xls
[2008/10/10 16:45:50 | 00,058,880 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Patio-Grill Tracking Report 10-09-08 (2).xls
[2008/10/10 16:43:55 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Amd Summary Template.doc
[2008/10/10 16:18:31 | 00,132,608 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Fax Coversheet.doc
[2008/10/10 10:59:08 | 00,015,872 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\ncaaweek7(1).xls
[2008/10/09 17:02:10 | 00,260,096 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Slides for HMM Meeting.ppt
[2008/10/09 17:01:57 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Graphs for HMM Meeting.xls
[2008/10/08 16:30:13 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Multi Container Rimax POs.xls
[2008/10/06 17:16:39 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Copy of NingboQingdaoDalian - CFS.xls
[2008/10/06 11:46:57 | 00,297,984 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\carrier_mqc summary_100608.ppt
[2008/10/06 11:20:26 | 00,295,424 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\carrier_mqc summary_080108.ppt
[2008/10/03 12:11:45 | 00,525,571 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\My Documents\QRY_Make Allocated FRT Rates.xls
[2008/10/03 10:56:14 | 00,064,512 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Patio-Grill Tracking Report NYK 10-02-08 .xls
[2008/10/02 18:00:00 | 00,002,505 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\phg8ht.lnk
[2008/10/02 15:47:43 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\ncaaweek6(1).xls
[2008/10/02 13:16:36 | 00,249,881 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/10/02 13:00:43 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\HijackThis.lnk
[2008/10/01 13:54:20 | 00,236,544 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Allocation Summary.ppt
[2008/09/30 15:27:41 | 00,015,872 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Optimized Tile Routing Guide.xls
[2008/09/30 08:21:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/09/29 16:28:35 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\DC_CY Vllokup.xls
[2008/09/25 22:00:21 | 01,803,264 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\MLOG WK 44.xls
[2008/09/25 18:04:22 | 01,596,928 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Carrier Rate Matrix_081908(sans CHHK).xls
[2008/09/25 17:12:34 | 01,115,648 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Xiamen Carrier Priority List - 9 23 (3).xls
[2008/09/25 15:25:36 | 00,116,736 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\EstVol218768EstVol(1).xls
[2008/09/25 15:22:11 | 00,100,026 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\GTN Volume_2.xls
[2008/09/25 15:21:14 | 00,050,176 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\GTN_volume_upload.xls
[2008/09/25 15:19:31 | 00,209,920 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\DraftRequest218768(1).xls
[2008/09/23 18:17:51 | 00,798,720 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\2008_Carrier_Ranking_NYKL_091808(2).xls
[2008/09/23 18:12:11 | 00,341,504 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\2008_Carrier Ranking_MLOG_091808 (2).xls
[2008/09/18 14:41:33 | 00,126,464 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\champ.doc
[2008/09/18 11:30:28 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Copy of Fantasy $ 08 (2).xls
[2008/09/17 14:47:30 | 00,447,819 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\My Documents\QRY_Add Actual Ocean Costs.xls
[2008/09/17 14:43:47 | 00,868,479 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\My Documents\QRY_Add Actual Carrier.xls
[2008/09/17 14:36:58 | 00,010,820 | -H-- | M] () -- C:\WINDOWS\System32\jeterr35.GID
[2008/09/17 11:54:00 | 00,830,306 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\QRY_Make FRT Rates.xls
[2008/09/17 10:40:12 | 02,269,184 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\rate upload.xls
[2008/09/16 11:46:41 | 00,083,968 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\CA3QRYV7.xls
[2008/09/16 11:44:00 | 00,055,296 | ---- | M] () -- C:\Documents and Settings\phg8ht.AMER\Desktop\Tile Rate Analysis.xls
< End of report >



OTViewIt Extras logfile created on: 10/14/2008 8:10:25 PM - Run
OTViewIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\phg8ht.AMER\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.47% Memory free
3.85 Gb Paging File | 3.38 Gb Available in Paging File | 87.93% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 31.20 Gb Free Space | 55.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DVLTPHG8HTA
Current User Name: phg8ht
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
"DisableUnicastResponsesToMulticastBroadcast"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 03:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\_INTEGRA\BIN\CCMAGENT.EXE:*:Enabled:Symantec CCM Windows Agent
[2004/08/04 03:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2004/05/17 13:27:28 | 00,032,859 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\dpmw32.exe:*:Enabled:NDPS RPM & Notification Listener
[2007/05/21 10:48:36 | 00,932,944 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe:*:Enabled:DkService

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 03:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\_INTEGRA\BIN\CCMAGENT.EXE:*:Enabled:Symantec CCM Windows Agent
[2004/08/04 03:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2004/05/17 13:27:28 | 00,032,859 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\dpmw32.exe:*:Enabled:dpmw32.exe

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [Novell Directory Services Name Provider] -- C:\WINDOWS\system32\NetWare\nwws2nds.dll (Novell, Inc.)
NameSpace_Catalog5\Catalog_Entries\000000000005 [Novell IPX/SPX SAP Name Provider] -- C:\WINDOWS\system32\NetWare\nwws2sap.dll (Novell, Inc.)
NameSpace_Catalog5\Catalog_Entries\000000000006 [Novell SLP Provider] -- C:\WINDOWS\system32\NetWare\nwws2slp.dll (Novell, Inc.)
Protocol_Catalog9\Catalog_Entries\000000000001 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000002 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000003 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000004 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000005 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000006 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000007 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000008 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000009 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000010 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000011 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000012 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000013 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000014 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000015 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000016 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000017 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)
Protocol_Catalog9\Catalog_Entries\000000000018 -- C:\WINDOWS\system32\PGPlsp.dll (PGP Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2000/04/19 18:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/06/03 01:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/25 14:29:56 | 08,071,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{023DBB60-2689-4EFC-A2A6-4CCDB3A9A5BF}"=PatchLink Update Agent
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}"=Apple Software Update
"{075473F5-846A-448B-BCB3-104AA1760205}"=RecordNow Data
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Sonic DLA
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}"=ThinkPad Keyboard Customizer Utility
"{25BA4519-8E2F-4BBC-9C67-7A1831D06F9D}"=Brio Quickview
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150000}"=J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{42D54D39-481D-451C-B00D-F96B31D0B636}"=Sametime Connect 6.5
"{4F90002E-F120-43B4-8CCF-33DFD6A1D72C}"=Diskeeper 2007 Professional
"{55E9AF11-4B40-4BBF-A212-813C0FDF000E}"=Odyssey Client
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}"=VPN Client
"{5D7410D9-BF10-4A8F-9D4E-6A49C31FDD81}"=Resource Central Addin
"{5E8858EC-6B09-4939-99F2-5678073A0327}"=Microsoft Office Live Meeting 2005
"{63F6DCD6-0D5C-4A07-B27C-3AE3E809D6E0}"=DB2 Run-Time Client
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}"=Sonic Express Labeler
"{691773C6-B26C-467A-88D2-8CC1B88EA6F9}"=DB2 Datasources
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142060}"=Java 2 Runtime Environment, SE v1.4.2_06
"{7148F0A8-6813-11D6-A77B-00B0D0142120}"=Java 2 Runtime Environment, SE v1.4.2_12
"{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}"=Symantec AntiVirus
"{7E92188F-8AE6-40FF-9FBC-D89872115770}"=Fiberlink Global Remote
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{903A0409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Project Standard 2003
"{90520409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Visio Viewer 2003 (English)
"{90530409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Visio Standard 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}"=InterVideo WinDVD
"{95B30409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Project Add-in for Outlook
"{98A73891-2E04-40AA-B5C4-2FA204A580DF}"=PGP Desktop
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}"=ThinkPad Power Manager
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=RecordNow Audio
"{AC76BA86-1033-F400-BA7E-000000000003}"=Adobe Acrobat 8 Standard - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A81000000003}"=Adobe Reader 8.1.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=RecordNow Copy
"{C05B6265-05DA-44D1-955D-B94E74799BA8}"=Imports
"{C2CDE75C-CA51-4335-9C13-84C00E6093A5}"=Windows Media Player Enterprise Deployment
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B3}"=WinZip 11.0
"{D3165B12-ECC6-4638-A255-65CB4EF47F00}"=VERITAS Enterprise Vault User Extensions 6.0
"{DE8EB6E2-208E-45EC-A171-FFC09C092D5D}"=THD Firewall Authenticator
"{EC122200-F38C-4CA7-9957-3B6FACB842D9}"=DataDirect SequeLink 5.5 Client for ODBC
"{EEB3C032-9817-4232-B0E9-A730AA45C30C}"=Lotus Notes
"{F394DCE6-65EF-4034-A2C8-530462F809DE}"=Platts on the Net
"{F64475E0-49B0-44FF-A0FF-1F6E8EE1DBE7}"=RockPort Installation
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}"=ThinkPad Configuration
"{FC8931FA-B2DB-47D8-A3D5-8D557ED78933}"=Webroot® Client
"Adobe Acrobat 8 Standard - English, Français, Deutsch"=Adobe Acrobat 8 Standard - English, Français, Deutsch
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"ATI Display Driver"=ATI Display Driver
"Citrix ICA Web Client"=Citrix ICA Web Client
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588"=ThinkPad Modem
"eRoom 7"=eRoom 7
"HijackThis"=HijackThis 2.0.2
"IBMCATS"=IBMCATS
"JRE 1.3.1_02"=Java 2 Runtime Environment Standard Edition v1.3.1_02
"LiveUpdate"=LiveUpdate 3.0 (Symantec Corporation)
"matrix42 EmpInventory"=EmpInventory 11.0
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Novell Client for Windows"=Novell Client for Windows
"Office8.0"=Microsoft Office 97, Professional Edition
"Power Management Driver"=ThinkPad Power Management Driver
"Presentation Director"=ThinkPad Presentation Director
"PROSet"=Intel® PRO Network Connections Drivers
"SequeLink Client"=SequeLink Client
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"ThinkPad FullScreen Magnifier"=ThinkPad FullScreen Magnifier
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/10/2008 8:46:05 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Update Agent | ID = 2
Description = Error reading system uptime

Error - 10/10/2008 1:40:55 PM | Computer Name = DVLTPHG8HTA | Source = PatchLink Update Agent | ID = 2
Description = Error reading system uptime

Error - 10/13/2008 8:25:41 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Update Agent | ID = 2
Description = Error reading system uptime

Error - 10/13/2008 1:40:29 PM | Computer Name = DVLTPHG8HTA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 10/13/2008 1:42:03 PM | Computer Name = DVLTPHG8HTA | Source = PatchLink Update Agent | ID = 2
Description = Error reading system uptime

Error - 10/14/2008 8:40:32 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Update Agent | ID = 2
Description = Error reading system uptime

Error - 10/14/2008 7:49:54 PM | Computer Name = DVLTPHG8HTA | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 10/14/2008 7:49:59 PM | Computer Name = DVLTPHG8HTA | Source = PatchLink Update Agent | ID = 2
Description = Error reading system uptime

Error - 10/14/2008 7:50:57 PM | Computer Name = DVLTPHG8HTA | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 10/14/2008 7:50:58 PM | Computer Name = DVLTPHG8HTA | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ Patchlink Events ]
Error - 10/7/2008 11:40:34 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

Error - 10/8/2008 11:34:41 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

Error - 10/8/2008 11:36:17 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = Error occurred posting detection to PLUS (incremental diff) -
error code = -30 error msg = 'Error: Invalid CheckSum'

Error - 10/9/2008 11:36:27 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

Error - 10/10/2008 11:50:07 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

Error - 10/10/2008 11:52:00 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = Error occurred posting detection to PLUS (incremental diff) -
error code = -30 error msg = 'Error: Invalid CheckSum'

Error - 10/13/2008 8:34:58 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

Error - 10/13/2008 8:36:27 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = Error occurred posting detection to PLUS (incremental diff) -
error code = -30 error msg = 'Error: Invalid CheckSum'

Error - 10/13/2008 11:38:03 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

Error - 10/14/2008 11:44:25 AM | Computer Name = DVLTPHG8HTA | Source = PatchLink Detection Agent | ID = 2
Description = EvaluateFileOrProductVersion() return error

[ System Events ]
Error - 10/14/2008 9:08:15 AM | Computer Name = DVLTPHG8HTA | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference
error message: The operation completed successfully. .

Error - 10/14/2008 11:42:49 AM | Computer Name = DVLTPHG8HTA | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 10/14/2008 11:42:49 AM | Computer Name = DVLTPHG8HTA | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 10/14/2008 11:42:49 AM | Computer Name = DVLTPHG8HTA | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 10/14/2008 7:49:54 PM | Computer Name = DVLTPHG8HTA | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain AMER due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 10/14/2008 7:49:57 PM | Computer Name = DVLTPHG8HTA | Source = PlugPlayManager | ID = 12
Description = The device 'Intel® PRO/1000 PL Network Connection' (PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192ac53f&0&00E0)
disappeared from the system without first being prepared for removal.

Error - 10/14/2008 7:50:00 PM | Computer Name = DVLTPHG8HTA | Source = Print | ID = 23
Description = Printer Fax failed to initialize because a suitable Windows NT Fax
Driver driver could not be found.

Error - 10/14/2008 7:51:19 PM | Computer Name = DVLTPHG8HTA | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 10/14/2008 7:51:21 PM | Computer Name = DVLTPHG8HTA | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 10/14/2008 8:06:19 PM | Computer Name = DVLTPHG8HTA | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.


< End of report >

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:20 AM

Posted 14 October 2008 - 08:53 PM

Hello, paulh5533.
We need to run ComboFix.
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 paulh5533

paulh5533
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 14 October 2008 - 09:17 PM

Thanks for your help Billy. Here's the ComboFix log:



ComboFix 08-10-14.07 - phg8ht 2008-10-14 22:06:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1387 [GMT -4:00]
Running from: C:\Documents and Settings\phg8ht.AMER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\phg8ht.AMER\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\phg8ht.AMER\Application Data\rhcvumj0el8v
C:\Documents and Settings\phg8ht\Local Settings\Temporary Internet Files\i.xls
C:\Program Files\Microsoft Common
C:\Program Files\Microsoft Common\wuauclt.exe
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\dbxDgrevCheck.dll
C:\WINDOWS\system32\JjmWFfhk.ini
C:\WINDOWS\system32\JjmWFfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-02 13:00 . 2008-10-02 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 12:48 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-16 12:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-16 12:48 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-16 12:48 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 02:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-15 02:09 --------- d-----w C:\Program Files\RSDP
2008-10-15 00:40 --------- d-----w C:\Program Files\DesktopAuthority
2008-10-03 12:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-03 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-08 16:14 3,876 ----a-w C:\WINDOWS\system32\vufxiokk.exe
2008-08-07 16:16 3,876 ----a-w C:\WINDOWS\system32\osqaierd.exe
2008-08-06 16:10 3,876 ----a-w C:\WINDOWS\system32\flftvlms.exe
2008-08-06 13:25 3,876 ----a-w C:\WINDOWS\system32\umpcmlom.exe
2008-08-05 13:16 3,876 ----a-w C:\WINDOWS\system32\ttmnijqr.exe
2006-08-21 16:15 9,621,504 ----a-w C:\Program Files\internet explorer\plugins\axbqv32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{393c768e-7a38-4aef-b888-d3e54b555a69}]
2008-07-08 12:23 103936 --a------ C:\WINDOWS\system32\anagxj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-07-17 2321600]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2005-08-15 1015871]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-05 94208]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 32859]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
"Desktop Authority GUI"="C:\Program Files\DesktopAuthority\rmgui.exe" [2008-02-09 485296]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2007-01-04 421888]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"DA Remote Management GUI"="C:\Program Files\DesktopAuthority\rmgui.exe" [2008-02-09 485296]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\phg8ht\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2007-07-03 153336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-000000000003}\_SC_Acrobat.exe [2007-07-12 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Backup of Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-05-11 40048]
Backup of Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]
Backup of WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-21 394856]
PGPtray.exe.lnk - C:\WINDOWS\Installer\{98A73891-2E04-40AA-B5C4-2FA204A580DF}\Icon6560581611.exe [2008-01-03 55296]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-21 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDispScrSavPage"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"ConfirmFileDelete"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2007-07-03 15:39 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=DAinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpmw32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5631:TCP"= 5631:TCP:PC Anywhere Port 1
"5632:UDP"= 5632:UDP:PC Anywhere Port 2
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pgpfs;PGP File Sharing;C:\WINDOWS\system32\Drivers\PGPfsfd.sys [2007-10-24 97792]
R0 PGPwded;PGPwded Storage Filter Service;C:\WINDOWS\system32\drivers\PGPwded.sys [2007-10-24 172544]
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-09-27 20280]
R1 enstart_;enstart_;C:\WINDOWS\system32\enstart_.sys [2008-04-18 31744]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2006-05-26 4442]
R2 DAInfo;DA Remote Management Kernel Information Provider;C:\Program Files\DesktopAuthority\DAInfo.sys [2008-02-09 12080]
R2 DAMaint;DA Remote Management Maintenance Service;C:\Program Files\DesktopAuthority\DaMaint.exe [2008-02-09 63408]
R2 DAtf;DA Remote Management Token Factory;C:\Program Files\DesktopAuthority\DAtf.sys [2008-02-09 11184]
R2 DesktopAuthority;DA Remote Management Service;C:\Program Files\DesktopAuthority\DesktopAuthority.exe [2008-02-09 1312688]
R2 enstart;enstart;C:\WINDOWS\system32\enstart.exe [2008-04-18 491520]
R2 PGPdisk;PGPdisk;C:\WINDOWS\system32\drivers\PGPdisk.sys [2007-10-24 224256]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2007-10-24 33792]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [2008-02-28 556960]
R2 SniDmi;SniDmi;C:\WINDOWS\system32\drivers\snidmi.sys [2008-06-20 15104]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-08-15 184832]
R4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2004-09-09 227285]
S3 DAmirr;DAmirr;C:\WINDOWS\system32\DRIVERS\DAmirr.sys [ ]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 36676]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 24344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - E:\system.exe
\Shell\Open\command - E:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-26 01:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{FEF1439E-5344-43F9-995F-B530FC48A047} - C:\WINDOWS\system32\khfFWmjJ.dll
MSConfigStartUp-lphcrumj0el8v - C:\WINDOWS\system32\lphcrumj0el8v.exe
MSConfigStartUp-SMrhcvumj0el8v - C:\Program Files\rhcvumj0el8v\rhcvumj0el8v.exe
MSConfigStartUp-System32 - C:\WINDOWS\system32\winds32.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://cphpdoc1.homedepot.com/
R0 -: HKLM-Main,Start Page = hxxp://cphpdoc1.homedepot.com/
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 -: Trusted Zone: *.gomyhit.com
O15 -: Trusted Zone: *.imageservr.com
O15 -: Trusted Zone: *.imagesrvr.com
O15 -: Trusted Zone: *.storageguardsoft.com

O16 -: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
C:\WINDOWS\Downloaded Program Files\dbplugin.inf
C:\WINDOWS\system32\DNLEng.dll
C:\WINDOWS\system32\dbxDgrevCheck.dll
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\dbplugin.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 22:11:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\RSDP\blackd.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Client\CommAgent.exe
C:\Program Files\Webroot\Client\SPYSWEEPER.EXE
.
**************************************************************************
.
Completion time: 2008-10-14 22:15:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 02:15:20

Pre-Run: 33,400,778,752 bytes free
Post-Run: 33,611,309,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

246

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:20 AM

Posted 14 October 2008 - 09:49 PM

Hello, paulh5533.
Your system is infected with a Flash Drive infector
Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector. We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system. It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let the owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to remove the Flash Drive infector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/172494/cant-stop-pop-ups/
    
    suspect::[54]
    C:\WINDOWS\system32\odyEvent.dll
    C:\WINDOWS\system32\enstart_.sys
    C:\Program Files\DesktopAuthority\DesktopAuthority.exe
    
    file::
    C:\WINDOWS\system32\vufxiokk.exe
    C:\WINDOWS\system32\osqaierd.exe
    C:\WINDOWS\system32\flftvlms.exe
    C:\WINDOWS\system32\umpcmlom.exe
    C:\WINDOWS\system32\ttmnijqr.exe
    C:\Program Files\internet explorer\plugins\axbqv32.dll
    C:\WINDOWS\system32\anagxj.dll
    E:\system.exe
    
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{393c768e-7a38-4aef-b888-d3e54b555a69}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
    
    driver::
    DAmirr
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
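The diagnosis above rests on two things visible in the ComboFix log: the MountPoints2 entries whose AutoRun/Open/Explore verbs launch system.exe and auto.exe from the root of a mounted volume (the classic autorun.inf flash-drive infector), and the Security Center values that silence the "no antivirus / no updates" warnings. The following script is an added example, not part of this thread and not code from ComboFix, Flash_Disinfector or any tool the helpers mention. It parses ComboFix-style "Reg Loading Points" text and flags those two indicators. The input is constructed: the MountPoints2 and Security Center blocks copied from the log above, plus one invented benign entry (GUID 11111111-...) that launches a fully qualified program, to show what does not get flagged.

```python
"""
Added example: triage ComboFix "Reg Loading Points" output for
autorun-based flash-drive infector persistence and Security Center
notification suppression. Not part of ComboFix or the forum thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the MountPoints2 / Security Center blocks from the
# log above, plus one invented benign entry ({11111111-...}) as a control.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0db68694-641f-11dd-a7c2-001b7708a2a4}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - E:\system.exe
\Shell\Open\command - E:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db760bae-5862-11dd-a7a7-001b7708a2a4}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\AutoRun\command - C:\Program Files\Vendor\Backup.exe /autorun
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
# Heuristic (an assumption of this example): a command whose last token is a
# bare *.exe with no directory is resolved relative to the mounted volume,
# which is how an autorun.inf on an infected stick points at its payload.
RELATIVE_EXE_RE = re.compile(r"(?:^|\s)(?P<exe>[A-Za-z0-9_]+\.exe)\s*$", re.IGNORECASE)
# An executable sitting directly in a drive root (E:\system.exe).
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    key: str
    reasons: List[str] = field(default_factory=list)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the preceding [registry key] header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_mountpoint(key: str, lines: List[str]) -> Finding:
    """Flag MountPoints2 verbs that launch a volume-relative or drive-root exe."""
    f = Finding(key)
    verbs = {}
    for line in lines:
        m = VERB_RE.match(line)
        if m:
            verbs[m.group("verb").lower()] = m.group("cmd")
    for verb, cmd in verbs.items():
        if RELATIVE_EXE_RE.search(cmd):
            f.reasons.append(f"{verb}: runs volume-relative executable '{cmd}'")
        elif ROOT_EXE_RE.match(cmd):
            f.reasons.append(f"{verb}: runs executable from drive root '{cmd}'")
    # Infectors override Open/Explore so a double-click on the drive also runs
    # the payload; legitimate autorun entries normally set only AutoRun.
    hijacked = sorted(v for v in ("open", "explore") if v in verbs)
    if hijacked:
        f.reasons.append("double-click/Explore verbs overridden: " + ", ".join(hijacked))
    return f


def check_security_center(key: str, lines: List[str]) -> Finding:
    """Flag *DisableNotify / DisableMonitoring values set to 1."""
    f = Finding(key)
    for line in lines:
        m = VALUE_RE.match(line)
        if not m or int(m.group("val"), 16) != 1:
            continue
        if m.group("name").lower().endswith(("disablenotify", "disablemonitoring")):
            f.reasons.append(f"{m.group('name')} = 1 (Security Center warning suppressed)")
    return f


def analyze(text: str) -> List[Finding]:
    """Return only the sections that produced at least one reason."""
    findings: List[Finding] = []
    for key, lines in parse_sections(text).items():
        lk = key.lower()
        if "\\explorer\\mountpoints2\\" in lk:
            f = check_mountpoint(key, lines)
        elif "\\security center" in lk:
            f = check_security_center(key, lines)
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding.key)
        for reason in finding.reasons:
            print("   ", reason)
```

Run against the constructed sample it reports the two infected mount points and the Security Center keys, and stays silent on the control entry, because that one runs a fully pathed program from C:\ rather than something relative to the inserted volume. On a live system the same checks apply to HKCU\...\Explorer\MountPoints2 directly; the MountPoints2 entries only record what autorun.inf on a previously inserted volume asked for, which is why the helper also insists on cleaning every stick that touched the machine.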

#9 paulh5533

paulh5533
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 14 October 2008 - 10:28 PM

Here's the new ComboFix log:



ComboFix 08-10-14.07 - phg8ht 2008-10-14 23:16:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1448 [GMT -4:00]
Running from: C:\Documents and Settings\phg8ht.AMER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\phg8ht.AMER\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\internet explorer\plugins\axbqv32.dll
C:\WINDOWS\system32\anagxj.dll
C:\WINDOWS\system32\flftvlms.exe
C:\WINDOWS\system32\osqaierd.exe
C:\WINDOWS\system32\ttmnijqr.exe
C:\WINDOWS\system32\umpcmlom.exe
C:\WINDOWS\system32\vufxiokk.exe
E:\system.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\plugins\axbqv32.dll
C:\WINDOWS\system32\anagxj.dll
C:\WINDOWS\system32\flftvlms.exe
C:\WINDOWS\system32\osqaierd.exe
C:\WINDOWS\system32\ttmnijqr.exe
C:\WINDOWS\system32\umpcmlom.exe
C:\WINDOWS\system32\vufxiokk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_DAmirr


((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-02 13:00 . 2008-10-02 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 12:48 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-16 12:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-16 12:48 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-16 12:48 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 03:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-15 03:20 --------- d-----w C:\Program Files\RSDP
2008-10-15 03:16 --------- d-----w C:\Program Files\DesktopAuthority
2008-10-03 12:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-03 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
.

((((((((((((((((((((((((((((( snapshot@2008-10-14_22.14.52.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-15 03:21:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b4.dat
+ 2008-10-15 03:21:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-07-17 2321600]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2005-08-15 1015871]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-05 94208]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 32859]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
"Desktop Authority GUI"="C:\Program Files\DesktopAuthority\rmgui.exe" [2008-02-09 485296]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2007-01-04 421888]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"DA Remote Management GUI"="C:\Program Files\DesktopAuthority\rmgui.exe" [2008-02-09 485296]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\phg8ht\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2007-07-03 153336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-000000000003}\_SC_Acrobat.exe [2007-07-12 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Backup of Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-05-11 40048]
Backup of Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]
Backup of WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-21 394856]
PGPtray.exe.lnk - C:\WINDOWS\Installer\{98A73891-2E04-40AA-B5C4-2FA204A580DF}\Icon6560581611.exe [2008-01-03 55296]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-21 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDispScrSavPage"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"ConfirmFileDelete"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2007-07-03 15:39 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=DAinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpmw32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5631:TCP"= 5631:TCP:PC Anywhere Port 1
"5632:UDP"= 5632:UDP:PC Anywhere Port 2
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pgpfs;PGP File Sharing;C:\WINDOWS\system32\Drivers\PGPfsfd.sys [2007-10-24 97792]
R0 PGPwded;PGPwded Storage Filter Service;C:\WINDOWS\system32\drivers\PGPwded.sys [2007-10-24 172544]
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-09-27 20280]
R1 enstart_;enstart_;C:\WINDOWS\system32\enstart_.sys [2008-04-18 31744]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2006-05-26 4442]
R2 DAInfo;DA Remote Management Kernel Information Provider;C:\Program Files\DesktopAuthority\DAInfo.sys [2008-02-09 12080]
R2 DAMaint;DA Remote Management Maintenance Service;C:\Program Files\DesktopAuthority\DaMaint.exe [2008-02-09 63408]
R2 DAtf;DA Remote Management Token Factory;C:\Program Files\DesktopAuthority\DAtf.sys [2008-02-09 11184]
R2 enstart;enstart;C:\WINDOWS\system32\enstart.exe [2008-04-18 491520]
R2 PGPdisk;PGPdisk;C:\WINDOWS\system32\drivers\PGPdisk.sys [2007-10-24 224256]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2007-10-24 33792]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [2008-02-28 556960]
R2 SniDmi;SniDmi;C:\WINDOWS\system32\drivers\snidmi.sys [2008-06-20 15104]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-08-15 184832]
S2 DesktopAuthority;DA Remote Management Service;C:\Program Files\DesktopAuthority\DesktopAuthority.exe [2008-02-09 1312688]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 36676]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 24344]
S4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2004-09-09 227285]
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-26 01:13]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 23:22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\RSDP\blackd.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Client\CommAgent.exe
C:\Program Files\Webroot\Client\SPYSWEEPER.EXE
.
**************************************************************************
.
Completion time: 2008-10-14 23:26:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 03:26:18
ComboFix2.txt 2008-10-15 02:15:27

Pre-Run: 33,583,595,520 bytes free
Post-Run: 33,554,776,064 bytes free


#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:20 AM

Posted 15 October 2008 - 05:43 AM

Hello, paulh5533.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7 ... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note for Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3
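The reply above reads three things straight out of the ComboFix log in post #9: the Java version embedded in the "SunJavaUpdateSched" autorun path (jre1.6.0_03, older than the 6 Update 7 the reply links to), the Security Center values that silence the antivirus and update warnings, and the Windows Update policy that turns Automatic Updates off. The firewall section of the same log also lists ports opened to every sender (5631/5632 for pcAnywhere and 3389 for Remote Desktop). The script below is an added example, not BleepingComputer's, ComboFix's or the responder's own code: it parses a ComboFix-style registry dump and reports those findings so the triage does not depend on reading the log by eye. The sample log is constructed from lines copied from post #9; the "latest" JRE version (1.6.0 Update 7) is taken from the reply and is an assumption of the example, as is the list of value names treated as tampering indicators.

```python
"""Triage a ComboFix-style log for the indicators acted on in the reply above.
Added example; not ComboFix's or BleepingComputer's own tooling."""
import re

# Constructed sample, copied in the shape of the ComboFix log in post #9.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5631:TCP"= 5631:TCP:PC Anywhere Port 1
"5632:UDP"= 5632:UDP:PC Anywhere Port 2
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# value name -> (substring the section path must contain, meaning when set to 1).
# Assumed list for this example; each value hides a warning the user would
# otherwise rely on to notice that AV or patching has been switched off.
TAMPER_KEYS = {
    "antivirusdisablenotify": ("security center", "Security Center AV warnings suppressed"),
    "updatesdisablenotify": ("security center", "Security Center update warnings suppressed"),
    "disablemonitoring": ("security center\\monitoring", "Security Center no longer monitors the AV product"),
    "noautoupdate": ("windowsupdate\\au", "Automatic Updates disabled by policy"),
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))')
JRE_RE = re.compile(r"jre(?P<ver>\d+\.\d+\.\d+)_(?P<upd>\d+)", re.IGNORECASE)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')


def parse_sections(text):
    """Group the registry dump into {section path (lowercased): [value lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def outdated_jre(text, latest=(1, 6, 0, 7)):
    """JRE versions found in autorun paths that are older than `latest`
    (default 1.6.0 Update 7, the release the reply points at)."""
    found = set()
    for m in JRE_RE.finditer(text):
        ver = tuple(int(p) for p in m.group("ver").split("."))
        found.add(ver + (int(m.group("upd")),))
    return sorted(f"{a}.{b}.{c}_{u:02d}" for (a, b, c, u) in found if (a, b, c, u) < latest)


def tamper_findings(text):
    """(value name, meaning, section) for each tampering indicator set to 1."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            m = VALUE_RE.match(line)
            if not m:
                continue  # e.g. a Run entry whose data is a quoted path
            name = m.group("name").lower()
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            if name in TAMPER_KEYS and value == 1 and TAMPER_KEYS[name][0] in section:
                findings.append((name, TAMPER_KEYS[name][1], section))
    return findings


def open_ports(text):
    """(port, protocol, label) for every GloballyOpenPorts firewall entry."""
    ports = []
    for section, lines in parse_sections(text).items():
        if "globallyopenports" not in section:
            continue
        for line in lines:
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group("port")), m.group("proto"), m.group("label")))
    return ports


if __name__ == "__main__":
    for v in outdated_jre(SAMPLE_LOG):
        print(f"outdated JRE in autorun path: {v}")
    for name, meaning, section in tamper_findings(SAMPLE_LOG):
        print(f"{meaning}: {name}=1 under [{section}]")
    for port, proto, label in open_ports(SAMPLE_LOG):
        print(f"firewall port open to all: {port}/{proto} ({label})")
```

Treat the registry findings as leads, not verdicts. The same log shows enterprise management agents (Desktop Authority, PatchLink Update Agent, ScriptLogic), and an administrator may have set "NoAutoUpdate" or "DisableMonitoring" deliberately so that a central patching and AV console, rather than the local Security Center, does the alerting. The script restricts "NoAutoUpdate" to the windowsupdate\au policy key for the same reason: the value of the same name under the Explorer policy key in post #9 is set to 0 and means something different.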

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:20 AM

Posted 19 October 2008 - 09:16 PM

Hello, paulh5533.
Are you still here?

Billy3

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:20 AM

Posted 20 October 2008 - 05:28 PM

Hello, paulh5533.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



