Rootkit.TDSS removed using Combofix, files in root d:\ do not open now


  • This topic is locked
24 replies to this topic

#1 hartley

  • Members
  • 14 posts

Posted 01 October 2009 - 08:05 AM

Infected with Rootkit.TDSS. Apparently removed using Combofix. I ran it from D:\ instead of the desktop. The computer seems to be running fine now, but I cannot open any files that were in the root of d:\. These files include .doc, .jpg, .pdf and .txt files. The folders in d:\ are OK, and the files inside the folders are still fine and can be opened. Everything else is also OK.

1) Why is it important to run Combofix from the desktop? (it is instructed but I have not come across any explanation for it).
2) Double-clicking the mentioned files opens them, but with various error messages; .txt files open with garbled characters.
3) I have Credant mobile guardian running on the machine.

Thanks for comments and ideas.

----------------------------------------------------------------------------------------------------------------------------------------------
Blade's comments below.......

http://www.bleepingcomputer.com/forums/t/261296/removed-rootkittdss-using-combofix-files-in-root-d-do-not-open-now/

ComboFix (CF for short) is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. When CF is run without trained assistance, it can no longer be considered a "safe" tool. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

***************************************************


QUOTE
1) Why is it important to run Combofix from the desktop? (it is instructed but I have not come across any explanation for it).

At the request of the author, information about the inner workings of CF is not available for public view. That's the decision of the creator and we will abide by that decision. However, I will say that every instruction given by Staff here at BC is done so for the benefit of the user. Disregarding any detail can have serious consequences.

You will need to post a DDS log in the HJT forum so that a HJT Team member can take a look at your situation and see if the damage can be reversed.
Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. It will likely take 12-14 days for a reply due to the backlog of help requests.

~Blade









DDS (Ver_09-09-29.01) - NTFSx86
Run by smansoor at 7:03:46.81 on Thu 10/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.182 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
c:\PROGRA~1\Novadigm\radexecd.exe
c:\PROGRA~1\Novadigm\radsched.exe
c:\PROGRA~1\Novadigm\Radstgms.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\smansoor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Translator: {ff284f5c-7cf9-4682-8701-d467c1dbb99f} - d:\program files\prmt78\prmtie\prmtie.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CMGShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [RUNRADTRAY] c:\progra~1\novadigm\radtray.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [EXCEEDLOGS] RemoveExceedLogs.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [PSLIST] REG.EXE ADD HKCU\SOFTWARE\SYSINTERNALS\PSLIST /v EulaAccepted /t REG_DWORD /d 1 /F
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\connected\CBSysTray.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - d:\program files\prmt78\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - d:\program files\prmt78\prmtie\options.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-4-8 404592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-9-27 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-9-27 46864]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-7-16 31816]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-7-31 33664]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2009-4-8 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2009-4-8 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2007-5-7 52432]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-7-16 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-7-16 54608]
R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\novadigm\radexecd.exe [2007-2-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\novadigm\radsched.exe [2008-4-30 172210]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\novadigm\Radstgms.exe [2007-3-20 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [2007-5-7 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-3-1 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-3-1 10752]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-2-17 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-2-17 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-2-17 174952]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 ThreatFire;ThreatFire;d:\program files\threatfire\tfservice.exe service --> d:\program files\threatfire\TFService.exe service [?]
S3 0187;0187;\??\c:\windows\system32\0187.sys --> c:\windows\system32\0187.sys [?]
S3 0b613;0b613;\??\c:\windows\system32\0b613.sys --> c:\windows\system32\0b613.sys [?]
S3 0feB;0feB;\??\c:\windows\system32\0feb.sys --> c:\windows\system32\0feB.sys [?]
S3 2e3D;2e3D;\??\c:\windows\system32\2e3d.sys --> c:\windows\system32\2e3D.sys [?]
S3 4659;4659;\??\c:\windows\system32\4659.sys --> c:\windows\system32\4659.sys [?]
S3 76815;76815;\??\c:\windows\system32\76815.sys --> c:\windows\system32\76815.sys [?]
S3 c8210;c8210;\??\c:\windows\system32\c8210.sys --> c:\windows\system32\c8210.sys [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2009-4-8 161128]
S3 d8914;d8914;\??\c:\windows\system32\d8914.sys --> c:\windows\system32\d8914.sys [?]
S3 d8dF;d8dF;\??\c:\windows\system32\d8df.sys --> c:\windows\system32\d8dF.sys [?]
S3 ec78;ec78;\??\c:\windows\system32\ec78.sys --> c:\windows\system32\ec78.sys [?]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2005-1-10 10240]
S3 f7211;f7211;\??\c:\windows\system32\f7211.sys --> c:\windows\system32\f7211.sys [?]
S3 ff2C;ff2C;\??\c:\windows\system32\ff2c.sys --> c:\windows\system32\ff2C.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-12-31 693512]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-12-31 910600]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [2001-4-14 22474]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-9-27 33552]
S4 PD9Engine;PD9Engine;c:\program files\raxco\perfectdiskrx\PD9Engine.exe [2007-6-18 689680]

=============== Created Last 30 ================

2009-10-01 07:03 --d----- c:\temp\RarSFX0
2009-09-30 18:13 --d----- c:\temp\hsperfdata_smansoor
2009-09-30 16:39 --d----- c:\temp\WPDNSE
2009-09-30 14:57 --d----- c:\temp\VBDATA
2009-09-30 14:39 --d----- c:\temp\VBE
2009-09-30 14:37 3,255 a------- c:\windows\system32\wbem\Outlook_01ca42056bccbdee.mof
2009-09-30 13:23 3,255 a------- c:\windows\system32\wbem\Outlook_01ca41fb1f37276a.mof
2009-09-30 13:23 --d----- c:\temp\outlook logging
2009-09-30 13:22 --ds---- C:\ComboFix
2009-09-30 13:21 389,120 a------- c:\windows\system32\cmd.execf
2009-09-30 13:21 7 a------- C:\DF_RMS
2009-09-30 08:52 53,248 a------- c:\temp\catchme.dll
2009-09-30 08:24 --d----- c:\temp\W2K
2009-09-30 08:24 --d----- c:\temp\EPO
2009-09-30 08:24 --d----- c:\temp\RADIA
2009-09-29 13:13 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-29 13:13 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-29 13:13 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-09-29 13:13 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-09-29 13:13 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-09-29 13:13 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-09-29 13:13 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-09-29 13:13 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-09-29 13:11 604,253 ac------ c:\windows\system32\dllcache\vmodem.sys
2009-09-29 13:10 50,176 ac------ c:\windows\system32\dllcache\umaxp60.dll
2009-09-29 13:09 138,528 ac------ c:\windows\system32\dllcache\tgiulnt5.sys
2009-09-29 13:08 53,248 ac------ c:\windows\system32\dllcache\stlncoin.dll
2009-09-29 13:07 45,568 ac------ c:\windows\system32\dllcache\smb3w.dll
2009-09-29 13:06 6,784 ac------ c:\windows\system32\dllcache\serscan.sys
2009-09-29 13:05 82,432 ac------ c:\windows\system32\dllcache\rwia450.dll
2009-09-29 13:05 --d----- c:\temp\jkos-smansoor
2009-09-29 13:04 40,448 ac------ c:\windows\system32\dllcache\ql1240.sys
2009-09-29 13:03 105,984 ac------ c:\windows\system32\dllcache\phdsext.ax
2009-09-29 13:02 25,088 ac------ c:\windows\system32\dllcache\ovca.sys
2009-09-29 13:01 15,872 ac------ c:\windows\system32\dllcache\ne2000.sys
2009-09-29 13:00 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-09-29 12:59 22,848 ac------ c:\windows\system32\dllcache\lwusbhid.sys
2009-09-29 12:58 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-09-29 12:57 20,480 ac------ c:\windows\system32\dllcache\icam5ext.dll
2009-09-29 12:56 9,759 ac------ c:\windows\system32\dllcache\hsf_inst.dll
2009-09-29 12:55 59,136 ac------ c:\windows\system32\dllcache\gckernel.sys
2009-09-29 12:54 45,568 ac------ c:\windows\system32\dllcache\esunib.dll
2009-09-29 12:53 50,719 ac------ c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 12:52 14,720 ac------ c:\windows\system32\dllcache\dac960nt.sys
2009-09-29 12:51 164,923 ac------ c:\windows\system32\dllcache\diapi2.sys
2009-09-29 12:50 382,592 ac------ c:\windows\system32\dllcache\atidrab.dll
2009-09-28 13:49 --d----- c:\program files\WinPcap
2009-09-28 13:48 --d----- c:\program files\Sector69
2009-09-28 10:36 --d----- c:\temp\MessengerCache
2009-09-27 18:32 7 a------- c:\windows\system32\DF_RMS
2009-09-27 14:44 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-09-27 14:44 50,176 a------- c:\windows\system32\proquota.exe
2009-09-27 14:08 a-dshr-- C:\cmdcons
2009-09-27 14:08 --d----- c:\windows\setup.pss
2009-09-27 14:07 --d----- c:\windows\setupupd
2009-09-27 13:03 --d----- c:\program files\common files\Wise Installation Wizard
2009-09-27 12:49 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-09-27 12:49 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-09-27 12:49 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-09-27 11:06 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-22 09:01 --d----- c:\program files\Windows Live SkyDrive
2009-09-22 08:57 --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 08:35 61,224 a------- c:\documents and settings\smansoor\GoToAssistDownloadHelper.exe
2009-08-01 09:39 22,016 a------- c:\windows\system32\AdobePDF.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-10-13 08:45 88 ---shr-- c:\windows\system32\087FC146C5.sys
2008-10-13 08:45 3,818 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-06-11 17:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-01-12 11:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011220080113\index.dat

============= FINISH: 7:04:27.24 ===============
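The SERVICES / DRIVERS section of the DDS log above contains a run of S3 entries with short hex-like names (0187, 0b613, c8210, ...) whose image file DDS marks with `[?]`, plus entries marked `[x]` with no image path at all. What follows is an added example, not part of this thread and not code from DDS or BleepingComputer: a small Python parser that pulls that section out of a DDS log and lists the entries a reviewer should look at first. The sample log text is constructed for the example and modelled on the lines above; reading `[?]` as "file not found" and `[x]` as "no image path" is this example's assumption about DDS output, and the two heuristics (missing file, hex-like name with no real display name) are the example's own. A flag means "inspect this service key and file", not that the entry is malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in DDS format, modelled on the thread's log above.
# It is not the thread's log itself.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://hub.slb.com

============= SERVICES / DRIVERS ===============

R0 CmgShieldCEF;CmgShieldCEF;c:\\windows\\system32\\drivers\\CMGShCEF.sys [2009-4-8 404592]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\\Tb2Device.sys --> NetopiaRC\\Tb2Device.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S3 0187;0187;\\??\\c:\\windows\\system32\\0187.sys --> c:\\windows\\system32\\0187.sys [?]
S3 c8210;c8210;\\??\\c:\\windows\\system32\\c8210.sys --> c:\\windows\\system32\\c8210.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================
"""

# DDS section headers look like "===== Title =====".
SECTION_HEADER = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")

# One service/driver line: "<start> <name>;<display>;<path> [<meta>]".
ENTRY = re.compile(
    r"^(?P<start>[RS]\d)\s+"        # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"             # service key name
    r"(?P<display>[^;]*);"          # display name
    r"(?P<path>.*?)\s*"             # image path (may be empty, may contain '-->')
    r"\[(?P<meta>[^\]]*)\]\s*$"     # [date size]; assumed: [?] file not found, [x] no path
)

# Heuristic: 4-6 hex characters and nothing else (e.g. 0187, c8210, ff2C).
HEXISH_NAME = re.compile(r"[0-9a-f]{4,6}", re.IGNORECASE)


@dataclass
class Service:
    start: str
    name: str
    display: str
    path: str
    meta: str
    reasons: list = field(default_factory=list)

    @property
    def file_present(self) -> bool:
        # Assumption about DDS markers: anything other than [?] / [x] is a date+size.
        return self.meta not in ("?", "x")


def parse_services(text: str) -> list:
    """Return the Service entries from the SERVICES / DRIVERS section of a DDS log."""
    services, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            in_section = "SERVICES / DRIVERS" in header.group("title")
            continue
        if not in_section:
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        path = m.group("path")
        if "-->" in path:            # DDS prints "registry path --> resolved path"
            path = path.split("-->", 1)[1].strip()
        services.append(Service(m.group("start"), m.group("name"),
                                m.group("display"), path, m.group("meta")))
    return services


def triage(text: str) -> list:
    """Flag entries a reviewer should inspect first. Heuristics only: a hit is a
    prompt to look at the service key and file, not a verdict that it is malicious."""
    flagged = []
    for svc in parse_services(text):
        if not svc.file_present:
            svc.reasons.append("image file missing or no image path")
        if HEXISH_NAME.fullmatch(svc.name) and svc.name == svc.display:
            svc.reasons.append("short hex-like name with no real display name")
        if svc.reasons:
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        print(f"{svc.start} {svc.name:<12} {svc.path or '<none>':<40} {'; '.join(svc.reasons)}")
```

Run it against a full DDS log by passing the file's contents to `triage()`; entries that hit both heuristics (missing file and a random-looking name) are the ones to check in the registry under the Services key and on disk before deciding whether they are leftovers of a removal or a legitimate driver that was never installed cleanly.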

#2 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 19 October 2009 - 03:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 hartley

  • Topic Starter
  • Members
  • 14 posts

Posted 19 October 2009 - 06:40 AM

Thank you for responding. Problem details are at the start of the original post.



DDS (Ver_09-10-13.01) - NTFSx86
Run by smansoor at 6:33:40.65 on Mon 10/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.312 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
c:\PROGRA~1\Novadigm\radexecd.exe
c:\PROGRA~1\Novadigm\radsched.exe
c:\PROGRA~1\Novadigm\Radstgms.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Documents and Settings\smansoor\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://hub.slb.com
uDefault_Page_URL = hxxp://hub.slb.com
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Translator: {ff284f5c-7cf9-4682-8701-d467c1dbb99f} - d:\program files\prmt78\prmtie\prmtie.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Advanced SystemCare 3] "d:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [CMGShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [RUNRADTRAY] c:\progra~1\novadigm\radtray.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [EXCEEDLOGS] RemoveExceedLogs.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [PSLIST] REG.EXE ADD HKCU\SOFTWARE\SYSINTERNALS\PSLIST /v EulaAccepted /t REG_DWORD /d 1 /F
mRunOnce: [SLBRMS_Check] c:\progra~1\novadigm\RADREXXW.EXE VIPEVENT.REX SLBRMS
mRunOnce: [SLB_RMS] regedit /s c:\temp\radia\ms_office_2k7_rms\rms_client\RMS.cfg
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\connected\CBSysTray.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - d:\program files\prmt78\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - d:\program files\prmt78\prmtie\options.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\smansoor\applic~1\mozilla\firefox\profiles\7hy4ppd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hub.slb.com/
FF - plugin: c:\documents and settings\smansoor\application data\mozilla\firefox\profiles\7hy4ppd3.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-4-8 404592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-9-27 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-9-27 46864]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-7-31 33664]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2009-4-8 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2009-4-8 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2007-5-7 52432]
R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\novadigm\radexecd.exe [2007-2-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\novadigm\radsched.exe [2009-6-5 172210]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\novadigm\Radstgms.exe [2009-2-17 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [2007-5-7 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-3-1 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-3-1 10752]
R3 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-12-31 693512]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 ThreatFire;ThreatFire;d:\program files\threatfire\tfservice.exe service --> d:\program files\threatfire\TFService.exe service [?]
S3 0187;0187;\??\c:\windows\system32\0187.sys --> c:\windows\system32\0187.sys [?]
S3 0b613;0b613;\??\c:\windows\system32\0b613.sys --> c:\windows\system32\0b613.sys [?]
S3 0feB;0feB;\??\c:\windows\system32\0feb.sys --> c:\windows\system32\0feB.sys [?]
S3 2e3D;2e3D;\??\c:\windows\system32\2e3d.sys --> c:\windows\system32\2e3D.sys [?]
S3 4659;4659;\??\c:\windows\system32\4659.sys --> c:\windows\system32\4659.sys [?]
S3 76815;76815;\??\c:\windows\system32\76815.sys --> c:\windows\system32\76815.sys [?]
S3 c8210;c8210;\??\c:\windows\system32\c8210.sys --> c:\windows\system32\c8210.sys [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2009-4-8 161128]
S3 d8914;d8914;\??\c:\windows\system32\d8914.sys --> c:\windows\system32\d8914.sys [?]
S3 d8dF;d8dF;\??\c:\windows\system32\d8df.sys --> c:\windows\system32\d8dF.sys [?]
S3 ec78;ec78;\??\c:\windows\system32\ec78.sys --> c:\windows\system32\ec78.sys [?]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2005-1-10 10240]
S3 f7211;f7211;\??\c:\windows\system32\f7211.sys --> c:\windows\system32\f7211.sys [?]
S3 ff2C;ff2C;\??\c:\windows\system32\ff2c.sys --> c:\windows\system32\ff2C.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-12-31 910600]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [2001-4-14 22474]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-9-27 33552]
S4 PD9Engine;PD9Engine;c:\program files\raxco\perfectdiskrx\PD9Engine.exe [2007-6-18 689680]

=============== Created Last 30 ================

2009-10-19 06:33 <DIR> --d----- c:\temp\16F.tmp
2009-10-18 11:54 <DIR> --d----- c:\temp\wzafe9
2009-10-16 14:50 <DIR> --d----- c:\temp\ExecLogs
2009-10-13 15:06 <DIR> --d----- c:\documents and settings\smansoor\My Pictures
2009-10-13 11:52 <DIR> --d----- c:\documents and settings\smansoor\dwhelper
2009-10-12 08:11 <DIR> --dsh--- c:\documents and settings\smansoor\PrivacIE
2009-10-12 08:05 <DIR> --dsh--- c:\documents and settings\smansoor\IETldCache
2009-10-12 07:54 <DIR> --d----- c:\windows\ie8updates
2009-10-12 07:50 <DIR> -cd-h--- c:\windows\ie8
2009-10-12 07:43 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-10-12 07:43 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-10-12 07:43 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-10-01 15:23 <DIR> --dshr-- C:\cmdcons
2009-10-01 15:23 <DIR> --d----- c:\windows\setupupd
2009-09-30 14:37 3,255 a------- c:\windows\system32\wbem\Outlook_01ca42056bccbdee.mof
2009-09-30 13:23 3,255 a------- c:\windows\system32\wbem\Outlook_01ca41fb1f37276a.mof
2009-09-30 13:21 389,120 a------- c:\windows\system32\cmd.execf
2009-09-30 13:21 7 a------- C:\DF_RMS
2009-09-29 13:13 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-29 13:13 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-29 13:13 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-09-29 13:13 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-09-29 13:13 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-09-29 13:13 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-09-29 13:13 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-09-29 13:13 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-09-29 13:11 604,253 ac------ c:\windows\system32\dllcache\vmodem.sys
2009-09-29 13:10 50,176 ac------ c:\windows\system32\dllcache\umaxp60.dll
2009-09-29 13:09 138,528 ac------ c:\windows\system32\dllcache\tgiulnt5.sys
2009-09-29 13:08 53,248 ac------ c:\windows\system32\dllcache\stlncoin.dll
2009-09-29 13:07 45,568 ac------ c:\windows\system32\dllcache\smb3w.dll
2009-09-29 13:06 6,784 ac------ c:\windows\system32\dllcache\serscan.sys
2009-09-29 13:05 82,432 ac------ c:\windows\system32\dllcache\rwia450.dll
2009-09-29 13:04 40,448 ac------ c:\windows\system32\dllcache\ql1240.sys
2009-09-29 13:03 105,984 ac------ c:\windows\system32\dllcache\phdsext.ax
2009-09-29 13:02 25,088 ac------ c:\windows\system32\dllcache\ovca.sys
2009-09-29 13:01 15,872 ac------ c:\windows\system32\dllcache\ne2000.sys
2009-09-29 13:00 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-09-29 12:59 22,848 ac------ c:\windows\system32\dllcache\lwusbhid.sys
2009-09-29 12:58 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-09-29 12:57 20,480 ac------ c:\windows\system32\dllcache\icam5ext.dll
2009-09-29 12:56 9,759 ac------ c:\windows\system32\dllcache\hsf_inst.dll
2009-09-29 12:55 59,136 ac------ c:\windows\system32\dllcache\gckernel.sys
2009-09-29 12:54 45,568 ac------ c:\windows\system32\dllcache\esunib.dll
2009-09-29 12:53 50,719 ac------ c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 12:52 14,720 ac------ c:\windows\system32\dllcache\dac960nt.sys
2009-09-29 12:51 164,923 ac------ c:\windows\system32\dllcache\diapi2.sys
2009-09-29 12:50 382,592 ac------ c:\windows\system32\dllcache\atidrab.dll
2009-09-28 13:49 <DIR> --d----- c:\program files\WinPcap
2009-09-28 13:48 <DIR> --d----- c:\program files\Sector69
2009-09-28 10:36 <DIR> --d----- c:\temp\MessengerCache
2009-09-27 18:32 7 a------- c:\windows\system32\DF_RMS
2009-09-27 14:44 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-09-27 14:44 50,176 a------- c:\windows\system32\proquota.exe
2009-09-27 14:08 <DIR> --d----- c:\windows\setup.pss
2009-09-27 13:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-27 12:49 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-09-27 12:49 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-09-27 12:49 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-09-27 11:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-22 09:01 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-09-22 08:57 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-29 03:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 08:35 61,224 a------- c:\documents and settings\smansoor\GoToAssistDownloadHelper.exe
2009-08-01 09:39 22,016 a------- c:\windows\system32\AdobePDF.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2008-10-13 08:45 88 ---shr-- c:\windows\system32\087FC146C5.sys
2008-10-13 08:45 3,818 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-06-11 17:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-01-12 11:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011220080113\index.dat

============= FINISH: 6:34:09.97 ===============


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time:08:45 PM

Posted 21 October 2009 - 01:06 PM

Hello hartley, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

Please post the content of C:\Combofix.txt for my review, then we can start helping you fix your problems :(
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 hartley

hartley
  • Topic Starter

  • Members
  • 14 posts
  • Local time:02:45 PM

Posted 23 October 2009 - 08:13 AM

Hello Tom,

Thank you for responding. The Combofix that was run on this computer was actually removed using the uninstall switch. I believe the txt file does not exist either. I don't know if that is good news or bad news. Please let me know if there is anything else we can do. I am searching for the text file though.

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time:08:45 PM

Posted 23 October 2009 - 02:41 PM

Hi,

Let's do the following:


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 hartley

hartley
  • Topic Starter

  • Members
  • 14 posts
  • Local time:02:45 PM

Posted 24 October 2009 - 08:38 PM

ComboFix 09-10-24.01 - smansoor 10/24/2009 20:23.6.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.505 [GMT -5:00]
Running from: c:\documents and settings\smansoor\Desktop\schrauber.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 01:28 . 2009-10-25 01:28 53248 ----a-w- c:\temp\catchme.dll
2009-10-25 01:23 . 2009-10-25 01:23 -------- d-----w- c:\temp\WPDNSE
2009-10-24 23:17 . 2009-10-24 23:17 -------- d-----r- c:\documents and settings\smansoor\My Pictures
2009-10-24 22:11 . 2009-10-24 22:11 -------- d-----w- c:\temp\VBE
2009-10-24 21:58 . 2009-10-25 00:03 -------- d-----w- c:\temp\W2K
2009-10-24 21:58 . 2009-10-25 00:03 -------- d-----w- c:\temp\EPO
2009-10-24 21:50 . 2009-10-25 00:03 -------- d-----w- c:\temp\RADIA
2009-10-22 22:56 . 2009-10-23 06:16 -------- d-----w- c:\temp\hsperfdata_SMansoor
2009-10-17 18:17 . 2009-10-17 18:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-17 18:14 . 2009-10-17 18:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-10-17 18:13 . 2009-10-17 18:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-16 06:24 . 2009-10-16 06:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-13 16:52 . 2009-10-13 16:52 -------- d-----w- c:\documents and settings\smansoor\dwhelper
2009-10-12 18:02 . 2009-10-12 18:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-12 13:11 . 2009-10-12 13:11 -------- d-sh--w- c:\documents and settings\smansoor\PrivacIE
2009-10-12 13:05 . 2009-10-12 13:05 -------- d-sh--w- c:\documents and settings\smansoor\IETldCache
2009-10-12 12:54 . 2009-10-16 06:23 -------- d-----w- c:\windows\ie8updates
2009-10-12 12:50 . 2009-10-12 12:52 -------- dc-h--w- c:\windows\ie8
2009-10-12 12:48 . 2009-10-12 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-12 12:43 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-12 12:43 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-12 12:43 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-12 12:05 . 2009-10-12 12:05 0 ----a-w- c:\windows\nsreg.dat
2009-10-12 12:05 . 2009-10-12 12:05 -------- d-----w- c:\documents and settings\smansoor\Local Settings\Application Data\Mozilla
2009-09-30 19:57 . 2009-09-30 19:58 -------- d-----w- C:\ERDNT
2009-09-29 18:13 . 2008-04-14 10:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-29 18:13 . 2008-04-14 10:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-29 18:13 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-29 18:13 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-29 18:13 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-29 18:13 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-29 18:13 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-09-29 18:13 . 2008-04-14 03:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-09-29 18:11 . 2001-08-17 18:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2009-09-29 18:10 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2009-09-29 18:09 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2009-09-29 18:08 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2009-09-29 18:07 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2009-09-29 18:06 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2009-09-29 18:05 . 2001-08-18 03:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2009-09-29 18:04 . 2001-08-17 18:52 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
2009-09-29 18:03 . 2008-04-14 10:40 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2009-09-29 18:02 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-09-29 18:01 . 2001-08-17 18:49 15872 -c--a-w- c:\windows\system32\dllcache\ne2000.sys
2009-09-29 18:00 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-09-29 17:59 . 2008-04-14 03:09 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2009-09-29 17:58 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-29 17:57 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll
2009-09-29 17:56 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2009-09-29 17:55 . 2008-04-14 05:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2009-09-29 17:54 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2009-09-29 17:53 . 2001-08-17 17:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 17:52 . 2001-08-17 18:52 14720 -c--a-w- c:\windows\system32\dllcache\dac960nt.sys
2009-09-29 17:51 . 2001-08-17 17:13 164923 -c--a-w- c:\windows\system32\dllcache\diapi2.sys
2009-09-29 17:50 . 2001-08-17 19:56 137216 -c--a-w- c:\windows\system32\dllcache\atidrae.dll
2009-09-28 20:03 . 2009-10-22 15:15 -------- d-----w- c:\documents and settings\smansoor\Application Data\vlc
2009-09-28 18:49 . 2009-09-28 18:49 -------- d-----w- c:\program files\WinPcap
2009-09-28 18:48 . 2009-09-28 18:48 -------- d-----w- c:\program files\Sector69
2009-09-27 19:44 . 2008-04-14 10:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-27 19:44 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-27 18:03 . 2009-09-27 18:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-27 17:49 . 2009-06-19 20:37 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-27 17:49 . 2009-06-19 20:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-27 17:49 . 2009-06-19 20:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-27 16:06 . 2009-09-28 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 21:58 . 2007-05-07 16:23 -------- d-----w- c:\program files\Novadigm
2009-10-24 21:56 . 2007-05-07 21:10 -------- d-----w- c:\program files\Connected
2009-10-22 15:16 . 2009-01-16 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 18:13 . 2009-05-27 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Credant
2009-10-17 18:01 . 2007-06-11 15:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-17 13:56 . 2009-08-23 20:53 -------- d-----w- c:\documents and settings\smansoor\Application Data\IObit
2009-10-08 22:09 . 2007-12-26 18:23 420 ----a-w- c:\windows\License.Dat
2009-10-02 01:29 . 2007-05-07 15:54 -------- d-----w- c:\program files\microsoft frontpage
2009-09-30 23:52 . 2007-08-01 00:48 46416 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 18:36 . 2007-05-07 16:24 46416 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 01:45 . 2009-01-09 23:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-27 00:10 . 2009-07-06 00:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-22 14:01 . 2008-09-03 20:56 -------- d-----w- c:\program files\Microsoft
2009-09-22 14:01 . 2009-09-22 14:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-22 14:00 . 2008-02-27 20:03 -------- d-----w- c:\program files\Windows Live
2009-09-22 13:57 . 2009-09-22 13:57 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-22 01:35 . 2009-02-27 20:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 19:54 . 2009-06-21 17:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-21 17:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-09 15:58 . 2009-08-09 15:58 116448 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:35 . 2009-08-04 13:35 61224 ----a-w- c:\documents and settings\smansoor\GoToAssistDownloadHelper.exe
2009-08-01 14:39 . 2009-08-01 14:39 22016 ----a-w- c:\windows\system32\AdobePDF.dll
2008-10-13 13:45 . 2008-09-08 18:54 88 --sh--r- c:\windows\system32\087FC146C5.sys
2008-10-13 13:45 . 2008-09-08 18:40 3818 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Advanced SystemCare 3"="d:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"RUNRADTRAY"="c:\progra~1\Novadigm\radtray.exe" [2008-01-04 241844]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5730144]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"EXCEEDLOGS"="RemoveExceedLogs.exe" - d:\program files\Schlumberger\MAXIS\16C0-147\BIN\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"="EmsServiceHelper.exe" - c:\windows\system32\EMSServiceHelper.exe [2009-04-08 1967464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Connected TaskBar Icon.LNK - c:\program files\Connected\CBSysTray.exe [2007-11-2 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-04 13:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 00:44 34304 ----a-w- c:\windows\system32\ScCertProp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 18:18 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 15:13 161128 ----a-w- c:\windows\system32\CmgShieldNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autochk

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\0\0]
"Script"=changeprofile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\1\0]
"Script"=RadiaVeriClean_040309.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\2\0]
"Script"=remove-aodc.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK
backup=c:\windows\pss\Connected TaskBar Icon.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
path=
backup=c:\windows\pss\Log Printer Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2 (0x2)
"PD91Engine"=3 (0x3)
"PD91Agent"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\RadUIShell.exe"= c:\\Program Files\\Novadigm\\raduishell.exe
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\Connected\\COBackup.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"d:\\Program Files\\FTL\\FTL.exe"=
"d:\\Program Files\\FTL\\FTLAgent.Net.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtProc1.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\ECCenter1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 10:14 404592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/27/2009 12:49 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/27/2009 12:49 46864]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [4/30/2008 14:54 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 10:11 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 10:08 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [5/7/2007 17:19 52432]
R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [2/20/2007 13:59 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [6/5/2009 18:05 172210]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [2/17/2009 14:15 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [5/7/2007 17:30 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 5:43 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 5:43 10752]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 ThreatFire;ThreatFire;d:\program files\ThreatFire\TFService.exe service --> d:\program files\ThreatFire\TFService.exe service [?]
S3 0187;0187;\??\c:\windows\system32\0187.sys --> c:\windows\system32\0187.sys [?]
S3 0b613;0b613;\??\c:\windows\system32\0b613.sys --> c:\windows\system32\0b613.sys [?]
S3 0feB;0feB;\??\c:\windows\system32\0feB.sys --> c:\windows\system32\0feB.sys [?]
S3 2e3D;2e3D;\??\c:\windows\system32\2e3D.sys --> c:\windows\system32\2e3D.sys [?]
S3 4659;4659;\??\c:\windows\system32\4659.sys --> c:\windows\system32\4659.sys [?]
S3 76815;76815;\??\c:\windows\system32\76815.sys --> c:\windows\system32\76815.sys [?]
S3 c8210;c8210;\??\c:\windows\system32\c8210.sys --> c:\windows\system32\c8210.sys [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 161128]
S3 d8914;d8914;\??\c:\windows\system32\d8914.sys --> c:\windows\system32\d8914.sys [?]
S3 d8dF;d8dF;\??\c:\windows\system32\d8dF.sys --> c:\windows\system32\d8dF.sys [?]
S3 ec78;ec78;\??\c:\windows\system32\ec78.sys --> c:\windows\system32\ec78.sys [?]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 13:49 10240]
S3 f7211;f7211;\??\c:\windows\system32\f7211.sys --> c:\windows\system32\f7211.sys [?]
S3 ff2C;ff2C;\??\c:\windows\system32\ff2C.sys --> c:\windows\system32\ff2C.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 15:22 34064]
S3 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 13:12 693512]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 13:12 910600]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [4/14/2001 0:22 22474]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/27/2009 12:49 33552]
S4 PD9Engine;PD9Engine;c:\program files\Raxco\PerfectDiskRx\PD9Engine.exe [6/18/2007 14:11 689680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-25 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hub.slb.com
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - d:\program files\PRMT78\PRMTIE\prmtie5.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - d:\program files\PRMT78\PRMTIE\options.htm
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hub.slb.com/
FF - plugin: c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="…"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll

- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\entrshel.dll
c:\windows\system32\entelres.dll
c:\windows\system32\etlog.dll
c:\windows\system32\ETCOMPS.dll
c:\windows\system32\etclires.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-25 20:30
ComboFix-quarantined-files.txt 2009-10-25 01:30
ComboFix2.txt 2009-10-25 00:06

Pre-Run: 13,391,929,344 bytes free
Post-Run: 13,369,282,560 bytes free

Current=3 Default=3 Failed=4 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 4CD2F1428F565C4DC577A05DC2DB310F

#8 schrauber

schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:45 PM

Posted 25 October 2009 - 08:14 AM

Hi,

Did you put all these sites in the Trusted Zone yourself?

Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com

Step 1

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
0187 
0b613 
0feB 
2e3D 
4659 
76815 
c8210 
d8914
d8dF
ec78 
f7211 
ff2C

File::
c:\windows\system32\0187.sys
c:\windows\system32\0b613.sys
c:\windows\system32\0feB.sys
c:\windows\system32\2e3D.sys
c:\windows\system32\4659.sys
c:\windows\system32\76815.sys
c:\windows\system32\c8210.sys
c:\windows\system32\d8914.sys
c:\windows\system32\d8dF.sys
c:\windows\system32\ec78.sys
c:\windows\system32\f7211.sys
c:\windows\system32\ff2C.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please post back with:
  • Combofix-Logfile
  • Fresh RSIT-Logfile

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
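The twelve entries the reply above removes share one shape in the ComboFix service list: a four- or five-character hex name that is also the display name, an image path written with the `\??\` prefix straight into the system32 root rather than system32\drivers, and the trailing `[?]`, which ComboFix prints when the file is not on disk. What follows is an added example, not code from the thread, from ComboFix or from its author: a Python script that parses lines in the service-list format shown in the log, flags entries matching that shape, and emits the `Driver::`/`File::` stanzas in the form the CFScript above uses. The sample log lines are constructed to mirror the log's format, and the heuristics are this example's own assumptions, not ComboFix's detection logic. Any CFScript produced this way still belongs in the hands of a trained helper, for the reasons given at the top of the thread.

```python
"""Flag phantom hex-named driver services in ComboFix output and build the
matching CFScript.  Added example, not part of the thread or of ComboFix;
the heuristics below are this example's assumptions."""
import re

# Constructed sample in the shape ComboFix prints: state letter (R/S),
# start type digit, then name;display;image-path [details].
SAMPLE_LOG = r"""
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 10:14 404592]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S3 0187;0187;\??\c:\windows\system32\0187.sys --> c:\windows\system32\0187.sys [?]
S3 0b613;0b613;\??\c:\windows\system32\0b613.sys --> c:\windows\system32\0b613.sys [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 161128]
S3 d8dF;d8dF;\??\c:\windows\system32\d8dF.sys --> c:\windows\system32\d8dF.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 15:22 34064]
S2 R72V2NT4;R72V2NT4; [x]
S3 ff2C;ff2C;\??\c:\windows\system32\ff2C.sys --> c:\windows\system32\ff2C.sys [?]
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{4,5}$")   # assumed: names like 0187, 0b613, ff2C
MISSING_MARK = "[?]"                               # ComboFix: image file not found on disk
SYS32_ROOT = "c:\\windows\\system32\\"             # legit drivers normally sit in \drivers\ below this


def parse_services(log_text):
    """Turn 'R0 name;display;image [details]' lines into dicts; skip other lines."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        services.append({"state": state, "start": int(start), "name": name,
                         "display": display, "image": rest.strip()})
    return services


def is_phantom_hex_driver(svc):
    """All four traits seen on the entries in this log must hold at once."""
    image = svc["image"]
    # Take the path before ' --> ', drop the NT object-manager prefix, normalise case.
    path = image.split("-->")[0].strip().lower().replace("\\??\\", "")
    return (
        HEX_NAME_RE.match(svc["name"]) is not None
        and svc["display"] == svc["name"]
        and path.startswith(SYS32_ROOT)
        and "\\drivers\\" not in path
        and image.endswith(MISSING_MARK)
    )


def suspicious_names(log_text):
    """Service names that match the phantom-driver pattern, in log order."""
    return [s["name"] for s in parse_services(log_text) if is_phantom_hex_driver(s)]


def build_cfscript(log_text):
    """Emit Driver::/File:: stanzas for the flagged entries, or '' if none."""
    hits = [s for s in parse_services(log_text) if is_phantom_hex_driver(s)]
    if not hits:
        return ""
    drivers = "\n".join(s["name"] for s in hits)
    files = "\n".join(SYS32_ROOT + s["name"] + ".sys" for s in hits)
    return "Driver::\n" + drivers + "\n\nFile::\n" + files + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run against a saved ComboFix.txt, the script prints a CFScript that lists only entries meeting all four traits; legitimate orphans such as the Tb2Device and R72V2NT4 lines in the sample are left alone because their names are not short hex strings, which is the point of requiring every trait rather than just the `[?]` marker.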

#9 hartley

hartley
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 25 October 2009 - 02:35 PM

Tom, thank you for helping me out. I appreciate your time.

Yes, the trusted sites were added/allowed by me.

Combofix.txt below

ComboFix 09-10-24.01 - smansoor 10/25/2009 13:42.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.445 [GMT -5:00]
Running from: c:\documents and settings\smansoor\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\smansoor\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\windows\system32\0187.sys"
"c:\windows\system32\0b613.sys"
"c:\windows\system32\0feB.sys"
"c:\windows\system32\2e3D.sys"
"c:\windows\system32\4659.sys"
"c:\windows\system32\76815.sys"
"c:\windows\system32\c8210.sys"
"c:\windows\system32\d8914.sys"
"c:\windows\system32\d8dF.sys"
"c:\windows\system32\ec78.sys"
"c:\windows\system32\f7211.sys"
"c:\windows\system32\ff2C.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0187
-------\Legacy_0B613
-------\Legacy_0FEB
-------\Legacy_2E3D
-------\Legacy_4659
-------\Legacy_76815
-------\Legacy_C8210
-------\Legacy_D8914
-------\Legacy_D8DF
-------\Legacy_EC78
-------\Legacy_F7211
-------\Legacy_FF2C
-------\Service_0187
-------\Service_0b613
-------\Service_0feB
-------\Service_2e3D
-------\Service_4659
-------\Service_76815
-------\Service_c8210
-------\Service_d8914
-------\Service_d8dF
-------\Service_ec78
-------\Service_f7211
-------\Service_ff2C


((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 18:51 . 2009-10-25 18:51 53248 ----a-w- c:\temp\catchme.dll
2009-10-25 18:51 . 2009-10-25 18:51 -------- d-----w- c:\temp\WPDNSE
2009-10-25 02:43 . 2009-10-25 02:43 -------- d-----w- c:\temp\ExecLogs
2009-10-25 01:49 . 2009-10-25 18:46 -------- d-----w- c:\temp\MessengerCache
2009-10-24 23:17 . 2009-10-24 23:17 -------- d-----r- c:\documents and settings\smansoor\My Pictures
2009-10-24 22:11 . 2009-10-24 22:11 -------- d-----w- c:\temp\VBE
2009-10-24 21:58 . 2009-10-25 18:46 -------- d-----w- c:\temp\W2K
2009-10-24 21:58 . 2009-10-25 18:46 -------- d-----w- c:\temp\EPO
2009-10-24 21:50 . 2009-10-25 18:46 -------- d-----w- c:\temp\RADIA
2009-10-22 22:56 . 2009-10-23 06:16 -------- d-----w- c:\temp\hsperfdata_SMansoor
2009-10-17 18:17 . 2009-10-17 18:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-17 18:14 . 2009-10-17 18:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-10-17 18:13 . 2009-10-17 18:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-16 06:24 . 2009-10-16 06:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-13 16:52 . 2009-10-13 16:52 -------- d-----w- c:\documents and settings\smansoor\dwhelper
2009-10-12 18:02 . 2009-10-12 18:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-12 13:11 . 2009-10-12 13:11 -------- d-sh--w- c:\documents and settings\smansoor\PrivacIE
2009-10-12 13:05 . 2009-10-12 13:05 -------- d-sh--w- c:\documents and settings\smansoor\IETldCache
2009-10-12 12:54 . 2009-10-16 06:23 -------- d-----w- c:\windows\ie8updates
2009-10-12 12:50 . 2009-10-12 12:52 -------- dc-h--w- c:\windows\ie8
2009-10-12 12:48 . 2009-10-12 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-12 12:43 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-12 12:43 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-12 12:43 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-12 12:05 . 2009-10-12 12:05 0 ----a-w- c:\windows\nsreg.dat
2009-10-12 12:05 . 2009-10-12 12:05 -------- d-----w- c:\documents and settings\smansoor\Local Settings\Application Data\Mozilla
2009-09-30 19:57 . 2009-09-30 19:58 -------- d-----w- C:\ERDNT
2009-09-29 18:13 . 2008-04-14 10:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-29 18:13 . 2008-04-14 10:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-29 18:13 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-29 18:13 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-29 18:13 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-29 18:13 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-29 18:13 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-09-29 18:13 . 2008-04-14 03:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-09-29 18:11 . 2001-08-17 18:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2009-09-29 18:10 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2009-09-29 18:09 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2009-09-29 18:08 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2009-09-29 18:07 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2009-09-29 18:06 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2009-09-29 18:05 . 2001-08-18 03:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2009-09-29 18:04 . 2001-08-17 18:52 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
2009-09-29 18:03 . 2008-04-14 10:40 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2009-09-29 18:02 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-09-29 18:01 . 2001-08-17 18:49 15872 -c--a-w- c:\windows\system32\dllcache\ne2000.sys
2009-09-29 18:00 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-09-29 17:59 . 2008-04-14 03:09 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2009-09-29 17:58 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-29 17:57 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll
2009-09-29 17:56 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2009-09-29 17:55 . 2008-04-14 05:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2009-09-29 17:54 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2009-09-29 17:53 . 2001-08-17 17:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 17:52 . 2001-08-17 18:52 14720 -c--a-w- c:\windows\system32\dllcache\dac960nt.sys
2009-09-29 17:51 . 2001-08-17 17:13 164923 -c--a-w- c:\windows\system32\dllcache\diapi2.sys
2009-09-29 17:50 . 2001-08-17 19:56 137216 -c--a-w- c:\windows\system32\dllcache\atidrae.dll
2009-09-28 20:03 . 2009-10-22 15:15 -------- d-----w- c:\documents and settings\smansoor\Application Data\vlc
2009-09-28 18:49 . 2009-09-28 18:49 -------- d-----w- c:\program files\WinPcap
2009-09-28 18:48 . 2009-09-28 18:48 -------- d-----w- c:\program files\Sector69
2009-09-27 19:44 . 2008-04-14 10:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-27 19:44 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-27 18:03 . 2009-09-27 18:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-27 17:49 . 2009-06-19 20:37 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-27 17:49 . 2009-06-19 20:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-27 17:49 . 2009-06-19 20:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-27 16:06 . 2009-09-28 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 17:43 . 2009-05-27 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Credant
2009-10-25 05:59 . 2007-05-07 16:23 -------- d-----w- c:\program files\Novadigm
2009-10-24 21:56 . 2007-05-07 21:10 -------- d-----w- c:\program files\Connected
2009-10-22 15:16 . 2009-01-16 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 18:01 . 2007-06-11 15:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-17 13:56 . 2009-08-23 20:53 -------- d-----w- c:\documents and settings\smansoor\Application Data\IObit
2009-10-08 22:09 . 2007-12-26 18:23 420 ----a-w- c:\windows\License.Dat
2009-10-02 01:29 . 2007-05-07 15:54 -------- d-----w- c:\program files\microsoft frontpage
2009-09-30 23:52 . 2007-08-01 00:48 46416 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 18:36 . 2007-05-07 16:24 46416 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 01:45 . 2009-01-09 23:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-27 00:10 . 2009-07-06 00:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-22 14:01 . 2008-09-03 20:56 -------- d-----w- c:\program files\Microsoft
2009-09-22 14:01 . 2009-09-22 14:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-22 14:00 . 2008-02-27 20:03 -------- d-----w- c:\program files\Windows Live
2009-09-22 13:57 . 2009-09-22 13:57 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-22 01:35 . 2009-02-27 20:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 19:54 . 2009-06-21 17:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-21 17:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-09 15:58 . 2009-08-09 15:58 116448 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:35 . 2009-08-04 13:35 61224 ----a-w- c:\documents and settings\smansoor\GoToAssistDownloadHelper.exe
2009-08-01 14:39 . 2009-08-01 14:39 22016 ----a-w- c:\windows\system32\AdobePDF.dll
2008-10-13 13:45 . 2008-09-08 18:54 88 --sh--r- c:\windows\system32\087FC146C5.sys
2008-10-13 13:45 . 2008-09-08 18:40 3818 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_00.04.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 18:50 . 2009-10-25 18:50 16384 c:\windows\temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Advanced SystemCare 3"="d:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"RUNRADTRAY"="c:\progra~1\Novadigm\radtray.exe" [2008-01-04 241844]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5730144]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"EXCEEDLOGS"="RemoveExceedLogs.exe" - d:\program files\Schlumberger\MAXIS\16C0-147\BIN\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"="EmsServiceHelper.exe" - c:\windows\system32\EMSServiceHelper.exe [2009-04-08 1967464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Connected TaskBar Icon.LNK - c:\program files\Connected\CBSysTray.exe [2007-11-2 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-04 13:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 00:44 34304 ----a-w- c:\windows\system32\ScCertProp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 18:18 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 15:13 161128 ----a-w- c:\windows\system32\CmgShieldNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autochk

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\0\0]
"Script"=changeprofile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\1\0]
"Script"=RadiaVeriClean_040309.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\2\0]
"Script"=remove-aodc.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK
backup=c:\windows\pss\Connected TaskBar Icon.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
path=
backup=c:\windows\pss\Log Printer Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2 (0x2)
"PD91Engine"=3 (0x3)
"PD91Agent"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\RadUIShell.exe"= c:\\Program Files\\Novadigm\\raduishell.exe
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\Connected\\COBackup.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"d:\\Program Files\\FTL\\FTL.exe"=
"d:\\Program Files\\FTL\\FTLAgent.Net.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtProc1.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\ECCenter1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 10:14 404592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/27/2009 12:49 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/27/2009 12:49 46864]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [4/30/2008 14:54 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 10:11 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 10:08 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [5/7/2007 17:19 52432]
R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [2/20/2007 13:59 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [6/5/2009 18:05 172210]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [2/17/2009 14:15 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [5/7/2007 17:30 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 5:43 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 5:43 10752]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 ThreatFire;ThreatFire;d:\program files\ThreatFire\TFService.exe service --> d:\program files\ThreatFire\TFService.exe service [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 161128]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 13:49 10240]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 15:22 34064]
S3 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 13:12 693512]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 13:12 910600]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [4/14/2001 0:22 22474]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/27/2009 12:49 33552]
S4 PD9Engine;PD9Engine;c:\program files\Raxco\PerfectDiskRx\PD9Engine.exe [6/18/2007 14:11 689680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-25 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hub.slb.com
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - d:\program files\PRMT78\PRMTIE\prmtie5.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - d:\program files\PRMT78\PRMTIE\options.htm
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hub.slb.com/
FF - plugin: c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 13:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="[value omitted]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll

- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\entrshel.dll
c:\windows\system32\entelres.dll
c:\windows\system32\etlog.dll
c:\windows\system32\ETCOMPS.dll
c:\windows\system32\etclires.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Connected\AgentSrv.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\BigFix Enterprise\BES Client\BESClient.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\oracle\ora10\bin\omtsreco.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\StacSV.exe
c:\program files\Timbuktu Pro\tb2launch.exe
c:\program files\Timbuktu Pro\TimbuktuRemoteConsole.exe
c:\schrauber\CF31687.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\schrauber\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 13:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 18:54
ComboFix2.txt 2009-10-25 01:30
ComboFix3.txt 2009-10-25 00:06

Pre-Run: 13,065,711,616 bytes free
Post-Run: 12,872,343,552 bytes free

Current=3 Default=3 Failed=4 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 5199D007014ADB49FD6062FD6DBE1EC1

RSIT log file below

Logfile of random's system information tool 1.06 (written by random/random)
Run by smansoor at 2009-10-25 14:21:12
Microsoft Windows XP Professional Service Pack 3
System drive C: has 12 GB (40%) free of 31 GB
Total RAM: 1022 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:40 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
c:\PROGRA~1\Novadigm\radexecd.exe
c:\PROGRA~1\Novadigm\radsched.exe
c:\PROGRA~1\Novadigm\Radstgms.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Documents and Settings\smansoor\Desktop\RSIT.exe
C:\Program Files\trend micro\smansoor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - D:\Program Files\PRMT78\PRMTIE\prmtie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CMGShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RUNRADTRAY] c:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = lam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = lam.slb.com
O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - c:\PROGRA~1\Novadigm\Radstgms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThreatFire - Unknown owner - d:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13366 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2009-08-01 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78104A01-8E71-4F30-9A36-3793799615B4}]
ViewerHelper Class - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll [2005-01-27 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-07-16 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{FF284F5C-7CF9-4682-8701-D467C1DBB99F} - Translator - D:\Program Files\PRMT78\PRMTIE\prmtie.dll [2007-06-15 454656]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"=C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-07-16 111952]
"RUNRADTRAY"=c:\PROGRA~1\Novadigm\radtray.exe [2008-01-04 241844]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2008-11-10 136512]
"EXCEEDLOGS"=d:\Program Files\Schlumberger\MAXIS\16C0-147\bin\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"=C:\WINDOWS\system32\EmsServiceHelper.exe [2009-04-08 1967464]
"Communicator"=C:\Program Files\Microsoft Office Communicator\communicator.exe [2008-12-16 5730144]
"Malwarebytes Anti-Malware (reboot)"=D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"Advanced SystemCare 3"=D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
c:\Program Files\Adobe\Distillr\Acrotray.exe [2009-08-01 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2007-10-09 2183168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmgShieldUI]
C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskMonitor]
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe [2007-09-11 65583]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Connected Agent]
D:\Program Files\FTL\FTLAgent.Net.exe [2009-09-22 350024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Email Agent]
D:\Program Files\FTL\FTLAgent.exe [2008-07-31 194192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i-Handbook]
D:\Program Files\Schlumberger\i-Handbook.exe [2008-02-22 9688064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [2007-07-31 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
D:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-04-28 8429568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
nvHotkey.dll,Start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2007-04-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PerfectDiskRx]
C:\Program Files\Raxco\PerfectDiskRx\PerfectDiskRx.exe [2008-10-13 6030864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
C:\WINDOWS\stsystra.exe [2007-02-19 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
C:\Program Files\Timbuktu Pro\minitb2.exe [2006-10-24 1028096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-08-01 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
C:\PROGRA~1\Toshiba\BLUETO~1\TosBtMng.exe [2007-07-30 2158592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
C:\PROGRA~1\CONNEC~1\CBSYST~1.EXE [2008-02-27 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
C:\PROGRA~1\COMMON~1\SCHLUM~2\LOGPRI~1.EXE [2007-09-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2
"PD91Engine"=3
"PD91Agent"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CMGShieldNP]
C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2009-08-04 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\slbScCertProp]
C:\WINDOWS\system32\ScCertProp.dll [2003-12-19 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Timbuktu Pro]
C:\Program Files\Timbuktu Pro\Hook32.dll [2006-10-24 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CMGShield]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=NOTICE TO ALL USERS
"legalnoticetext"=Use is restricted to Schlumberger authorized users who must comply with company policies, including but not limited to the Schlumberger Information Security User Standard. Usage is monitored, unauthorized use will be prosecuted. This system may not, under any circumstances, be taken into Cuba, Iran, North Korea, Sudan or Syria.
Refer to http://tradecompliance.slb.com for updates to the list of restricted countries and countries which, without prior authorization, prohibit the importation of encryption software present in this installation. These materials are licensed to or copyright © Schlumberger and/or its affiliates. All rights reserved. There may be a charge for the use or copying of these materials.
By accessing these materials you agree to pay any such fee and comply with all terms and conditions for their use.
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"HonorAutorunSetting"=1
"ForceStartMenuLogOff"=1
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutorunSetting"=
"NoDriveAutoRun"=
"NoDrives"=
"NoResolveSearch"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Novadigm\RadUIShell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe:*:Enabled:Bluetooth Information Exchanger"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe:*:Enabled:Bluetooth Settings"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Novadigm\raduishell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass.exe"
"D:\ExceedNT\exceed.exe"="D:\ExceedNT\exceed.exe:*:Enabled:Exceed for Windows NT"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"D:\Program Files\QuoteTracker\stocks.exe"="D:\Program Files\QuoteTracker\stocks.exe:*:Enabled:QuoteTracker"
"D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe"="D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe:*:Enabled:MbtNav.exe"
"D:\Program Files\VideoLAN\VLC\vlc.exe"="D:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe:*:Enabled:MAXIS© Application"
"D:\Program Files\FileZilla\FileZilla.exe"="D:\Program Files\FileZilla\FileZilla.exe:*:Enabled:FileZilla"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe:*:Enabled:MAXIS© Application"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Novadigm\IntegrationServer\nvdkit.exe"="C:\Novadigm\IntegrationServer\nvdkit.exe:*:enabled:Radia Integration Server"
"C:\Novadigm\ManagementAgent\nvdkit.exe"="C:\Novadigm\ManagementAgent\nvdkit.exe:*:enabled:Radia Management Agent"
"C:\Novadigm\MessagingServer\nvdkit.exe"="C:\Novadigm\MessagingServer\nvdkit.exe:*:enabled:Radia Messaging Server"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\OpenSpirit\external\Jre\bin\java.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\java.exe:*:Enabled:java"
"C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe"="C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe:*:Enabled:Petrel 2005: Geological 3D Visualization and Modeling"
"C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe"="C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe:*:Enabled:Petrel 2004: Geological 3D Visualization and Modeling"
"C:\Program Files\FTL\FTL.exe"="C:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"C:\Program Files\FTL\FTLAgent.Net.exe"="C:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:SR_Service.exe"
"C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:Enabled:eXceed 7.0"
"C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe:*:Enabled:eXceed 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Communicator"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"

======List of files/folders created in the last 1 months======

2009-10-25 14:21:13 ----D---- C:\Program Files\trend micro
2009-10-25 14:21:12 ----D---- C:\rsit
2009-10-25 13:54:40 ----A---- C:\ComboFix.txt
2009-10-25 13:47:19 ----D---- C:\WINDOWS\temp
2009-10-25 00:53:08 ----D---- C:\WINDOWS\SoftwareDistribution
2009-10-24 19:06:38 ----A---- C:\log.txt
2009-10-24 18:56:11 ----A---- C:\WINDOWS\zip.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWSC.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWREG.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\sed.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\PEV.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\NIRCMD.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\grep.exe
2009-10-24 18:54:35 ----D---- C:\Qoobox
2009-10-12 07:54:27 ----D---- C:\WINDOWS\ie8updates
2009-10-12 07:50:59 ----HDC---- C:\WINDOWS\ie8
2009-10-12 07:48:58 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-10-12 07:05:17 ----D---- C:\Documents and Settings\smansoor\Application Data\Mozilla
2009-10-01 15:23:59 ----RASHD---- C:\cmdcons
2009-10-01 15:23:24 ----D---- C:\WINDOWS\setupupd
2009-10-01 07:35:14 ----A---- C:\RootRepeal report 10-01-09 (07-35-14).txt
2009-09-30 14:57:45 ----D---- C:\ERDNT
2009-09-30 13:22:36 ----D---- C:\RECYCLER
2009-09-28 15:03:29 ----D---- C:\Documents and Settings\smansoor\Application Data\vlc
2009-09-28 13:49:02 ----D---- C:\Program Files\WinPcap
2009-09-28 13:48:43 ----D---- C:\Program Files\Sector69
2009-09-27 14:44:14 ----A---- C:\WINDOWS\system32\proquota.exe
2009-09-27 14:21:46 ----D---- C:\WINDOWS\ERDNT
2009-09-27 14:08:30 ----RASH---- C:\BOOT.BAK
2009-09-27 14:08:09 ----A---- C:\WINDOWS\UPGRADE.TXT
2009-09-27 14:08:04 ----D---- C:\WINDOWS\setup.pss
2009-09-27 13:03:02 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-09-27 11:59:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-27 11:06:51 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools

======List of files/folders modified in the last 1 months======

2009-10-25 14:21:26 ----D---- C:\TEMP
2009-10-25 14:21:13 ----D---- C:\Program Files
2009-10-25 14:19:29 ----D---- C:\WINDOWS\Prefetch
2009-10-25 13:56:08 ----D---- C:\WINDOWS\system32\drivers
2009-10-25 13:52:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-25 13:52:12 ----D---- C:\WINDOWS
2009-10-25 13:51:45 ----A---- C:\WINDOWS\system.ini
2009-10-25 13:48:26 ----D---- C:\WINDOWS\system32\config
2009-10-25 13:45:03 ----D---- C:\WINDOWS\system32
2009-10-25 13:45:03 ----D---- C:\WINDOWS\AppPatch
2009-10-25 13:44:59 ----D---- C:\Program Files\Common Files
2009-10-25 13:27:40 ----D---- C:\WINDOWS\Lhsp
2009-10-25 12:43:05 ----D---- C:\Documents and Settings\All Users\Application Data\Credant
2009-10-25 10:48:32 ----D---- C:\WINDOWS\security
2009-10-25 00:59:43 ----D---- C:\Program Files\Novadigm
2009-10-24 18:15:11 ----HD---- C:\WINDOWS\inf
2009-10-24 16:56:45 ----D---- C:\Program Files\Connected
2009-10-22 10:16:56 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-18 12:05:18 ----A---- C:\WINDOWS\PDSView.INI
2009-10-17 13:27:17 ----SHD---- C:\WINDOWS\CSC
2009-10-17 08:56:10 ----D---- C:\Documents and Settings\smansoor\Application Data\IObit
2009-10-16 07:19:57 ----D---- C:\Config.Msi
2009-10-16 01:41:48 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-16 01:41:38 ----RSD---- C:\WINDOWS\assembly
2009-10-16 01:29:49 ----SHD---- C:\WINDOWS\Installer
2009-10-16 01:29:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-16 01:28:30 ----D---- C:\WINDOWS\WinSxS
2009-10-16 01:23:51 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-16 01:23:49 ----D---- C:\Program Files\Internet Explorer
2009-10-16 01:23:33 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-14 09:39:32 ----A---- C:\WINDOWS\welltest.INI
2009-10-13 07:22:46 ----D---- C:\WINDOWS\Debug
2009-10-12 08:04:27 ----D---- C:\WINDOWS\system32\en-US
2009-10-12 08:04:25 ----D---- C:\WINDOWS\Media
2009-10-12 08:04:25 ----D---- C:\WINDOWS\Help
2009-10-10 15:24:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-03 16:23:53 ----SHD---- C:\System Volume Information
2009-10-03 16:23:53 ----D---- C:\WINDOWS\system32\Restore
2009-10-01 20:29:21 ----D---- C:\WINDOWS\msapps
2009-10-01 20:29:21 ----D---- C:\Program Files\microsoft frontpage
2009-10-01 20:29:21 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-01 20:29:20 ----D---- C:\WINDOWS\system
2009-10-01 15:32:50 ----RASH---- C:\boot.ini
2009-09-30 14:37:18 ----D---- C:\WINDOWS\system32\wbem
2009-09-30 13:39:57 ----AC---- C:\WINDOWS\ODBC.INI
2009-09-30 13:39:38 ----A---- C:\WINDOWS\win.ini
2009-09-30 13:31:00 ----SD---- C:\WINDOWS\Tasks
2009-09-30 12:49:41 ----RSD---- C:\WINDOWS\Fonts
2009-09-30 12:49:30 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-09-28 07:01:43 ----D---- C:\WINDOWS\Minidump
2009-09-27 20:45:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-09-27 19:18:23 ----D---- C:\Quarantine
2009-09-27 11:52:12 ----A---- C:\WINDOWS\wininit.ini
2009-09-26 19:55:46 ----D---- C:\WINDOWS\network diagnostic
2009-09-26 19:10:45 ----D---- C:\Program Files\Microsoft Silverlight

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-07-16 52104]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_13073.SYS []
R1 Tb2Device;TB2 Remote Control Driver; C:\WINDOWS\NetopiaRC\Tb2Device.sys [2006-08-23 7244]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver; C:\WINDOWS\NetopiaRC\Tb2MirrorSys.sys [2006-08-23 15439]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 Tosrfcom;Bluetooth RFCOMM; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2007-05-24 64000]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter; C:\WINDOWS\system32\drivers\bcmwlnpf.sys [2007-10-09 33664]
R2 DefragFS;DefragFS; C:\WINDOWS\system32\drivers\DefragFS.sys [2008-08-28 71184]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 ETFSDNT;Entrust File System Hook; \??\C:\WINDOWS\system32\etfsdrv.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 vddidecr;Digital Delivery Decrypting Device; C:\WINDOWS\system32\drivers\vddidecr.sys [2005-08-18 109312]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-03-13 160256]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-10-09 1123328]
R3 catchme;catchme; \??\C:\schrauber\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2008-04-30 23552]
R3 Egatebus;Egatebus; C:\WINDOWS\system32\drivers\egatebus.sys [2005-03-01 11264]
R3 Egaterdr;Egaterdr; C:\WINDOWS\system32\drivers\egaterdr.sys [2005-03-01 10752]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 guardian2;guardian2; C:\WINDOWS\System32\Drivers\oz776.sys [2007-02-23 56576]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-11-02 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-11-02 209152]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-07-16 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-07-16 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-07-16 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-07-16 174952]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-04-28 6727136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-02-19 1228296]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-10-18 38288]
R3 tosporte;Bluetooth COM Port; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2006-10-10 41600]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-14 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-11-02 730112]
S2 R72_NT4;R72_NT4; C:\WINDOWS\system32\drivers\R72_NT4.sys []
S2 R72V2NT4;R72V2NT4; C:\WINDOWS\system32\drivers\R72V2NT4.sys []
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-14 48128]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-14 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 CmgShieldNP;CmgShieldNP; C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-14 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 ptiusbf;PTI USB Filter; C:\WINDOWS\SYSTEM32\DRIVERS\PTIUSBF.SYS [2001-04-14 22474]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 tosrfbd;Bluetooth RFBUS; C:\WINDOWS\system32\DRIVERS\tosrfbd.sys [2007-04-24 113920]
S3 tosrfbnp;Bluetooth RFBNEP; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2006-11-20 36480]
S3 Tosrfhid;Bluetooth RFHID; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2007-03-01 73728]
S3 tosrfnds;Bluetooth Personal Area Network; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612]
S3 tosrfusb;Bluetooth USB Controller; C:\WINDOWS\system32\DRIVERS\tosrfusb.sys [2007-04-10 41856]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2005-05-13 28672]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgentSrv;Connected Agent Service; C:\Program Files\Connected\AgentSrv.EXE [2008-02-27 258048]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BESClient;BES Client; C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe [2009-01-22 2329672]
R2 CMGShield;CMG Shield; C:\WINDOWS\system32\CmgShieldSvc.exe [2009-04-08 2057576]
R2 dsNcService;Juniper Network Connect Service; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [2008-04-30 423280]
R2 EMS;EMS; C:\WINDOWS\system32\EMSService.exe [2009-04-08 709992]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2008-07-16 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2008-07-16 54608]
R2 OracleMTSRecoveryService;OracleMTSRecoveryService; C:\oracle\ora10\bin\omtsreco.exe [2005-08-15 57616]
R2 radexecd;HP OVCM Notify Daemon; c:\PROGRA~1\Novadigm\radexecd.exe [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon; c:\PROGRA~1\Novadigm\radsched.exe [2009-06-05 172210]
R2 Radstgms;HP OVCM MSI Redirector; c:\PROGRA~1\Novadigm\Radstgms.exe [2009-02-17 315570]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\StacSV.exe [2007-02-19 90112]
R2 Tb2Launch;Tb2 Launch; C:\Program Files\Timbuktu Pro\tb2launch.exe [2006-10-24 126976]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-10-09 24064]
S2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S2 ThreatFire;ThreatFire; d:\Program Files\ThreatFire\TFService.exe service []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 ETDSVC;Entrust/TrueDelete™; C:\WINDOWS\system32\etdsvc.exe [2004-10-14 10240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-31 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-08-04 16680]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2psvc;Peer Networking; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 PD91Agent;PD91Agent; C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-12-31 693512]
S3 PD91Engine;PD91Engine; C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-12-31 910600]
S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S4 ELIService;Entrust Login Interface; C:\WINDOWS\etlisrv.exe [2004-03-25 28731]
S4 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-04-28 163908]
S4 PD9Engine;PD9Engine; C:\Program Files\Raxco\PerfectDiskRx\PD9Engine.exe [2007-06-18 689680]
S4 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

-----------------EOF-----------------

info.txt file below

info.txt logfile of random's system information tool 1.06 2009-10-25 14:21:46

======Uninstall list======

@promt Personal 7.8 ESSE-->MsiExec.exe /I{5802C528-A318-449E-8C7A-B638082FB1C7}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-100000000002}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 ActiveX-->MsiExec.exe /X{922E8525-AC7E-4294-ACAA-43712D4423C0}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Setup-->MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Advanced SystemCare 3-->"d:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
Any Video Converter 2.6.3-->"C:\Program Files\Any Video Converter\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
BigFix Enterprise Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF7023BC-319B-4FE1-B569-C854A19F81F8}\Setup.exe" -l0x9 -removeonly
Bluetooth Stack for Windows by Toshiba-->MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CCleaner (remove only)-->"D:\Program Files\CCleaner\uninst.exe"
Citrix Presentation Server Client-->MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Connected DataProtector-->C:\Program Files\Connected\CBUninst.exe
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"d:\Program Files\DVD Shrink\unins000.exe"
Entrust Desktop Solutions-->C:\WINDOWS\etuninst.exe
Eudora-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0D39ACBA-8121-4097-83A6-6CFEE9382E6A}\setup.exe" -l0x9
Exceed 5.1.3 for MAXIS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A884A1B-E579-4AA2-BB05-783256E0D088}\Setup.exe" -uninst
ffdshow [rev 610] [2006-12-01]-->"d:\Program Files\ffdshow\unins000.exe"
Field Ticket Light-->MsiExec.exe /I{588AF5A1-1FEC-4700-9D0B-4CD36C6AD0FD}
FileZilla (remove only)-->"d:\Program Files\FileZilla\uninstall.exe"
Garmin Communicator Plugin-->MsiExec.exe /X{F6970FBD-809A-4C51-BAB3-D94A04C6C8E7}
Garmin MapSource-->MsiExec.exe /X{D678209B-B921-4A30-8A41-70A4A29F22CD}
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
HandBrake 0.9.3-->d:\Program Files\Handbrake\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB945282)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946040)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946308)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946344)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946581)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947540)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947789)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB951708)-->C:\WINDOWS\system32\msiexec.exe /package {C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Office (KB950278)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {FED55BA1-5A70-44B4-8EB1-E72274AED780}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
HP OpenView Configuration Management Agent-->MsiExec.exe /X{EE20BC23-49BE-430D-9866-ABB01D81A407}
HzLGSDK-->MsiExec.exe /I{D69AA402-7F45-4DB0-AC19-4FE9E4A40305}
i-Handbook-->D:\Program Files\Schlumberger\i-Handbook.exe /uninstall
IrfanView (remove only)-->d:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Juniper Networks Network Connect 6.0.0-->"C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
Juniper Networks Secure Application Manager-->C:\Program Files\Juniper Networks\Secure Application Manager\UninstallSAM.exe
L&H TTS3000 Español-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSSPE.inf, Uninstall
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Malwarebytes' Anti-Malware-->"d:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map of South America-->MsiExec.exe /X{BB7C0C8E-CF0B-44C5-B838-9ED93D15DBDF}
MAXIS Appkits in Area A for 16C0-147-->"d:\Program Files\Schlumberger\MAXIS\OP92_AppkitUninstaller.exe" 16C0-147 PrimaryAPPKITS
MAXIS Installation for 16C0-147-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{828CD50F-BFAF-4D5A-B585-BA2DDBFFFF9D}\setup.exe"
MAXIS OP15 WRM-->MsiExec.exe /X{0DE605CA-080C-4014-AD6A-4973DC7EBDE8}
MAXIS OP16 WRM-->MsiExec.exe /X{8B4E721C-91C9-4C86-AEBF-9C39A50A5ACA}
MBT Navigator-->D:\PROGRA~1\MBTRAD~1\MBTNAV~1\UNWISE.EXE D:\PROGRA~1\MBTRAD~1\MBTNAV~1\INSTALL.LOG
McAfee Agent-->MsiExec.exe /X{36FE3EDA-0C18-48DE-934B-D9862F82A7A8}
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft ASP.NET MVC 1.0-->MsiExec.exe /X{A4394612-D02F-11DC-9BFF-D18556D89593}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Conferencing Add-in for Microsoft Office Outlook-->MsiExec.exe /I{9FEAC0B9-289F-4BB8-A5FA-7A5D20D794C7}
Microsoft Office Access 2003 Runtime-->MsiExec.exe /I{901C0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access 2003-->MsiExec.exe /I{90150409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access Runtime (English) 2007-->MsiExec.exe /X{90120000-001C-0409-0000-0000000FF1CE}
Microsoft Office Communicator 2007-->MsiExec.exe /X{E5BA0430-919F-46DD-B656-0796F8A5ADFF}
Microsoft Office Live Meeting 2007-->MsiExec.exe /I{6E4D4E0B-02F6-46C1-BAE5-1B6B2E486A7B}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visual Web Developer 2007-->MsiExec.exe /X{90120000-0021-0000-0000-0000000FF1CE}
Microsoft Office Visual Web Developer MUI (English) 2007-->MsiExec.exe /X{90120000-0021-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2008 Management Objects-->MsiExec.exe /I{F5E87B12-3C27-452F-8E78-21D42164FD83}
Microsoft SQL Server Database Publishing Wizard 1.3-->MsiExec.exe /I{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}
Microsoft Visual Studio Web Authoring Component-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISUALWEBDEVELOPER /dll OSETUP.DLL
Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU-->D:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU\setup.exe
Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU-->MsiExec.exe /X{C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA}
Microsoft Web Platform Installer 2.0 RC-->MsiExec.exe /X{26119A24-8F74-4F62-A278-AB3984B12C04}
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - enu-->MsiExec.exe /X{15EFEBF6-E414-33EB-8710-A04AD1302BF8}
Motorola Driver Installation-->MsiExec.exe /I{75A0EB9D-2D1E-4FB7-BF61-498E33C73EB4}
Motorola Phone Tools-->C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
Mozilla Firefox (3.5.3)-->d:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oracle Data Provider for .NET Help-->MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PDF Splitter and Merger 3.0-->"C:\Program Files\VERTX Systems\PDF Splitter and Merger\un_PDF Splitter and Merger3.0_27276.exe"
PDFCreator-->MsiExec.exe /I{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}
PE Builder 3.1.10a-->"d:\pebuilder3110a\unins000.exe"
Perception Secure Browser-->C:\WINDOWS\uninst.exe -f"d:\Program Files\Perception\DeIsL1.isu" -c"d:\Program Files\Perception\_ISREG32.DLL"
PerfectDisk 2008 Professional-->MsiExec.exe /I{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}
PerfectDisk Rx Suite-->MsiExec.exe /I{7C32D736-DDF5-400B-BEB1-479B083CC114}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\setup.exe" -l0x9 -cluninstall
Prism Video Converter-->C:\Program Files\NCH Software\Prism\uninst.exe
Pulse--> -f"d:\Program Files\Canada Tech\Pulse\DeIsL1.isu" -c"d:\Program Files\Canada Tech\Pulse\_ISREG32.DLL"
Questionmark Secure Browser-->C:\Program Files\InstallShield Installation Information\{4004E7A9-C6AF-4A1C-A4D9-FE63F163964C}\setup.exe -runfromtemp -l0x0409
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
QuoteTracker-->"d:\Program Files\QuoteTracker\unins000.exe"
Recuva (remove only)-->"d:\Program Files\Recuva\uninst.exe"
Registry Fix Pro-->C:\PROGRA~1\REGIST~1\UNWISE.EXE C:\PROGRA~1\REGIST~1\INSTALL.LOG
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Rights Management Add-on for Internet Explorer-->MsiExec.exe /I{3505E1E2-8127-4681-A3EC-F9B5CAAA07C9}
Roxio DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sametime Client -->MsiExec.exe /X{72E0E269-0C06-48FA-A00C-D22256E0965B}
Schlumberger DeXa.Badge SCUK 4.4.4.1 Commercial-->MsiExec.exe /X{440CB343-185B-4A98-92B4-9F73334DD4F8}
Schlumberger PC Security-->C:\Program Files\BigFix Enterprise\SLB PCS\SLB PCS Remove.exe
Schlumberger PC Security-->MsiExec.exe /X{0C2A5307-121E-4B87-80D9-FCC0BFD87CAA}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SLB Classification-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A324A12-2FB7-4374-AF55-D124A79CEEFE}\setup.exe"
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoniCalc-->C:\WINDOWS\IsUninst.exe -f"d:\Program Files\Schlumberger\SoniCalc\Uninst.isu"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
System47 Screen Saver-->C:\WINDOWS\system32\System47.scr /u
Timbuktu Pro-->MsiExec.exe /X{9BDAAA54-EC75-4D09-86F2-D2E0F4E5CA24}
Time Zone Data Update Tool for Microsoft Office Outlook-->MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Tool Planner-->"d:\Program Files\Schlumberger\ToolPlanner_SLB\UninstallerData\Uninstall Tool Planner.exe"
TweakNow RegCleaner-->"d:\Program Files\TweakNow RegCleaner\unins001.exe"
Update for Microsoft Visual Studio Web Authoring Component (KB945140)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {F9DE79A2-9049-4589-9787-815147371581}
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Visual FoxPro ODBC Driver-->MsiExec.exe /X{31821EFE-1B31-4744-9FB0-208F92BD7168}
VLC media player 1.0.2-->d:\Program Files\VideoLAN\VLC\uninstall.exe
WAVE 1.3-->C:\WINDOWS\IsUninst.exe -f"d:\Program Files\Schlumberger\WAVE 1.3\Uninst.isu"
WELLTEST-->C:\WINDOWS\IsUninst.exe -fd:\WELLTEST\Uninst.isu
Winamp-->"D:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player Enterprise Deployment-->MsiExec.exe /I{C2CDE75C-CA51-4335-9C13-84C00E6093A5}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinSCP 4.1.3 beta-->"C:\Program Files\WinSCP\unins000.exe"
WinZip-->"C:\PROGRA~1\WINZIP\WINZIP32.EXE" /uninstall
WRS4350-->MsiExec.exe /X{B50ABEEF-B997-4095-B298-2D3DAA127200}

======Security center information======

AV: McAfee VirusScan Enterprise

======System event log======

Computer Name: SMANSOOR-CO-PCE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service PD9Engine with arguments "-Service"
in order to run the server:
{B3779255-F6B9-4668-82D0-8822B7B6110C}

Record Number: 184679
Source Name: DCOM
Time Written: 20090413013545.000000-300
Event Type: error
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service PD9Engine with arguments "-Service"
in order to run the server:
{B3779255-F6B9-4668-82D0-8822B7B6110C}

Record Number: 184678
Source Name: DCOM
Time Written: 20090413013544.000000-300
Event Type: error
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service PD9Engine with arguments "-Service"
in order to run the server:
{B3779255-F6B9-4668-82D0-8822B7B6110C}

Record Number: 184677
Source Name: DCOM
Time Written: 20090413013543.000000-300
Event Type: error
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service PD9Engine with arguments "-Service"
in order to run the server:
{B3779255-F6B9-4668-82D0-8822B7B6110C}

Record Number: 184676
Source Name: DCOM
Time Written: 20090413013542.000000-300
Event Type: error
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service PD9Engine with arguments "-Service"
in order to run the server:
{B3779255-F6B9-4668-82D0-8822B7B6110C}

Record Number: 184675
Source Name: DCOM
Time Written: 20090413013540.000000-300
Event Type: error
User: LAM\smansoor

=====Application event log=====

Computer Name: SMANSOOR-CO-PCE
Event Code: 1001
Message: Detection of product '{7C32D736-DDF5-400B-BEB1-479B083CC114}', feature 'PerfectDiskRx' failed during request for component '{B2794C09-0241-4054-AF4B-964E88AFC920}'

Record Number: 1918715
Source Name: MsiInstaller
Time Written: 20090928091612.000000-300
Event Type: warning
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 1004
Message: Detection of product '{7C32D736-DDF5-400B-BEB1-479B083CC114}', feature 'PerfectDiskRx', component '{87B88B83-D405-464E-9739-C71F79BA8149}' failed. The resource 'HKEY_CURRENT_USER\Software\Raxco\PerfectDiskRx\1.0\' does not exist.

Record Number: 1918714
Source Name: MsiInstaller
Time Written: 20090928091612.000000-300
Event Type: warning
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 1001
Message: Detection of product '{7C32D736-DDF5-400B-BEB1-479B083CC114}', feature 'PerfectDiskRx' failed during request for component '{7AAD829C-CAF1-436B-909B-E2846BE88C3C}'

Record Number: 1918713
Source Name: MsiInstaller
Time Written: 20090928091611.000000-300
Event Type: warning
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 1004
Message: Detection of product '{7C32D736-DDF5-400B-BEB1-479B083CC114}', feature 'PerfectDiskRx', component '{87B88B83-D405-464E-9739-C71F79BA8149}' failed. The resource 'HKEY_CURRENT_USER\Software\Raxco\PerfectDiskRx\1.0\' does not exist.

Record Number: 1918712
Source Name: MsiInstaller
Time Written: 20090928091611.000000-300
Event Type: warning
User: LAM\smansoor

Computer Name: SMANSOOR-CO-PCE
Event Code: 1001
Message: Detection of product '{7C32D736-DDF5-400B-BEB1-479B083CC114}', feature 'PerfectDiskRx' failed during request for component '{7AAD829C-CAF1-436B-909B-E2846BE88C3C}'

Record Number: 1918711
Source Name: MsiInstaller
Time Written: 20090928091611.000000-300
Event Type: warning
User: LAM\smansoor

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%OP_PATH%;C:\Program Files\Schlumberger\Smart Cards and Terminals\Cyberflex Access Kits\v4;D:\Program Files\MBTrading\MBT Navigator;%EXCEED_PATH%;C:\oracle\ora10\bin;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Credant\Shield v5.4.2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f0b
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"MODEL"=Dx30
"X_DETECTEDMODEL"=D630
"X_LOB"=Latitude
"TYPE"=Notebook
"DRVDIR"=C:\DRV
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"EXCEED_PATH"=D:\ExceedNT
"OP_PATH"=d:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin;d:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\lib;d:\Program Files\Schlumberger\MAXIS\16C0-147\bin;d:\Program Files\Schlumberger\MAXIS\16C0-147\lib;
"JAVA_PLUGIN_WEBCONTROL_ENABLE"=1
"LogPrint"=%SystemRoot%\System32\spool\LogPrinters
"UTL_USE_ETC"=1
"OMNIWORKS_PATH"=d:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS;d:\Program Files\Schlumberger\MAXIS\16C0-147
"LOGGING"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection

-----------------EOF-----------------

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:45 PM

Posted 25 October 2009 - 04:01 PM

Hi,
Step 1

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\drivers\svchost.exe"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\drivers\svchost.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Step 2

Please update your version of Malwarebytes and run a quick scan, then post back with the content of the logfile.
Step 3

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Please post back with:
  • Combofix-Logfile
  • Malwarebytes-Logfile
  • ESET-Logfile
  • Fresh RSIT-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
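
The CFScript in Step 1 deletes two values from the Windows Firewall AuthorizedApplications\List keys (in .reg syntax, "name"=- removes a value): the exceptions granted to an svchost.exe sitting under the drivers folder, a location where Windows never places that binary. As an added example, not part of this thread and not ComboFix's or the poster's code, the Python below shows the defender's side of that step: it parses the entries of such a List key and flags any exception granted to a core-Windows binary name (svchost.exe, lsass.exe, ...) that lives outside %windir%\system32, or to an executable registered from a drivers directory. The sample .reg export, the SYSTEM32_ONLY set and the expansion of %windir% to C:\WINDOWS are assumptions made for the example; read_live_entries() reads the real key and only works on Windows.

```python
"""Audit the Windows Firewall AuthorizedApplications list for look-alike
system binaries.  Added example for this thread; not ComboFix's code.

Value format under ...\FirewallPolicy\<Profile>\AuthorizedApplications\List:
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
"""
import ntpath
import re
from typing import Iterable, Iterator, List, NamedTuple, Tuple

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Core binaries a stock Windows XP install keeps only in %windir%\system32
# (assumption: a short illustrative set, extend it for real use).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe"}

# Constructed sample export of a StandardProfile list (not from the thread's machine).
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\WINDOWS\Temp\lsass.exe"="C:\WINDOWS\Temp\lsass.exe:*:Enabled:Windows Update"
'''


class Finding(NamedTuple):
    path: str    # path exactly as stored in the value name
    state: str   # Enabled / Disabled as recorded in the value data
    reason: str  # why the exception was flagged


def parse_reg_export(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (value name, value data) pairs from a .reg-style export."""
    for raw in text.splitlines():
        m = _VALUE_LINE.match(raw.strip())
        if m:
            yield m.group("name"), m.group("data")


def read_live_entries(profile: str = "StandardProfile") -> Iterator[Tuple[str, str]]:
    """Same pairs read from the live registry key; Windows only."""
    import winreg  # imported here so the parser still runs off-Windows
    sub = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\%s\AuthorizedApplications\List" % profile)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:      # raised once the value index runs past the end
                return
            yield name, str(data)
            i += 1


def _expand(path: str, windir: str) -> str:
    """Expand %windir% / %SystemRoot% (assumed to be C:\\WINDOWS by default)."""
    return re.sub(r"%(windir|systemroot)%", lambda _m: windir, path,
                  flags=re.IGNORECASE)


def audit_entries(entries: Iterable[Tuple[str, str]],
                  windir: str = r"C:\WINDOWS") -> List[Finding]:
    """Flag firewall exceptions that point at a misplaced core binary."""
    expected = ntpath.join(windir, "system32").lower()
    findings: List[Finding] = []
    for name, data in entries:
        parts = data.rsplit(":", 3)   # the path itself contains "C:", so split from the right
        if len(parts) != 4:
            continue                  # malformed value: skip rather than guess
        _path, _scope, state, _display = parts
        full = _expand(name, windir).lower()
        base, folder = ntpath.basename(full), ntpath.dirname(full)
        if base in SYSTEM32_ONLY and folder != expected:
            findings.append(Finding(
                name, state, f"{base} belongs in {expected}, found in {folder}"))
        elif "\\drivers\\" in full and base.endswith(".exe"):
            findings.append(Finding(
                name, state, "executable registered from a drivers directory"))
    return findings


if __name__ == "__main__":
    for f in audit_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f.state}] {f.path}: {f.reason}")
```

On a live XP machine, swap parse_reg_export(SAMPLE_REG_EXPORT) for read_live_entries() and run it once per profile (StandardProfile and DomainProfile, the two keys the CFScript touches). The audit only reports; removing the values is left to the helper guiding the cleanup, as in this thread.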

#11 hartley

hartley
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 26 October 2009 - 07:04 AM

Hello Tom, McAfee was showing disabled but it was not. ESET found 0 threats. There was no option to write a log file for ESET. Java has been updated.


ComboFix 09-10-24.01 - smansoor 10/25/2009 20:26.8.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.695 [GMT -5:00]
Running from: c:\documents and settings\smansoor\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\smansoor\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 01:32 . 2009-10-26 01:32 53248 ----a-w- c:\temp\catchme.dll
2009-10-26 01:27 . 2009-10-26 01:27 -------- d-----w- c:\temp\WPDNSE
2009-10-25 19:21 . 2009-10-25 19:21 -------- d-----w- c:\program files\trend micro
2009-10-25 19:21 . 2009-10-25 19:21 -------- d-----w- C:\rsit
2009-10-25 02:43 . 2009-10-25 02:43 -------- d-----w- c:\temp\ExecLogs
2009-10-25 01:49 . 2009-10-25 18:46 -------- d-----w- c:\temp\MessengerCache
2009-10-24 23:17 . 2009-10-24 23:17 -------- d-----r- c:\documents and settings\smansoor\My Pictures
2009-10-24 22:11 . 2009-10-24 22:11 -------- d-----w- c:\temp\VBE
2009-10-24 21:58 . 2009-10-26 01:31 -------- d-----w- c:\temp\W2K
2009-10-24 21:58 . 2009-10-26 01:31 -------- d-----w- c:\temp\EPO
2009-10-24 21:50 . 2009-10-26 01:31 -------- d-----w- c:\temp\RADIA
2009-10-22 22:56 . 2009-10-23 06:16 -------- d-----w- c:\temp\hsperfdata_SMansoor
2009-10-17 18:17 . 2009-10-17 18:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-17 18:14 . 2009-10-17 18:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-10-17 18:13 . 2009-10-17 18:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-16 06:24 . 2009-10-16 06:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-13 16:52 . 2009-10-13 16:52 -------- d-----w- c:\documents and settings\smansoor\dwhelper
2009-10-12 18:02 . 2009-10-12 18:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-12 13:11 . 2009-10-12 13:11 -------- d-sh--w- c:\documents and settings\smansoor\PrivacIE
2009-10-12 13:05 . 2009-10-12 13:05 -------- d-sh--w- c:\documents and settings\smansoor\IETldCache
2009-10-12 12:54 . 2009-10-16 06:23 -------- d-----w- c:\windows\ie8updates
2009-10-12 12:50 . 2009-10-12 12:52 -------- dc-h--w- c:\windows\ie8
2009-10-12 12:48 . 2009-10-12 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-12 12:43 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-12 12:43 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-12 12:43 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-12 12:05 . 2009-10-12 12:05 0 ----a-w- c:\windows\nsreg.dat
2009-10-12 12:05 . 2009-10-12 12:05 -------- d-----w- c:\documents and settings\smansoor\Local Settings\Application Data\Mozilla
2009-09-30 19:57 . 2009-09-30 19:58 -------- d-----w- C:\ERDNT
2009-09-29 18:13 . 2008-04-14 10:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-29 18:13 . 2008-04-14 10:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-29 18:13 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-29 18:13 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-29 18:13 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-29 18:13 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-29 18:13 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-09-29 18:13 . 2008-04-14 03:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-09-29 18:11 . 2001-08-17 18:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2009-09-29 18:10 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2009-09-29 18:09 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2009-09-29 18:08 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2009-09-29 18:07 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2009-09-29 18:06 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2009-09-29 18:05 . 2001-08-18 03:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2009-09-29 18:04 . 2001-08-17 18:52 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
2009-09-29 18:03 . 2008-04-14 10:40 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2009-09-29 18:02 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-09-29 18:01 . 2001-08-17 18:49 15872 -c--a-w- c:\windows\system32\dllcache\ne2000.sys
2009-09-29 18:00 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-09-29 17:59 . 2008-04-14 03:09 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2009-09-29 17:58 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-29 17:57 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll
2009-09-29 17:56 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2009-09-29 17:55 . 2008-04-14 05:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2009-09-29 17:54 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2009-09-29 17:53 . 2001-08-17 17:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 17:52 . 2001-08-17 18:52 14720 -c--a-w- c:\windows\system32\dllcache\dac960nt.sys
2009-09-29 17:51 . 2001-08-17 17:13 164923 -c--a-w- c:\windows\system32\dllcache\diapi2.sys
2009-09-29 17:50 . 2001-08-17 19:56 137216 -c--a-w- c:\windows\system32\dllcache\atidrae.dll
2009-09-28 20:03 . 2009-10-22 15:15 -------- d-----w- c:\documents and settings\smansoor\Application Data\vlc
2009-09-28 18:49 . 2009-09-28 18:49 -------- d-----w- c:\program files\WinPcap
2009-09-28 18:48 . 2009-09-28 18:48 -------- d-----w- c:\program files\Sector69
2009-09-27 19:44 . 2008-04-14 10:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-27 19:44 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-27 18:03 . 2009-09-27 18:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-27 17:49 . 2009-06-19 20:37 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-27 17:49 . 2009-06-19 20:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-27 17:49 . 2009-06-19 20:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-27 16:06 . 2009-09-28 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 21:01 . 2007-05-07 16:23 -------- d-----w- c:\program files\Novadigm
2009-10-25 19:43 . 2009-01-16 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-25 17:43 . 2009-05-27 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Credant
2009-10-24 21:56 . 2007-05-07 21:10 -------- d-----w- c:\program files\Connected
2009-10-17 18:01 . 2007-06-11 15:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-17 13:56 . 2009-08-23 20:53 -------- d-----w- c:\documents and settings\smansoor\Application Data\IObit
2009-10-08 22:09 . 2007-12-26 18:23 420 ----a-w- c:\windows\License.Dat
2009-10-02 01:29 . 2007-05-07 15:54 -------- d-----w- c:\program files\microsoft frontpage
2009-09-30 23:52 . 2007-08-01 00:48 46416 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 18:36 . 2007-05-07 16:24 46416 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 01:45 . 2009-01-09 23:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-27 00:10 . 2009-07-06 00:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-22 14:01 . 2008-09-03 20:56 -------- d-----w- c:\program files\Microsoft
2009-09-22 14:01 . 2009-09-22 14:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-22 14:00 . 2008-02-27 20:03 -------- d-----w- c:\program files\Windows Live
2009-09-22 13:57 . 2009-09-22 13:57 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-22 01:35 . 2009-02-27 20:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 19:54 . 2009-06-21 17:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-21 17:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-09 15:58 . 2009-08-09 15:58 116448 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:35 . 2009-08-04 13:35 61224 ----a-w- c:\documents and settings\smansoor\GoToAssistDownloadHelper.exe
2009-08-01 14:39 . 2009-08-01 14:39 22016 ----a-w- c:\windows\system32\AdobePDF.dll
2008-10-13 13:45 . 2008-09-08 18:54 88 --sh--r- c:\windows\system32\087FC146C5.sys
2008-10-13 13:45 . 2008-09-08 18:40 3818 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="d:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"RUNRADTRAY"="c:\progra~1\Novadigm\radtray.exe" [2008-01-04 241844]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5730144]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"EXCEEDLOGS"="RemoveExceedLogs.exe" - d:\program files\Schlumberger\MAXIS\16C0-147\BIN\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"="EmsServiceHelper.exe" - c:\windows\system32\EMSServiceHelper.exe [2009-04-08 1967464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Connected TaskBar Icon.LNK - c:\program files\Connected\CBSysTray.exe [2007-11-2 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-04 13:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 00:44 34304 ----a-w- c:\windows\system32\ScCertProp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 18:18 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 15:13 161128 ----a-w- c:\windows\system32\CmgShieldNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autochk

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\0\0]
"Script"=changeprofile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\1\0]
"Script"=RadiaVeriClean_040309.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1547161642-861567501-725345543-314035\Scripts\Logon\2\0]
"Script"=remove-aodc.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK
backup=c:\windows\pss\Connected TaskBar Icon.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
path=
backup=c:\windows\pss\Log Printer Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2 (0x2)
"PD91Engine"=3 (0x3)
"PD91Agent"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\RadUIShell.exe"= c:\\Program Files\\Novadigm\\raduishell.exe
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\Connected\\COBackup.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"d:\\Program Files\\FTL\\FTL.exe"=
"d:\\Program Files\\FTL\\FTLAgent.Net.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtProc1.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\ECCenter1.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 10:14 404592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/27/2009 12:49 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/27/2009 12:49 46864]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [4/30/2008 14:54 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 10:11 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 10:08 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [5/7/2007 17:19 52432]
R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [2/20/2007 13:59 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [6/5/2009 18:05 172210]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [2/17/2009 14:15 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [5/7/2007 17:30 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 5:43 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 5:43 10752]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 ThreatFire;ThreatFire;d:\program files\ThreatFire\TFService.exe service --> d:\program files\ThreatFire\TFService.exe service [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 161128]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 13:49 10240]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 15:22 34064]
S3 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 13:12 693512]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 13:12 910600]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [4/14/2001 0:22 22474]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/27/2009 12:49 33552]
S4 PD9Engine;PD9Engine;c:\program files\Raxco\PerfectDiskRx\PD9Engine.exe [6/18/2007 14:11 689680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-26 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hub.slb.com
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - d:\program files\PRMT78\PRMTIE\prmtie5.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - d:\program files\PRMT78\PRMTIE\options.htm
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hub.slb.com/
FF - plugin: c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="14A2AC740BE21EA588D2C33DFD3946F9C5831E008DAA9FC45636D314C5D8E9D2FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67948EDD5E5BE2F6E667A9C6AECB7A5D14079C0D6B16936BD8BCA4B07FB9E04F642258608F183BE2ACFB88AFE266F7CF3C9507F00943BB9B171B1B753245D4ABB8AFB6534B1C5755D31288BF6DBB1983F0D3D6FD231E72E45620A754F48CD1B24092C41BC906A482E49D82D39927862656FEDFD6ED294A21A0CA6E0A30F5CAA84A7B13AE4B3D92B79720923A1C2FCDB0A60B6AC2322E9092D49E8276E12669B6FA2022A6A0E9C726729F4666391CB07EEDEDB3AECAB442DC2624EC9E1A0C076ACAB76942B1781B6653A5A0EDCE7EA44D90226A2A2A8F92891AE5AC2C80D6B3B58400D1E2771B9AF16ABF988CCB27D2C142A6B369D24F68838C74B0ECCB7AB2EDC839390E80C585A6BB7E1A2232AC1AE38D7DA6435DCB5D9C2D62DE4FCB30FCCB8AA7F1EDEF3350C7227904AF1AE88A9DCF2E4FB4F6204087FB48116ADF73BCED9214C2D07BDE247BC8C928DD2F7AE9BFBB422E5EDDAC155ED24292757C83D2547BCCE4296C8BDDCB310C4FF5304232FCD54937816992109BDA6E25CEADE450E5369F068A23BC8DA8AFE2B3686F6811EB7955D1087FBA1D2212F07EF58FE1806A84E349B1103DF7E1EDF483C7D555E689D2FEDA7E9CCE5A35CCF2C6915203DA10016F447A3A1A94AFE669E3C85F38CA3464DD2292523F9A7CB19D1BE93C1C916815A180E73B23112CEDEEE8C9190385AF8412EB1A44BDE3853BA38DEAA63E076903D97D9EC26E4E55A5B7A0C726EB14A3DA3FEE8CA943F0BFB6B422267EC3536A5C7C2B6A12545F0E87F98765C0EB289A688A5984D08AB000498CD1D0C4C7C1AB88F2F03880730E1C5F6D13EA31C328057C1FC943181145FE69E409430F2AD1CCC5A9A899762BD6AA505128C1D8722D35BDACD3AC741C8558607CAA7A888F3752A11120C4F322E8484D66A379A941056326E30048ED31FA8DCC198A976AE05828811E191389412A65A073D1462B38302C02FB4B42A21D65822480725F89C8D21A1CC8C983DFB432DA65C1F87CF725E40CF530A4E940ECB7FE2A001EBBC939F5597D8EDC38AEEE4F620C9DCE18C11C8DE7F4BFF0330D7517AF7CE43FB724E3C27C0570EF7546A300995B59FD394972C5084AEB87B6604EDEA68706FB06A64373FBE7F1152608CD79046ACCA521E6C1E016937CB43125501C550FB86B797213F1352C1B51D76AA8248628CD58B785E8E323C23BB77FDE1C131729D89B8D3C525FE92E7A20BCF6B61DECD2BD9E07250907A19C77C5281F16B9A642
C68E5C4E458C3F9EA0EF2BCD3CB4E4017AF03FD789B9683C0486D21062BBA31766B6A984F4833F8020"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\entrshel.dll
c:\windows\system32\entelres.dll
c:\windows\system32\etlog.dll
c:\windows\system32\ETCOMPS.dll
c:\windows\system32\etclires.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-26 20:34
ComboFix-quarantined-files.txt 2009-10-26 01:34
ComboFix2.txt 2009-10-25 18:54
ComboFix3.txt 2009-10-25 01:30
ComboFix4.txt 2009-10-25 00:06

Pre-Run: 12,875,943,936 bytes free
Post-Run: 12,835,786,752 bytes free

Current=3 Default=3 Failed=4 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 8A31B82113B52DF636AEC03C030326FE

Malwarebytes' Anti-Malware 1.41
Database version: 3033
Windows 5.1.2600 Service Pack 3

10/25/2009 20:55:51
mbam-log-2009-10-25 (20-55-51).txt

Scan type: Quick Scan
Objects scanned: 117338
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of random's system information tool 1.06 (written by random/random)
Run by smansoor at 2009-10-26 06:55:53
Microsoft Windows XP Professional Service Pack 3
System drive C: has 12 GB (40%) free of 31 GB
Total RAM: 1022 MB (36% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:13 AM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
c:\PROGRA~1\Novadigm\radexecd.exe
c:\PROGRA~1\Novadigm\radsched.exe
c:\PROGRA~1\Novadigm\Radstgms.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\smansoor\Desktop\RSIT.exe
C:\Program Files\trend micro\smansoor.exe
C:\Program Files\BigFix Enterprise\SLB PCS\SLB.PCS.Client.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - D:\Program Files\PRMT78\PRMTIE\prmtie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CMGShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RUNRADTRAY] c:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = lam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = lam.slb.com
O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - c:\PROGRA~1\Novadigm\Radstgms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThreatFire - Unknown owner - d:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13411 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2009-08-01 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78104A01-8E71-4F30-9A36-3793799615B4}]
ViewerHelper Class - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll [2005-01-27 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-07-16 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{FF284F5C-7CF9-4682-8701-D467C1DBB99F} - Translator - D:\Program Files\PRMT78\PRMTIE\prmtie.dll [2007-06-15 454656]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"=C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-07-16 111952]
"RUNRADTRAY"=c:\PROGRA~1\Novadigm\radtray.exe [2008-01-04 241844]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2008-11-10 136512]
"EXCEEDLOGS"=d:\Program Files\Schlumberger\MAXIS\16C0-147\bin\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"=C:\WINDOWS\system32\EmsServiceHelper.exe [2009-04-08 1967464]
"Communicator"=C:\Program Files\Microsoft Office Communicator\communicator.exe [2008-12-16 5730144]
"Malwarebytes Anti-Malware (reboot)"=D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2009-10-25 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"=D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
c:\Program Files\Adobe\Distillr\Acrotray.exe [2009-08-01 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2007-10-09 2183168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmgShieldUI]
C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskMonitor]
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe [2007-09-11 65583]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Connected Agent]
D:\Program Files\FTL\FTLAgent.Net.exe [2009-09-22 350024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Email Agent]
D:\Program Files\FTL\FTLAgent.exe [2008-07-31 194192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i-Handbook]
D:\Program Files\Schlumberger\i-Handbook.exe [2008-02-22 9688064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [2007-07-31 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
D:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-04-28 8429568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
nvHotkey.dll,Start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2007-04-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PerfectDiskRx]
C:\Program Files\Raxco\PerfectDiskRx\PerfectDiskRx.exe [2008-10-13 6030864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
C:\WINDOWS\stsystra.exe [2007-02-19 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
C:\Program Files\Timbuktu Pro\minitb2.exe [2006-10-24 1028096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-08-01 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
C:\PROGRA~1\Toshiba\BLUETO~1\TosBtMng.exe [2007-07-30 2158592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
C:\PROGRA~1\CONNEC~1\CBSYST~1.EXE [2008-02-27 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
C:\PROGRA~1\COMMON~1\SCHLUM~2\LOGPRI~1.EXE [2007-09-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2
"PD91Engine"=3
"PD91Agent"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CMGShieldNP]
C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2009-08-04 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\slbScCertProp]
C:\WINDOWS\system32\ScCertProp.dll [2003-12-19 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Timbuktu Pro]
C:\Program Files\Timbuktu Pro\Hook32.dll [2006-10-24 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CMGShield]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=NOTICE TO ALL USERS
"legalnoticetext"=Use is restricted to Schlumberger authorized users who must comply with company policies, including but not limited to the Schlumberger Information Security User Standard. Usage is monitored, unauthorized use will be prosecuted. This system may not, under any circumstances, be taken into Cuba, Iran, North Korea, Sudan or Syria.
Refer to http://tradecompliance.slb.com for updates to the list of restricted countries and countries which, without prior authorization, prohibit the importation of encryption software present in this installation. These materials are licensed to or copyright © Schlumberger and/or its affiliates. All rights reserved. There may be a charge for the use or copying of these materials.
By accessing these materials you agree to pay any such fee and comply with all terms and conditions for their use.
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"HonorAutorunSetting"=1
"ForceStartMenuLogOff"=1
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutorunSetting"=
"NoDriveAutoRun"=
"NoDrives"=
"NoResolveSearch"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Novadigm\RadUIShell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe:*:Enabled:Bluetooth Information Exchanger"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe:*:Enabled:Bluetooth Settings"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Novadigm\raduishell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass.exe"
"D:\ExceedNT\exceed.exe"="D:\ExceedNT\exceed.exe:*:Enabled:Exceed for Windows NT"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"D:\Program Files\QuoteTracker\stocks.exe"="D:\Program Files\QuoteTracker\stocks.exe:*:Enabled:QuoteTracker"
"D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe"="D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe:*:Enabled:MbtNav.exe"
"D:\Program Files\VideoLAN\VLC\vlc.exe"="D:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe:*:Enabled:MAXIS© Application"
"D:\Program Files\FileZilla\FileZilla.exe"="D:\Program Files\FileZilla\FileZilla.exe:*:Enabled:FileZilla"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe:*:Enabled:MAXIS© Application"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Novadigm\IntegrationServer\nvdkit.exe"="C:\Novadigm\IntegrationServer\nvdkit.exe:*:enabled:Radia Integration Server"
"C:\Novadigm\ManagementAgent\nvdkit.exe"="C:\Novadigm\ManagementAgent\nvdkit.exe:*:enabled:Radia Management Agent"
"C:\Novadigm\MessagingServer\nvdkit.exe"="C:\Novadigm\MessagingServer\nvdkit.exe:*:enabled:Radia Messaging Server"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\OpenSpirit\external\Jre\bin\java.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\java.exe:*:Enabled:java"
"C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe"="C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe:*:Enabled:Petrel 2005: Geological 3D Visualization and Modeling"
"C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe"="C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe:*:Enabled:Petrel 2004: Geological 3D Visualization and Modeling"
"C:\Program Files\FTL\FTL.exe"="C:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"C:\Program Files\FTL\FTLAgent.Net.exe"="C:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:SR_Service.exe"
"C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:Enabled:eXceed 7.0"
"C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe:*:Enabled:eXceed 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Communicator"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"

======List of files/folders created in the last 1 months======

2009-10-26 00:53:01 ----D---- C:\WINDOWS\SoftwareDistribution
2009-10-25 21:12:22 ----D---- C:\WINDOWS\LastGood
2009-10-25 21:12:20 ----D---- C:\Program Files\ESET
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\java.exe
2009-10-25 20:34:55 ----A---- C:\ComboFix.txt
2009-10-25 20:31:51 ----D---- C:\WINDOWS\temp
2009-10-25 14:21:13 ----D---- C:\Program Files\trend micro
2009-10-25 14:21:12 ----D---- C:\rsit
2009-10-24 19:06:38 ----A---- C:\log.txt
2009-10-24 18:56:11 ----A---- C:\WINDOWS\zip.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWSC.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWREG.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\sed.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\PEV.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\NIRCMD.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\grep.exe
2009-10-24 18:54:35 ----D---- C:\Qoobox
2009-10-12 07:54:27 ----D---- C:\WINDOWS\ie8updates
2009-10-12 07:50:59 ----HDC---- C:\WINDOWS\ie8
2009-10-12 07:48:58 ----D---- C:\Documents and Settings\All Users\Application Data\NOS

#12 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 26 October 2009 - 02:06 PM

Hi,


How is your system running?


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please post back with:
  • Combofix-Logfile
  • Fresh RSIT-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
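The CFScript above removes a firewall exception for an svchost.exe under system32\drivers, a directory where no svchost.exe belongs. As an added example (not the poster's or ComboFix's code), here is a Python check that parses the AuthorizedApplications\List section of such a log and flags a well-known system binary listed from the wrong directory; the sample log text, the EXPECTED_DIR table and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of the AuthorizedApplications\List section
# of a ComboFix/RSIT log. The drivers\svchost.exe entry mirrors the one the
# CFScript removes; the other entries are ordinary application exceptions.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
'''

# The section we care about ends with this key fragment.
SECTION_KEY = "AuthorizedApplications\\List]"

# Directory where Windows XP keeps each of these binaries (constructed table);
# a copy of the same file name anywhere else is worth a closer look.
EXPECTED_DIR = {
    "svchost.exe": r"%windir%\system32",
    "sessmgr.exe": r"%windir%\system32",
    "lsass.exe": r"%windir%\system32",
    "csrss.exe": r"%windir%\system32",
    "explorer.exe": r"%windir%",
}

# One log entry looks like  "<escaped path>"=  (possibly followed by a value)
ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)"=')


def normalise(path: str) -> str:
    """Unescape the doubled backslashes, lower-case, and fold c:\\windows to %windir%."""
    p = path.replace("\\\\", "\\").lower()
    return re.sub(r"^[a-z]:\\windows", "%windir%", p)


def parse_authorized_apps(log: str) -> List[str]:
    """Return normalised executable paths listed under AuthorizedApplications\\List."""
    paths: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new registry key header: track whether it is the section we want.
            in_section = line.endswith(SECTION_KEY)
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            paths.append(normalise(m.group("path")))
    return paths


def check_entry(path: str) -> str:
    """Return a reason if the exception looks wrong, or an empty string if it looks fine."""
    directory, _, name = path.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected.lower():
        return f"{name} expected in {expected}, found in {directory}"
    # The drivers directory holds .sys files; an .exe there is out of place.
    if directory.startswith(r"%windir%\system32\drivers") and name.endswith(".exe"):
        return "executable placed in the drivers directory"
    return ""


def find_suspicious(log: str) -> List[Tuple[str, str]]:
    """Pair each flagged firewall exception with the reason it was flagged."""
    flagged = []
    for p in parse_authorized_apps(log):
        reason = check_entry(p)
        if reason:
            flagged.append((p, reason))
    return flagged


if __name__ == "__main__":
    for path, reason in find_suspicious(SAMPLE_LOG):
        print(f"SUSPICIOUS: {path}  ({reason})")
```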

#13 hartley (Topic Starter)

  • Members
  • 14 posts

Posted 26 October 2009 - 06:14 PM

ComboFix 09-10-24.01 - smansoor 10/26/2009 17:53.9.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.585 [GMT -5:00]
Running from: c:\documents and settings\smansoor\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\smansoor\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [2/17/2009 14:15 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [5/7/2007 17:30 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 5:43 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 5:43 10752]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 ThreatFire;ThreatFire;d:\program files\ThreatFire\TFService.exe service --> d:\program files\ThreatFire\TFService.exe service [?]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 161128]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 13:49 10240]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 15:22 34064]
S3 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 13:12 693512]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 13:12 910600]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [4/14/2001 0:22 22474]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/27/2009 12:49 33552]
S4 PD9Engine;PD9Engine;c:\program files\Raxco\PerfectDiskRx\PD9Engine.exe [6/18/2007 14:11 689680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-26 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hub.slb.com
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - d:\program files\PRMT78\PRMTIE\prmtie5.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - d:\program files\PRMT78\PRMTIE\options.htm
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: dell.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hub.slb.com/
FF - plugin: c:\documents and settings\smansoor\Application Data\Mozilla\Firefox\Profiles\7hy4ppd3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 17:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll

- - - - - - - > 'explorer.exe'(2656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\entrshel.dll
c:\windows\system32\entelres.dll
c:\windows\system32\etlog.dll
c:\windows\system32\ETCOMPS.dll
c:\windows\system32\etclires.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-26 18:01
ComboFix-quarantined-files.txt 2009-10-26 23:01
ComboFix2.txt 2009-10-26 01:34
ComboFix3.txt 2009-10-25 18:54
ComboFix4.txt 2009-10-25 01:30
ComboFix5.txt 2009-10-26 22:49

Pre-Run: 9,538,068,480 bytes free
Post-Run: 9,452,871,680 bytes free

Current=3 Default=3 Failed=4 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 676B8D5129A50006E68CA2629D51B4D1

Logfile of random's system information tool 1.06 (written by random/random)
Run by smansoor at 2009-10-26 18:01:52
Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (29%) free of 31 GB
Total RAM: 1022 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:06 PM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
c:\PROGRA~1\Novadigm\radexecd.exe
c:\PROGRA~1\Novadigm\radsched.exe
c:\PROGRA~1\Novadigm\Radstgms.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\smansoor\Desktop\RSIT.exe
C:\Program Files\trend micro\smansoor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - D:\Program Files\PRMT78\PRMTIE\prmtie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CMGShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RUNRADTRAY] c:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = lam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = lam.slb.com
O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - c:\PROGRA~1\Novadigm\Radstgms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThreatFire - Unknown owner - d:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13067 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2009-08-01 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78104A01-8E71-4F30-9A36-3793799615B4}]
ViewerHelper Class - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll [2005-01-27 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-07-16 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{FF284F5C-7CF9-4682-8701-D467C1DBB99F} - Translator - D:\Program Files\PRMT78\PRMTIE\prmtie.dll [2007-06-15 454656]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"=C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-07-16 111952]
"RUNRADTRAY"=c:\PROGRA~1\Novadigm\radtray.exe [2008-01-04 241844]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2008-11-10 136512]
"EXCEEDLOGS"=d:\Program Files\Schlumberger\MAXIS\16C0-147\bin\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"=C:\WINDOWS\system32\EmsServiceHelper.exe [2009-04-08 1967464]
"Communicator"=C:\Program Files\Microsoft Office Communicator\communicator.exe [2008-12-16 5730144]
"Malwarebytes Anti-Malware (reboot)"=D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2009-10-25 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"=D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
c:\Program Files\Adobe\Distillr\Acrotray.exe [2009-08-01 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2007-10-09 2183168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmgShieldUI]
C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskMonitor]
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe [2007-09-11 65583]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Connected Agent]
D:\Program Files\FTL\FTLAgent.Net.exe [2009-09-22 350024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Email Agent]
D:\Program Files\FTL\FTLAgent.exe [2008-07-31 194192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i-Handbook]
D:\Program Files\Schlumberger\i-Handbook.exe [2008-02-22 9688064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [2007-07-31 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
D:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-04-28 8429568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
nvHotkey.dll,Start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2007-04-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PerfectDiskRx]
C:\Program Files\Raxco\PerfectDiskRx\PerfectDiskRx.exe [2008-10-13 6030864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
C:\WINDOWS\stsystra.exe [2007-02-19 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
C:\Program Files\Timbuktu Pro\minitb2.exe [2006-10-24 1028096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-08-01 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
C:\PROGRA~1\Toshiba\BLUETO~1\TosBtMng.exe [2007-07-30 2158592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
C:\PROGRA~1\CONNEC~1\CBSYST~1.EXE [2008-02-27 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
C:\PROGRA~1\COMMON~1\SCHLUM~2\LOGPRI~1.EXE [2007-09-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2
"PD91Engine"=3
"PD91Agent"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CMGShieldNP]
C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2009-08-04 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\slbScCertProp]
C:\WINDOWS\system32\ScCertProp.dll [2003-12-19 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Timbuktu Pro]
C:\Program Files\Timbuktu Pro\Hook32.dll [2006-10-24 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CMGShield]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=NOTICE TO USERS
"legalnoticetext"=Use is restricted to Schlumberger authorized users who must comply with company policies, including but not limited to the Schlumberger Information Security User Standard. Usage is monitored, unauthorized use will be prosecuted. This system may not, under any circumstances, be taken into Cuba, Syria, Iran, North Korea, or Sudan. Refer to http://tradecompliance.slb.com for updates to the list of restricted countries and countries which, without prior authorization, prohibit the importation of encryption software present in this installation. These materials are licensed to or copyright © Schlumberger and/or its affiliates. All rights reserved. There may be a charge for the use or copying of these materials. By accessing these materials you agree to pay any such fee and comply with all terms and conditions for their use.
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"HonorAutorunSetting"=1
"ForceStartMenuLogOff"=1
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutorunSetting"=
"NoDriveAutoRun"=
"NoDrives"=
"NoResolveSearch"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Novadigm\RadUIShell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe:*:Enabled:Bluetooth Information Exchanger"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe:*:Enabled:Bluetooth Settings"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Novadigm\raduishell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass.exe"
"D:\ExceedNT\exceed.exe"="D:\ExceedNT\exceed.exe:*:Enabled:Exceed for Windows NT"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"D:\Program Files\QuoteTracker\stocks.exe"="D:\Program Files\QuoteTracker\stocks.exe:*:Enabled:QuoteTracker"
"D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe"="D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe:*:Enabled:MbtNav.exe"
"D:\Program Files\VideoLAN\VLC\vlc.exe"="D:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe:*:Enabled:MAXIS© Application"
"D:\Program Files\FileZilla\FileZilla.exe"="D:\Program Files\FileZilla\FileZilla.exe:*:Enabled:FileZilla"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe:*:Enabled:MAXIS© Application"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Novadigm\IntegrationServer\nvdkit.exe"="C:\Novadigm\IntegrationServer\nvdkit.exe:*:enabled:Radia Integration Server"
"C:\Novadigm\ManagementAgent\nvdkit.exe"="C:\Novadigm\ManagementAgent\nvdkit.exe:*:enabled:Radia Management Agent"
"C:\Novadigm\MessagingServer\nvdkit.exe"="C:\Novadigm\MessagingServer\nvdkit.exe:*:enabled:Radia Messaging Server"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\OpenSpirit\external\Jre\bin\java.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\java.exe:*:Enabled:java"
"C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe"="C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe:*:Enabled:Petrel 2005: Geological 3D Visualization and Modeling"
"C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe"="C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe:*:Enabled:Petrel 2004: Geological 3D Visualization and Modeling"
"C:\Program Files\FTL\FTL.exe"="C:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"C:\Program Files\FTL\FTLAgent.Net.exe"="C:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:SR_Service.exe"
"C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:Enabled:eXceed 7.0"
"C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe:*:Enabled:eXceed 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Communicator"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"

======List of files/folders created in the last 1 months======

2009-10-26 18:01:20 ----A---- C:\ComboFix.txt
2009-10-26 17:58:41 ----D---- C:\WINDOWS\temp
2009-10-26 00:53:01 ----D---- C:\WINDOWS\SoftwareDistribution
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\java.exe
2009-10-25 14:21:13 ----D---- C:\Program Files\trend micro
2009-10-25 14:21:12 ----D---- C:\rsit
2009-10-24 19:06:38 ----A---- C:\log.txt
2009-10-24 18:56:11 ----A---- C:\WINDOWS\zip.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWSC.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWREG.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\sed.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\PEV.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\NIRCMD.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\grep.exe
2009-10-24 18:54:35 ----D---- C:\Qoobox
2009-10-12 07:54:27 ----D---- C:\WINDOWS\ie8updates
2009-10-12 07:50:59 ----HDC---- C:\WINDOWS\ie8
2009-10-12 07:48:58 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-10-12 07:05:17 ----D---- C:\Documents and Settings\smansoor\Application Data\Mozilla
2009-10-01 15:23:59 ----RASHD---- C:\cmdcons
2009-10-01 15:23:24 ----D---- C:\WINDOWS\setupupd
2009-10-01 07:35:14 ----A---- C:\RootRepeal report 10-01-09 (07-35-14).txt
2009-09-30 14:57:45 ----D---- C:\ERDNT
2009-09-30 13:22:36 ----D---- C:\RECYCLER
2009-09-28 15:03:29 ----D---- C:\Documents and Settings\smansoor\Application Data\vlc
2009-09-28 13:49:02 ----D---- C:\Program Files\WinPcap
2009-09-28 13:48:43 ----D---- C:\Program Files\Sector69
2009-09-27 14:44:14 ----A---- C:\WINDOWS\system32\proquota.exe
2009-09-27 14:21:46 ----D---- C:\WINDOWS\ERDNT
2009-09-27 14:08:30 ----RASH---- C:\BOOT.BAK
2009-09-27 14:08:09 ----A---- C:\WINDOWS\UPGRADE.TXT
2009-09-27 14:08:04 ----D---- C:\WINDOWS\setup.pss
2009-09-27 13:03:02 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-09-27 11:59:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-27 11:06:51 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools

======List of files/folders modified in the last 1 months======

2009-10-26 18:01:54 ----D---- C:\TEMP
2009-10-26 17:59:19 ----D---- C:\WINDOWS
2009-10-26 17:59:19 ----A---- C:\WINDOWS\system.ini
2009-10-26 17:56:15 ----D---- C:\WINDOWS\system32\drivers
2009-10-26 17:56:15 ----D---- C:\WINDOWS\system32
2009-10-26 17:56:15 ----D---- C:\WINDOWS\AppPatch
2009-10-26 17:56:11 ----D---- C:\Program Files\Common Files
2009-10-26 17:52:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-26 17:51:35 ----D---- C:\WINDOWS\Prefetch
2009-10-26 17:28:07 ----D---- C:\Program Files
2009-10-26 17:12:39 ----D---- C:\Program Files\Connected
2009-10-26 16:01:12 ----D---- C:\Program Files\Novadigm
2009-10-26 07:23:53 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-26 04:18:59 ----D---- C:\WINDOWS\security
2009-10-25 21:12:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-25 21:07:20 ----SHD---- C:\WINDOWS\Installer
2009-10-25 21:07:19 ----D---- C:\Config.Msi
2009-10-25 21:07:02 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-25 13:48:26 ----D---- C:\WINDOWS\system32\config
2009-10-25 13:27:40 ----D---- C:\WINDOWS\Lhsp
2009-10-25 12:43:05 ----D---- C:\Documents and Settings\All Users\Application Data\Credant
2009-10-24 18:15:11 ----HD---- C:\WINDOWS\inf
2009-10-18 12:05:18 ----A---- C:\WINDOWS\PDSView.INI
2009-10-17 13:27:17 ----SHD---- C:\WINDOWS\CSC
2009-10-17 08:56:10 ----D---- C:\Documents and Settings\smansoor\Application Data\IObit
2009-10-16 01:41:48 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-16 01:41:38 ----RSD---- C:\WINDOWS\assembly
2009-10-16 01:29:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-16 01:28:30 ----D---- C:\WINDOWS\WinSxS
2009-10-16 01:23:51 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-16 01:23:49 ----D---- C:\Program Files\Internet Explorer
2009-10-16 01:23:33 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-14 09:39:32 ----A---- C:\WINDOWS\welltest.INI
2009-10-13 07:22:46 ----D---- C:\WINDOWS\Debug
2009-10-12 08:04:27 ----D---- C:\WINDOWS\system32\en-US
2009-10-12 08:04:25 ----D---- C:\WINDOWS\Media
2009-10-12 08:04:25 ----D---- C:\WINDOWS\Help
2009-10-03 16:23:53 ----SHD---- C:\System Volume Information
2009-10-03 16:23:53 ----D---- C:\WINDOWS\system32\Restore
2009-10-01 20:29:21 ----D---- C:\WINDOWS\msapps
2009-10-01 20:29:21 ----D---- C:\Program Files\microsoft frontpage
2009-10-01 20:29:21 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-01 20:29:20 ----D---- C:\WINDOWS\system
2009-10-01 15:32:50 ----RASH---- C:\boot.ini
2009-09-30 14:37:18 ----D---- C:\WINDOWS\system32\wbem
2009-09-30 13:39:57 ----AC---- C:\WINDOWS\ODBC.INI
2009-09-30 13:39:38 ----A---- C:\WINDOWS\win.ini
2009-09-30 13:31:00 ----SD---- C:\WINDOWS\Tasks
2009-09-30 12:49:41 ----RSD---- C:\WINDOWS\Fonts
2009-09-30 12:49:30 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-09-28 07:01:43 ----D---- C:\WINDOWS\Minidump
2009-09-27 20:45:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-09-27 19:18:23 ----D---- C:\Quarantine
2009-09-27 11:52:12 ----A---- C:\WINDOWS\wininit.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-07-16 52104]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_13073.SYS []
R1 Tb2Device;TB2 Remote Control Driver; C:\WINDOWS\NetopiaRC\Tb2Device.sys [2006-08-23 7244]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver; C:\WINDOWS\NetopiaRC\Tb2MirrorSys.sys [2006-08-23 15439]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 Tosrfcom;Bluetooth RFCOMM; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2007-05-24 64000]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter; C:\WINDOWS\system32\drivers\bcmwlnpf.sys [2007-10-09 33664]
R2 DefragFS;DefragFS; C:\WINDOWS\system32\drivers\DefragFS.sys [2008-08-28 71184]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 ETFSDNT;Entrust File System Hook; \??\C:\WINDOWS\system32\etfsdrv.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 vddidecr;Digital Delivery Decrypting Device; C:\WINDOWS\system32\drivers\vddidecr.sys [2005-08-18 109312]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-03-13 160256]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-10-09 1123328]
R3 catchme;catchme; \??\C:\Temp\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2008-04-30 23552]
R3 Egatebus;Egatebus; C:\WINDOWS\system32\drivers\egatebus.sys [2005-03-01 11264]
R3 Egaterdr;Egaterdr; C:\WINDOWS\system32\drivers\egaterdr.sys [2005-03-01 10752]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 guardian2;guardian2; C:\WINDOWS\System32\Drivers\oz776.sys [2007-02-23 56576]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-11-02 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-11-02 209152]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-07-16 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-07-16 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-07-16 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-07-16 174952]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-04-28 6727136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-02-19 1228296]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-10-18 38288]
R3 tosporte;Bluetooth COM Port; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2006-10-10 41600]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-14 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-11-02 730112]
S2 R72_NT4;R72_NT4; C:\WINDOWS\system32\drivers\R72_NT4.sys []
S2 R72V2NT4;R72V2NT4; C:\WINDOWS\system32\drivers\R72V2NT4.sys []
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-14 48128]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-14 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 CmgShieldNP;CmgShieldNP; C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-14 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 ptiusbf;PTI USB Filter; C:\WINDOWS\SYSTEM32\DRIVERS\PTIUSBF.SYS [2001-04-14 22474]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 tosrfbd;Bluetooth RFBUS; C:\WINDOWS\system32\DRIVERS\tosrfbd.sys [2007-04-24 113920]
S3 tosrfbnp;Bluetooth RFBNEP; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2006-11-20 36480]
S3 Tosrfhid;Bluetooth RFHID; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2007-03-01 73728]
S3 tosrfnds;Bluetooth Personal Area Network; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612]
S3 tosrfusb;Bluetooth USB Controller; C:\WINDOWS\system32\DRIVERS\tosrfusb.sys [2007-04-10 41856]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2005-05-13 28672]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgentSrv;Connected Agent Service; C:\Program Files\Connected\AgentSrv.EXE [2008-02-27 258048]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BESClient;BES Client; C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe [2009-01-22 2329672]
R2 CMGShield;CMG Shield; C:\WINDOWS\system32\CmgShieldSvc.exe [2009-04-08 2057576]
R2 dsNcService;Juniper Network Connect Service; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [2008-04-30 423280]
R2 EMS;EMS; C:\WINDOWS\system32\EMSService.exe [2009-04-08 709992]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2008-07-16 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2008-07-16 54608]
R2 OracleMTSRecoveryService;OracleMTSRecoveryService; C:\oracle\ora10\bin\omtsreco.exe [2005-08-15 57616]
R2 radexecd;HP OVCM Notify Daemon; c:\PROGRA~1\Novadigm\radexecd.exe [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon; c:\PROGRA~1\Novadigm\radsched.exe [2009-06-05 172210]
R2 Radstgms;HP OVCM MSI Redirector; c:\PROGRA~1\Novadigm\Radstgms.exe [2009-02-17 315570]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\StacSV.exe [2007-02-19 90112]
R2 Tb2Launch;Tb2 Launch; C:\Program Files\Timbuktu Pro\tb2launch.exe [2006-10-24 126976]
S2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2009-10-25 153376]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S2 ThreatFire;ThreatFire; d:\Program Files\ThreatFire\TFService.exe service []
S2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-10-09 24064]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 ETDSVC;Entrust/TrueDelete™; C:\WINDOWS\system32\etdsvc.exe [2004-10-14 10240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-31 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-08-04 16680]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2psvc;Peer Networking; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 PD91Agent;PD91Agent; C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-12-31 693512]
S3 PD91Engine;PD91Engine; C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-12-31 910600]
S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S4 ELIService;Entrust Login Interface; C:\WINDOWS\etlisrv.exe [2004-03-25 28731]
S4 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-04-28 163908]
S4 PD9Engine;PD9Engine; C:\Program Files\Raxco\PerfectDiskRx\PD9Engine.exe [2007-06-18 689680]
S4 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

-----------------EOF-----------------

#14 schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:45 PM

Posted 27 October 2009 - 01:08 PM

Hi,

Step 1

Please run HijackThis, choose do a system scan only and place a check next to the following:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Close all open windows and click on fix checked.

Step 2

Please follow steps 1-3 behind this link to back up your registry with ERUNT (use current date while naming the location).

Please copy/paste the content of the codebox below into notepad and save it as fix.reg to your desktop. Be sure to set save as to "all files".

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\drivers\svchost.exe"=-

Double-click on the fix.reg and allow it to merge the info to the registry.

Please post back with a fresh RSIT-Logfile.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
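The entry this fix.reg removes is the `%windir%\system32\drivers\svchost.exe` exception that appears in the domain-profile authorizedapplications list of the log posted above: a Windows binary name registered from a directory it does not live in. That is one instance of a check a responder can script over the whole list. The following Python is an added example, not part of the thread, RSIT or HijackThis; it parses the authorizedapplications\list sections in RSIT's layout, flags core Windows binaries whose path is not their normal directory, and emits the same `"name"=-` removal lines. SAMPLE_LOG is constructed and EXPECTED_DIR is an illustrative subset.

```python
"""Flag Windows Firewall 'authorized application' exceptions whose file name
is a core Windows binary registered from outside its normal directory, using
the section layout RSIT prints, and emit the .reg lines that remove them.
Added example; SAMPLE_LOG is constructed, EXPECTED_DIR is illustrative."""
import re
from typing import Dict, List, Tuple

# Where each core binary lives on a 32-bit Windows XP install like the one in
# the thread (x64 systems would also need the SysWOW64 copies). Illustrative.
EXPECTED_DIR = {
    "svchost.exe": r"%windir%\system32",
    "lsass.exe": r"%windir%\system32",
    "winlogon.exe": r"%windir%\system32",
    "explorer.exe": r"%windir%",
}

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*$')


def normalise(path: str) -> str:
    """Lower-case a path and fold the spellings of the Windows directory seen
    in RSIT logs (C:\\WINDOWS, %SystemRoot%) onto %windir%."""
    p = path.strip().lower()
    for alias in (r"c:\windows", "%systemroot%"):
        if p.startswith(alias + "\\"):
            p = "%windir%" + p[len(alias):]
    return p


def parse_authorized_apps(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(value name, value data), ...]} for every
    ...\\authorizedapplications\\list key in the log text."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            is_fw = key.lower().endswith(r"\authorizedapplications\list")
            current = key if is_fw else None
            if current is not None:
                sections[current] = []
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def find_misplaced_system_binaries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (registry key, value name, reason) for each exception whose file
    name is in EXPECTED_DIR but whose directory differs. A core binary in its
    normal place (system32\\lsass.exe) is not flagged: the path mismatch is
    the signal, not the name alone."""
    findings = []
    for key, entries in parse_authorized_apps(log_text).items():
        for name, _data in entries:
            directory, _, base = normalise(name).rpartition("\\")
            expected = EXPECTED_DIR.get(base)
            if expected is not None and directory != expected.lower():
                reason = f"{base} belongs in {expected}, found in {directory}"
                findings.append((key, name, reason))
    return findings


def to_reg_removal(findings: List[Tuple[str, str, str]]) -> str:
    """Build a .reg file deleting the flagged values; in .reg syntax
    '"name"=-' removes a value, the form the helper used in the thread."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _reason in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


# Constructed sample in RSIT's layout, patterned on the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass.exe"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"""

if __name__ == "__main__":
    hits = find_misplaced_system_binaries(SAMPLE_LOG)
    for key, name, reason in hits:
        print(f"{reason}\n  in [{key}]")
    print(to_reg_removal(hits))
```

Run against a real RSIT log, the flagged entries still need a human look before anything is deleted; the script only surfaces path mismatches, it does not prove a file is malicious.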

#15 hartley

  • Topic Starter

  • Members
  • 14 posts
  • Local time:02:45 PM

Posted 27 October 2009 - 01:45 PM

Hello Tom,

Logfile of random's system information tool 1.06 (written by random/random)
Run by smansoor at 2009-10-27 13:42:46
Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (29%) free of 31 GB
Total RAM: 1022 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:02 PM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
c:\PROGRA~1\Novadigm\radexecd.exe
c:\PROGRA~1\Novadigm\radsched.exe
c:\PROGRA~1\Novadigm\Radstgms.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\smansoor\Desktop\RSIT.exe
C:\Documents and Settings\smansoor\Desktop\smansoor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - D:\Program Files\PRMT78\PRMTIE\prmtie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CMGShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RUNRADTRAY] c:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT78\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT78\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = lam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lam.slb.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = lam.slb.com
O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - c:\PROGRA~1\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - c:\PROGRA~1\Novadigm\Radstgms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThreatFire - Unknown owner - d:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13190 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2009-08-01 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78104A01-8E71-4F30-9A36-3793799615B4}]
ViewerHelper Class - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll [2005-01-27 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-07-16 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{FF284F5C-7CF9-4682-8701-D467C1DBB99F} - Translator - D:\Program Files\PRMT78\PRMTIE\prmtie.dll [2007-06-15 454656]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2009-08-01 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"=C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-07-16 111952]
"RUNRADTRAY"=c:\PROGRA~1\Novadigm\radtray.exe [2008-01-04 241844]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2008-11-10 136512]
"EXCEEDLOGS"=d:\Program Files\Schlumberger\MAXIS\16C0-147\bin\RemoveExceedLogs.exe [2007-09-11 20532]
"EmsService"=C:\WINDOWS\system32\EmsServiceHelper.exe [2009-04-08 1967464]
"Communicator"=C:\Program Files\Microsoft Office Communicator\communicator.exe [2008-12-16 5730144]
"Malwarebytes Anti-Malware (reboot)"=D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2009-10-25 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"=D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
c:\Program Files\Adobe\Distillr\Acrotray.exe [2009-08-01 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2007-10-09 2183168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmgShieldUI]
C:\WINDOWS\System32\CMGShieldUI.exe [2009-04-08 247144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskMonitor]
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe [2007-09-11 65583]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Connected Agent]
D:\Program Files\FTL\FTLAgent.Net.exe [2009-09-22 350024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Email Agent]
D:\Program Files\FTL\FTLAgent.exe [2008-07-31 194192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i-Handbook]
D:\Program Files\Schlumberger\i-Handbook.exe [2008-02-22 9688064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [2007-07-31 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
D:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-04-28 8429568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
nvHotkey.dll,Start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2007-04-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PerfectDiskRx]
C:\Program Files\Raxco\PerfectDiskRx\PerfectDiskRx.exe [2008-10-13 6030864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
C:\WINDOWS\stsystra.exe [2007-02-19 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
C:\Program Files\Timbuktu Pro\minitb2.exe [2006-10-24 1028096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-08-01 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
C:\PROGRA~1\Toshiba\BLUETO~1\TosBtMng.exe [2007-07-30 2158592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
C:\PROGRA~1\CONNEC~1\CBSYST~1.EXE [2008-02-27 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Log Printer Manager.lnk]
C:\PROGRA~1\COMMON~1\SCHLUM~2\LOGPRI~1.EXE [2007-09-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PD9Engine"=2
"PD91Engine"=3
"PD91Agent"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CMGShieldNP]
C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2009-08-04 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\slbScCertProp]
C:\WINDOWS\system32\ScCertProp.dll [2003-12-19 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Timbuktu Pro]
C:\Program Files\Timbuktu Pro\Hook32.dll [2006-10-24 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CMGShield]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=NOTICE TO ALL USERS
"legalnoticetext"=Use is restricted to Schlumberger authorized users who must comply with company policies, including but not limited to the Schlumberger Information Security User Standard. Usage is monitored, unauthorized use will be prosecuted. This system may not, under any circumstances, be taken into Cuba, Iran, North Korea, Sudan or Syria.
Refer to http://tradecompliance.slb.com for updates to the list of restricted countries and countries which, without prior authorization, prohibit the importation of encryption software present in this installation. These materials are licensed to or copyright © Schlumberger and/or its affiliates. All rights reserved. There may be a charge for the use or copying of these materials.
By accessing these materials you agree to pay any such fee and comply with all terms and conditions for their use.
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"HonorAutorunSetting"=1
"ForceStartMenuLogOff"=1
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutorunSetting"=
"NoDriveAutoRun"=
"NoDrives"=
"NoResolveSearch"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Novadigm\RadUIShell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc1.exe:*:Enabled:Bluetooth Information Exchanger"
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe"="C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ECCenter1.exe:*:Enabled:Bluetooth Settings"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Novadigm\ManagementAgent\nvdkit.exe"="C:\Novadigm\ManagementAgent\nvdkit.exe:*:enabled:Radia Management Agent"
"C:\Novadigm\IntegrationServer\nvdkit.exe"="C:\Novadigm\IntegrationServer\nvdkit.exe:*:enabled:Radia Integration Server"
"C:\Novadigm\MessagingServer\nvdkit.exe"="C:\Novadigm\MessagingServer\nvdkit.exe:*:enabled:Radia Messaging Server"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SecureClient"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\OpenSpirit\external\Jre\bin\java.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\java.exe:*:Enabled:java"
"C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe"="C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe:*:Enabled:Petrel 2005: Geological 3D Visualization and Modeling"
"C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe"="C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe:*:Enabled:Petrel 2004: Geological 3D Visualization and Modeling"
"C:\Program Files\FTL\FTL.exe"="C:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"C:\Program Files\FTL\FTLAgent.Net.exe"="C:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:SR_Service.exe"
"C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass.exe"
"C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:Enabled:eXceed 7.0"
"C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe:*:Enabled:eXceed 9.0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Novadigm\radexecd.exe"="C:\Program Files\Novadigm\radexecd.exe:*:enabled:Radia Notify Daemon"
"C:\Program Files\Novadigm\raduishell.exe"="C:\Program Files\Novadigm\raduishell.exe:*:enabled:Radia Software Manager"
"C:\Program Files\Novadigm\radtray.exe"="C:\Program Files\Novadigm\radtray.exe:*:enabled:Radia System Tray"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\Connected\COBackup.exe"="C:\Program Files\Connected\COBackup.exe:*:Enabled:Connected DataProtector"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"D:\Program Files\FTL\FTL.exe"="D:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"D:\Program Files\FTL\FTLAgent.Net.exe"="D:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass.exe"
"D:\ExceedNT\exceed.exe"="D:\ExceedNT\exceed.exe:*:Enabled:Exceed for Windows NT"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"D:\Program Files\QuoteTracker\stocks.exe"="D:\Program Files\QuoteTracker\stocks.exe:*:Enabled:QuoteTracker"
"D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe"="D:\Program Files\MBTrading\MBT Navigator\MbtNav.exe:*:Enabled:MbtNav.exe"
"D:\Program Files\VideoLAN\VLC\vlc.exe"="D:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\BIN\acq_machine.exe:*:Enabled:MAXIS© Application"
"D:\Program Files\FileZilla\FileZilla.exe"="D:\Program Files\FileZilla\FileZilla.exe:*:Enabled:FileZilla"
"D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe"="D:\Program Files\Schlumberger\MAXIS\16C0-147\PrimaryAPPKITS\bin\acq_machine.exe:*:Enabled:MAXIS© Application"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Novadigm\IntegrationServer\nvdkit.exe"="C:\Novadigm\IntegrationServer\nvdkit.exe:*:enabled:Radia Integration Server"
"C:\Novadigm\ManagementAgent\nvdkit.exe"="C:\Novadigm\ManagementAgent\nvdkit.exe:*:enabled:Radia Management Agent"
"C:\Novadigm\MessagingServer\nvdkit.exe"="C:\Novadigm\MessagingServer\nvdkit.exe:*:enabled:Radia Messaging Server"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SecureClient Application"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\OpenSpirit\external\Jre\bin\java.exe"="C:\Program Files\OpenSpirit\external\Jre\bin\java.exe:*:Enabled:java"
"C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe"="C:\Program Files\Schlumberger\Petrel 2005\Petrel 2005.exe:*:Enabled:Petrel 2005: Geological 3D Visualization and Modeling"
"C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe"="C:\Program Files\Schlumberger\Petrel 2004\Petrel 2004.exe:*:Enabled:Petrel 2004: Geological 3D Visualization and Modeling"
"C:\Program Files\FTL\FTL.exe"="C:\Program Files\FTL\FTL.exe:*:Enabled:FTL.exe"
"C:\Program Files\FTL\FTLAgent.Net.exe"="C:\Program Files\FTL\FTLAgent.Net.exe:*:Enabled:FTLAgent.Net.exe"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:SR_Service.exe"
"C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Neoteris\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:Enabled:eXceed 7.0"
"C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe"="C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\exceed.exe:*:Enabled:eXceed 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe"="C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Communicator"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"

======List of files/folders created in the last 1 months======

2009-10-27 00:53:19 ----D---- C:\WINDOWS\SoftwareDistribution
2009-10-26 18:01:20 ----A---- C:\ComboFix.txt
2009-10-26 17:58:41 ----D---- C:\WINDOWS\temp
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-25 21:07:15 ----A---- C:\WINDOWS\system32\java.exe
2009-10-25 14:21:13 ----D---- C:\Program Files\trend micro
2009-10-25 14:21:12 ----D---- C:\rsit
2009-10-24 19:06:38 ----A---- C:\log.txt
2009-10-24 18:56:11 ----A---- C:\WINDOWS\zip.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWSC.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\SWREG.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\sed.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\PEV.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\NIRCMD.exe
2009-10-24 18:56:11 ----A---- C:\WINDOWS\grep.exe
2009-10-24 18:54:35 ----D---- C:\Qoobox
2009-10-12 07:54:27 ----D---- C:\WINDOWS\ie8updates
2009-10-12 07:50:59 ----HDC---- C:\WINDOWS\ie8
2009-10-12 07:48:58 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-10-12 07:05:17 ----D---- C:\Documents and Settings\smansoor\Application Data\Mozilla
2009-10-01 15:23:59 ----RASHD---- C:\cmdcons
2009-10-01 15:23:24 ----D---- C:\WINDOWS\setupupd
2009-10-01 07:35:14 ----A---- C:\RootRepeal report 10-01-09 (07-35-14).txt
2009-09-30 14:57:45 ----D---- C:\ERDNT
2009-09-30 13:22:36 ----SHD---- C:\RECYCLER
2009-09-28 15:03:29 ----D---- C:\Documents and Settings\smansoor\Application Data\vlc
2009-09-28 13:49:02 ----D---- C:\Program Files\WinPcap
2009-09-28 13:48:43 ----D---- C:\Program Files\Sector69

======List of files/folders modified in the last 1 months======

2009-10-27 13:43:02 ----D---- C:\TEMP
2009-10-27 13:42:52 ----D---- C:\WINDOWS\Prefetch
2009-10-27 13:30:09 ----D---- C:\WINDOWS\ERDNT
2009-10-27 13:00:32 ----D---- C:\WINDOWS
2009-10-27 12:46:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-27 12:13:59 ----D---- C:\WINDOWS\Lhsp
2009-10-27 10:36:35 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-27 00:59:58 ----D---- C:\Program Files\Novadigm
2009-10-26 20:49:22 ----D---- C:\WINDOWS\security
2009-10-26 17:59:19 ----A---- C:\WINDOWS\system.ini
2009-10-26 17:56:15 ----D---- C:\WINDOWS\system32\drivers
2009-10-26 17:56:15 ----D---- C:\WINDOWS\system32
2009-10-26 17:56:15 ----D---- C:\WINDOWS\AppPatch
2009-10-26 17:56:11 ----D---- C:\Program Files\Common Files
2009-10-26 17:52:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-26 17:28:07 ----D---- C:\Program Files
2009-10-26 17:12:39 ----D---- C:\Program Files\Connected
2009-10-25 21:12:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-25 21:07:20 ----SHD---- C:\WINDOWS\Installer
2009-10-25 21:07:19 ----D---- C:\Config.Msi
2009-10-25 21:07:02 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-25 13:48:26 ----D---- C:\WINDOWS\system32\config
2009-10-25 12:43:05 ----D---- C:\Documents and Settings\All Users\Application Data\Credant
2009-10-24 18:15:11 ----HD---- C:\WINDOWS\inf
2009-10-18 12:05:18 ----A---- C:\WINDOWS\PDSView.INI
2009-10-17 13:27:17 ----SHD---- C:\WINDOWS\CSC
2009-10-17 08:56:10 ----D---- C:\Documents and Settings\smansoor\Application Data\IObit
2009-10-16 01:41:48 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-16 01:41:38 ----RSD---- C:\WINDOWS\assembly
2009-10-16 01:29:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-16 01:28:30 ----D---- C:\WINDOWS\WinSxS
2009-10-16 01:23:51 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-16 01:23:49 ----D---- C:\Program Files\Internet Explorer
2009-10-16 01:23:33 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-14 09:39:32 ----A---- C:\WINDOWS\welltest.INI
2009-10-13 07:22:46 ----D---- C:\WINDOWS\Debug
2009-10-12 08:04:27 ----D---- C:\WINDOWS\system32\en-US
2009-10-12 08:04:25 ----D---- C:\WINDOWS\Media
2009-10-12 08:04:25 ----D---- C:\WINDOWS\Help
2009-10-03 16:23:53 ----SHD---- C:\System Volume Information
2009-10-03 16:23:53 ----D---- C:\WINDOWS\system32\Restore
2009-10-01 20:29:21 ----D---- C:\WINDOWS\msapps
2009-10-01 20:29:21 ----D---- C:\Program Files\microsoft frontpage
2009-10-01 20:29:21 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-01 20:29:20 ----D---- C:\WINDOWS\system
2009-10-01 15:32:50 ----RASH---- C:\boot.ini
2009-10-01 15:23:59 ----A---- C:\WINDOWS\UPGRADE.TXT
2009-09-30 14:37:18 ----D---- C:\WINDOWS\system32\wbem
2009-09-30 13:39:57 ----AC---- C:\WINDOWS\ODBC.INI
2009-09-30 13:39:38 ----A---- C:\WINDOWS\win.ini
2009-09-30 13:31:00 ----SD---- C:\WINDOWS\Tasks
2009-09-30 12:49:41 ----RSD---- C:\WINDOWS\Fonts
2009-09-30 12:49:30 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-09-28 07:01:43 ----D---- C:\WINDOWS\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-07-16 52104]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_13073.SYS []
R1 Tb2Device;TB2 Remote Control Driver; C:\WINDOWS\NetopiaRC\Tb2Device.sys [2006-08-23 7244]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver; C:\WINDOWS\NetopiaRC\Tb2MirrorSys.sys [2006-08-23 15439]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 Tosrfcom;Bluetooth RFCOMM; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2007-05-24 64000]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter; C:\WINDOWS\system32\drivers\bcmwlnpf.sys [2007-10-09 33664]
R2 DefragFS;DefragFS; C:\WINDOWS\system32\drivers\DefragFS.sys [2008-08-28 71184]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 ETFSDNT;Entrust File System Hook; \??\C:\WINDOWS\system32\etfsdrv.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 vddidecr;Digital Delivery Decrypting Device; C:\WINDOWS\system32\drivers\vddidecr.sys [2005-08-18 109312]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-03-13 160256]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-10-09 1123328]
R3 catchme;catchme; \??\C:\Temp\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2008-04-30 23552]
R3 Egatebus;Egatebus; C:\WINDOWS\system32\drivers\egatebus.sys [2005-03-01 11264]
R3 Egaterdr;Egaterdr; C:\WINDOWS\system32\drivers\egaterdr.sys [2005-03-01 10752]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 guardian2;guardian2; C:\WINDOWS\System32\Drivers\oz776.sys [2007-02-23 56576]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-11-02 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-11-02 209152]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-07-16 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-07-16 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-07-16 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-07-16 174952]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-04-28 6727136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-02-19 1228296]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-10-18 38288]
R3 tosporte;Bluetooth COM Port; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2006-10-10 41600]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-14 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-11-02 730112]
S2 R72_NT4;R72_NT4; C:\WINDOWS\system32\drivers\R72_NT4.sys []
S2 R72V2NT4;R72V2NT4; C:\WINDOWS\system32\drivers\R72V2NT4.sys []
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-14 48128]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-14 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 CmgShieldNP;CmgShieldNP; C:\WINDOWS\system32\CmgShieldNP.dll [2009-04-08 161128]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-14 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 ptiusbf;PTI USB Filter; C:\WINDOWS\SYSTEM32\DRIVERS\PTIUSBF.SYS [2001-04-14 22474]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 tosrfbd;Bluetooth RFBUS; C:\WINDOWS\system32\DRIVERS\tosrfbd.sys [2007-04-24 113920]
S3 tosrfbnp;Bluetooth RFBNEP; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2006-11-20 36480]
S3 Tosrfhid;Bluetooth RFHID; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2007-03-01 73728]
S3 tosrfnds;Bluetooth Personal Area Network; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612]
S3 tosrfusb;Bluetooth USB Controller; C:\WINDOWS\system32\DRIVERS\tosrfusb.sys [2007-04-10 41856]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2005-05-13 28672]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgentSrv;Connected Agent Service; C:\Program Files\Connected\AgentSrv.EXE [2008-02-27 258048]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BESClient;BES Client; C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe [2009-01-22 2329672]
R2 CMGShield;CMG Shield; C:\WINDOWS\system32\CmgShieldSvc.exe [2009-04-08 2057576]
R2 dsNcService;Juniper Network Connect Service; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [2008-04-30 423280]
R2 EMS;EMS; C:\WINDOWS\system32\EMSService.exe [2009-04-08 709992]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2008-07-16 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2008-07-16 54608]
R2 OracleMTSRecoveryService;OracleMTSRecoveryService; C:\oracle\ora10\bin\omtsreco.exe [2005-08-15 57616]
R2 radexecd;HP OVCM Notify Daemon; c:\PROGRA~1\Novadigm\radexecd.exe [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon; c:\PROGRA~1\Novadigm\radsched.exe [2009-06-05 172210]
R2 Radstgms;HP OVCM MSI Redirector; c:\PROGRA~1\Novadigm\Radstgms.exe [2009-02-17 315570]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\StacSV.exe [2007-02-19 90112]
R2 Tb2Launch;Tb2 Launch; C:\Program Files\Timbuktu Pro\tb2launch.exe [2006-10-24 126976]
R3 PD91Agent;PD91Agent; C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-12-31 693512]
S2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2009-10-25 153376]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S2 ThreatFire;ThreatFire; d:\Program Files\ThreatFire\TFService.exe service []
S2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-10-09 24064]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 ETDSVC;Entrust/TrueDelete™; C:\WINDOWS\system32\etdsvc.exe [2004-10-14 10240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-31 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2009-08-04 16680]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2psvc;Peer Networking; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 PD91Engine;PD91Engine; C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-12-31 910600]
S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S4 ELIService;Entrust Login Interface; C:\WINDOWS\etlisrv.exe [2004-03-25 28731]
S4 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-04-28 163908]
S4 PD9Engine;PD9Engine; C:\Program Files\Raxco\PerfectDiskRx\PD9Engine.exe [2007-06-18 689680]
S4 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

-----------------EOF-----------------


Thank you
