Taskmgr, Regedt & some programs not opening...


This topic is locked
11 replies to this topic

#1 fpsa_ahmed

  • Members
  • 32 posts

Posted 25 October 2009 - 09:18 PM

Hi,

The computer that I'm having a problem with is a Windows XP SP3. I have MBAM already installed; I ran the quick scan and it came up with only 2 results, the Task Manager & Registry Disabled. I checked them and clicked fix, and it restarted the computer. Taskmgr still doesn't work. Some programs I need to open just hang. There are no popups or any signs of malware/spyware. I'm afraid this could be a rootkit. I have another computer on the network that is doing the same thing.

Any help is greatly appreciated. Below is a HJT log.

Thank You!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:49 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synergy\synergyc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {20160A23-973D-47A9-8807-ABB847FF0E53} - (no file)
O2 - BHO: (no name) - {9C963F92-02A1-4297-969F-BC1C8218EB45} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FCB5785A-66A7-434B-87D9-EEA867E1136F} - (no file)
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1247088908761
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://embla.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} (NewHCNetActiveX Control) - http://192.168.1.31/codebase/NewHCNetActiveX.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chestinstitute.local
O17 - HKLM\Software\..\Telephony: DomainName = chestinstitute.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chestinstitute.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chestinstitute.local
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Synergy Client - Unknown owner - C:\Program Files\Synergy\synergyc.exe

--
End of file - 4445 bytes

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/25/2009 11:11:52 PM
mbam-log-2009-10-25 (23-11-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198441
Time elapsed: 37 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Merged posts. ~ OB

Edited by Orange Blossom, 27 October 2009 - 08:16 PM.
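The two MBAM hits above (Hijack.Regedit, Hijack.TaskManager) and the HijackThis O7 line are the same finding seen from two tools: a per-user policy value under Policies\System that disables Task Manager and Regedit. Later in the thread the RSIT registry dump shows the same values plus a long list of Windows Firewall exceptions for executables in the user's Temp folder. The script below is an added example, not part of this thread and not the helper's own tooling: it parses HijackThis result lines and an RSIT registry-dump section and flags those patterns (policy restrictions, BHOs with no backing file, autorun entries and firewall exceptions pointing into Temp, and ActiveX downloads from a LAN address) so a responder can triage a posted log quickly. The `Finding` type, the function names and the regexes are mine; the sample lines are constructed and merely modeled on the log formats shown in this thread.

```python
"""Triage helper for HijackThis-style log lines and RSIT registry dumps.

Added example: flags the kinds of entries this thread turns on, namely
policy values that disable Task Manager / Regedit, orphaned BHOs, autorun
entries and firewall exceptions that point into a user's Temp folder, and
ActiveX (DPF) downloads served from a LAN address.
"""
import re
from collections import Counter
from dataclasses import dataclass

# A path segment inside a per-user Temp directory (8.3 form as RSIT prints it, or long form).
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# RFC 1918 ranges, for O16 DPF entries served from inside the LAN.
PRIVATE_IP_RE = re.compile(r"https?://(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
HJT_LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Matches both 'DisableRegedit=1' (HJT O7 body) and '"DisableTaskMgr"=1' (RSIT dump).
POLICY_VALUE_RE = re.compile(r'"?(Disable\w+)"?=(\d+)')


@dataclass(frozen=True)
class Finding:
    kind: str    # short category label
    detail: str  # the offending value or path


def triage_hjt(lines):
    """Return findings for a list of HijackThis result lines (R*/O* items)."""
    findings = []
    for raw in lines:
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O7":
            # O7 = Policies\System restrictions such as DisableRegedit=1
            for name, value in POLICY_VALUE_RE.findall(body):
                if value != "0":
                    findings.append(Finding("policy-restriction", f"{name}={value}"))
        elif section == "O2" and body.endswith("(no file)"):
            # BHO still registered but its DLL is gone: leftover of an earlier removal
            findings.append(Finding("orphaned-bho", body))
        elif section == "O4" and TEMP_RE.search(body):
            findings.append(Finding("autorun-from-temp", body))
        elif section == "O16" and PRIVATE_IP_RE.search(body):
            findings.append(Finding("dpf-from-lan", body))
    return findings


def triage_rsit(lines):
    """Return findings for an RSIT '======Registry dump======' section."""
    findings = []
    key = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            continue
        if not key or not line:
            continue
        if key.endswith(r"policies\system"):
            m = POLICY_VALUE_RE.match(line)
            if m and m.group(2) != "0":
                findings.append(Finding("policy-restriction", f"{m.group(1)}={m.group(2)}"))
        elif key.endswith(r"authorizedapplications\list") and TEMP_RE.search(line):
            # Windows Firewall exception granted to a binary living in Temp
            path = line.split("=", 1)[0].strip('"')
            findings.append(Finding("firewall-exception-temp", path))
    return findings


def count_by_kind(findings):
    """Summary: how many findings of each kind."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample input, modeled on the log formats posted in this thread.
SAMPLE_HJT = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r'O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"',
    r"O4 - HKCU\..\Run: [updater] C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe",  # constructed entry
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O16 - DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} (NewHCNetActiveX Control) - http://192.168.1.31/codebase/NewHCNetActiveX.cab",
]
SAMPLE_RSIT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe:*:Enabled:ipsec"
""".splitlines()

if __name__ == "__main__":
    all_findings = triage_hjt(SAMPLE_HJT) + triage_rsit(SAMPLE_RSIT)
    for f in all_findings:
        print(f"{f.kind:24} {f.detail}")
    print(count_by_kind(all_findings))
```

Only the policy and firewall sections of the dump are inspected; the msconfig `startupreg` entries that RSIT prints with an empty `[]` (file not found) are deliberately left alone, because plenty of legitimate but uninstalled software leaves the same residue and that list needs a human, not a regex.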



#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 November 2009 - 05:14 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Then please post back here with the following:
  • log.txt
  • info.txt

Thanks



#3 fpsa_ahmed

  • Topic Starter
  • Members
  • 32 posts

Posted 02 November 2009 - 11:22 AM

Logfile of random's system information tool 1.06 (written by random/random)
Run by administrator at 2009-11-02 11:18:57
Microsoft Windows XP Professional Service Pack 2
System drive C: has 9 GB (16%) free of 57 GB
Total RAM: 1279 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:06 AM, on 11/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe
C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcaed66.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator.FLSA\Desktop\RSIT.exe
C:\Program Files\trend micro\administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237686811164
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {B4CEAEA2-2B51-494C-9CF9-64CD6B131565} (AddPic Control) - https://enjazit.com.sa/AddPicProj3.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://e-mds.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} (Ter Control) - https://netaccess.leememorial.org/NTAPSMS-N...TM/webPrint.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chestinstitute.local
O17 - HKLM\Software\..\Telephony: DomainName = chestinstitute.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C580FF-212C-48B9-9408-B6BA88F606E4}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chestinstitute.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chestinstitute.local
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe

--
End of file - 4552 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2007-04-17 63048]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-07-07 576320]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2006-07-07 600896]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
C:\WINDOWS\v1201.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
C:\WINDOWS\system32\cvn0.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
C:\Program Files\Athan\Athan.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
C:\WINDOWS\SYSTEM32\nwinlpez.exe [2006-07-26 159881]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
C:\Program Files\KMaestro\KMaestro.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2]
C:\Program Files\System Files\System.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
c:\\dfndrff_11a.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
C:\WINDOWS\MMKeybd.exe [2001-09-05 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe [2002-08-14 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fmsgmmbA]
C:\WINDOWS\fmsgmmbA.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fuaig]
C:\WINDOWS\system32\jgppfb.exe reg_run []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gdxticrfj]
c:\windows\system32\gdxticrfj.exe -start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Network Registry Agent]
C:\WINDOWS\System32\hpnra.exe [2000-10-26 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2005-02-27 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
EGDACCESS_1074.dll,InstantAccess []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\ipwins\ipwins.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ixtgey]
C:\WINDOWS\system32\jgppfb.exe reg_run []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvmfpebA]
C:\WINDOWS\jvmfpebA.exe [1989-12-12 1275280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jxie983c]
w19945a9.dll,n 001e983b0000000319945a9 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
c:\\kybrdff_11a.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MailSkinner]
c:\program files\mailskinner\mailskinner.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0416070-577]
C:\WINDOWS\ms0416070-577.exe [2006-08-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE [2004-10-13 1841664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
C:\DOCUME~1\Lab\MYDOCU~1\ECURIT~1\rundll.exe -vt ndrv []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
C:\\nwnmff_8.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\System32\NvCpl.dll [2003-10-06 5058560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2005-02-27 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPScheduler]
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe [2005-02-27 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSLister]
C:\Program Files\PSLister\PSLister.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\requester]
C:\WINDOWS\System32\requester.11.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rxncyoq]
c:\windows\system32\rxncyoq.exe -start []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [2005-03-04 176239]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
C:\Program Files\SurfSideKick 3\Ssk.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Szmbcsi]
C:\Program Files\Fgxerz\Ntcrvsn.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
C:\WINDOWS\SYSC00.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxi]
C:\PROGRA~1\YMANTE~1\MIEXEC~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w24f7e2e.dll]
w24f7e2e.dll,I2 001e983b024f7e2e []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Watchdog]
C:\PROGRA~1\WINNOV~1\Watchdog []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320770-577160]
C:\WINDOWS\win320770-577160.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3209-57716070]
C:\WINDOWS\win3209-57716070.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winnov Menu]
C:\Program Files\Winnov Videum NT\WnvMenu.Exe [2002-03-06 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winnov Remote]
C:\Program Files\Winnov Videum NT\WnvRsvr.Exe [2002-03-06 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winnov Status]
C:\Program Files\Winnov Videum NT\WvStatus.Exe [2002-03-06 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync]
C:\WINDOWS\system32\kypcyr.exe reg_run []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrru]
C:\PROGRA~1\COMMON~1\wrru\wrrum.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\PROGRA~1\DIGITA~1\DLG.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office10\OSA.EXE [2001-02-13 222624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandt Manager.lnk]
C:\REMBRA~1\REMBRA~1\REMBRA~2.EXE [2008-05-07 2039808]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandtManager.lnk]
C:\WINDOWS\Installer\{C267273C-8F10-4E92-8501-FA259098C719}\IconB7FAE9794.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TUWinStylerThemeSvc"=3
"NMSSvc"=3
"Nhksrv"=2
"MDM"=2
"Creative Service for CDROM Access"=2
"Adobe LM Service"=3
"MCVSRte"=2
"mcupdmgr.exe"=3
"McTskshd.exe"=2
"McDetect.exe"=2
"McShield"=3
"Windows Overlay Components"=2
"Network Monitor"=2
"cmdService"=2
"WinVNC4"=2
"idsvc"=3
"Wnvirq32Service"=3
"ImapService"=2
"aspnet_state"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2007-05-25 63040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=
"NoWelcomeScreen"=
"NoDriveAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE"="C:\Program Files\Microsoft Office\Office10\EXCEL.EXE:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\w5a04afb2.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\w5a04afb2.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winyvaq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winyvaq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkmqdw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkmqdw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrijrn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrijrn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dkood.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dkood.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvkblqd.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvkblqd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlxccsn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlxccsn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winfcgaip.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winfcgaip.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkywfc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkywfc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrpmko.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrpmko.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqvrn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqvrn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wineykg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wineykg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winwusehm.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winwusehm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winduobm.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winduobm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\npjco.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\npjco.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqnsref.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqnsref.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tdhn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tdhn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gehhv.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gehhv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hpcrf.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hpcrf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhnodsw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhnodsw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qwei.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qwei.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\uxyh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\uxyh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\awkym.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\awkym.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jqwbc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jqwbc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winljxv.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winljxv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvnc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvnc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsqkv.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsqkv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\sllfm.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\sllfm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kcod.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kcod.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvbehs.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvbehs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\aavtop.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\aavtop.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlsqlnl.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlsqlnl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winesfytc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winesfytc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winanlbg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winanlbg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhmyjhy.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhmyjhy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\osdw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\osdw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winumox.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winumox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dhltxp.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dhltxp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjyuqqa.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjyuqqa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dvuerx.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dvuerx.exe:*:Enabled:ipsec"
"\\SERVER\Clients\Setup\setup.exe"="\\SERVER\Clients\Setup\setup.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\applnch.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\applnch.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wjouxi.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wjouxi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wrxs.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wrxs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcfb43d.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcfb43d.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\mpgec.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\mpgec.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqby.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqby.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvox.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbfsh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbfsh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hybi.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hybi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wincxpx.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wincxpx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ejqil.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ejqil.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\nnlg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\nnlg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winepgk.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winepgk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\fadpgh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\fadpgh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ronmwd.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ronmwd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\cbkl.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\cbkl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gusyj.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gusyj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wbf61753.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wbf61753.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tqyr.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tqyr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winekwky.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winekwky.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jkhq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jkhq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcaed66.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcaed66.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkyyftg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkyyftg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpinxf.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpinxf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xcap.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xcap.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windyfvej.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windyfvej.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xogl.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xogl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrjike.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrjike.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vhtptx.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vhtptx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\yehlc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\yehlc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsurnec.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsurnec.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winctot.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winctot.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wpaq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wpaq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\iinr.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\iinr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qagwik.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qagwik.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\bqjciy.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\bqjciy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ahhyvt.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ahhyvt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xjlov.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xjlov.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kgelvu.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kgelvu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbmhqxg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbmhqxg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vdhqg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vdhqg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winmbhry.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winmbhry.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpkaw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpkaw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqbpf.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqbpf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ylby.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ylby.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkbrq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkbrq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbstims.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbstims.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winypflq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winypflq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winheohjp.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winheohjp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winuhgb.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winuhgb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hmrdw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hmrdw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winghjhe.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winghjhe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsdwupy.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsdwupy.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Synergy\synergys.exe"="C:\Program Files\Synergy\synergys.exe:*:Enabled:synergys"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:iexplore"

======List of files/folders created in the last 1 months======

2009-11-02 11:18:57 ----D---- C:\rsit
2009-11-02 11:18:57 ----D---- C:\Program Files\trend micro

======List of files/folders modified in the last 1 months======

2009-11-02 11:19:02 ----D---- C:\WINDOWS\Prefetch
2009-11-02 11:18:57 ----AD---- C:\Program Files
2009-11-02 11:17:17 ----A---- C:\WINDOWS\iltwain.ini
2009-11-01 21:19:48 ----D---- C:\WINDOWS\SECURITY
2009-11-01 17:55:42 ----D---- C:\Program Files\LogMeIn
2009-11-01 08:00:13 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-11-01 07:59:47 ----D---- C:\Program Files\Windows NT
2009-11-01 07:59:15 ----D---- C:\Program Files\Windows Media Player
2009-11-01 07:39:05 ----D---- C:\Program Files\Outlook Express
2009-11-01 06:55:40 ----D---- C:\Program Files\Internet Explorer
2009-11-01 01:38:36 ----D---- C:\Program Files\Intuit
2009-10-31 21:43:36 ----D---- C:\Program Files\NetMeeting
2009-10-31 20:36:12 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-30 19:36:20 ----D---- C:\WINDOWS\temp
2009-10-30 19:34:59 ----D---- C:\WINDOWS\system32\DRIVERS
2009-10-30 10:24:09 ----D---- C:\Program Files\PROFOX OXIMETRY
2009-10-30 10:22:47 ----D---- C:\WINDOWS
2009-10-29 12:49:40 ----A---- C:\WINDOWS\ilan_txt.ini
2009-10-27 11:17:55 ----D---- C:\temp
2009-10-27 09:37:29 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-27 09:37:20 ----RASH---- C:\BOOT.INI
2009-10-27 09:37:20 ----A---- C:\WINDOWS\WIN.INI
2009-10-27 09:37:20 ----A---- C:\WINDOWS\system.ini
2009-10-27 09:37:15 ----D---- C:\WINDOWS\pss
2009-10-27 08:41:32 ----D---- C:\WINDOWS\SYSTEM32
2009-10-27 08:41:32 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-17 00:15:53 ----D---- C:\Program Files\Movie Maker
2009-10-13 08:42:49 ----SD---- C:\WINDOWS\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-07-19 17153]
R1 Winnov32;Winnov32; C:\WINDOWS\system32\DRIVERS\Winnov32.sys [2002-03-06 528719]
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2004-05-17 41984]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2002-09-26 76288]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 SpeakerPhone;SpeakerPhone; C:\WINDOWS\System32\DRIVERS\HSF_SPKP.sys [2001-08-17 73279]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\iiikdi.sys []
R3 DspPdo;PDO Driver; C:\WINDOWS\system32\DRIVERS\DspPdo.sys [2003-03-06 10310]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-04-30 139776]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 LMImirr;LMImirr; C:\WINDOWS\system32\DRIVERS\LMImirr.sys [2007-04-17 10144]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB); C:\WINDOWS\System32\Drivers\MCSPRKB.sys [2008-05-07 47337]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Msikbd2k;DellTouch; C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-06-30 21760]
R3 PORTI;Porti Driver; C:\WINDOWS\system32\DRIVERS\PORTI.SYS [2003-03-06 19190]
R3 SNTNLUSB;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2002-09-26 26120]
R3 USA19H;USA19H; C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 727908]
R3 USA19H2KP;Keyspan USB Serial Port Driver; C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 44928]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 USBFIB;Fiber to USB Driver; C:\WINDOWS\system32\DRIVERS\usbfib.sys [2003-03-06 17790]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 WnvCOM;WnvCOM; C:\WINDOWS\system32\DRIVERS\WnvCOM.sys [2002-03-06 21536]
R3 WnvKAud;Winnov Kernel Audio; C:\WINDOWS\system32\DRIVERS\WnvKAud.sys [2002-03-06 107232]
R3 WnvKVid;Winnov Kernel Video; C:\WINDOWS\system32\DRIVERS\WnvKVid.sys [2002-03-06 245480]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-03 42496]
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
S3 cyzport;Cyclades-Z Port Driver; C:\WINDOWS\System32\DRIVERS\cyzport.sys [2001-08-17 49792]
S3 DIGIRPS;Digi PortServer Driver; C:\WINDOWS\System32\DRIVERS\digirlpt.sys [2001-08-17 42432]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2002-06-30 1172416]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2002-06-30 167155]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD); C:\WINDOWS\System32\Drivers\MCSPRBD.sys [2008-05-07 92457]
S3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB); C:\WINDOWS\System32\Drivers\MCSPRIB.sys [2008-05-07 47881]
S3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB); C:\WINDOWS\System32\Drivers\MCSPRJB.sys [2008-05-07 47113]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NMSCFG;NIC Management Service Configuration Driver; \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS []
S3 OM518P;VGA USB Camera (2120); C:\WINDOWS\System32\Drivers\om518vid.sys [2003-06-01 185256]
S3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
S3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2002-06-30 594832]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2004-08-03 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2004-08-03 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2004-08-03 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2007-05-25 112200]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-04-17 63040]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 Synergy Server;Synergy Server; C:\Program Files\Synergy\synergys.exe [2006-04-02 733184]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-09-25 217088]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S4 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S4 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S4 ImapService;ImapService; C:\WINDOWS\svchost.exe []
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 417792]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
S4 Nhksrv;Netropa NHK Server; C:\WINDOWS\Nhksrv.exe [2001-08-06 28672]
S4 NMSSvc;Intel® NMS; C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 1118208]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2003-10-06 81920]
S4 Wnvirq32Service;wnvirq32 Service; C:\WINDOWS\system32\wnvirq32.exe [2002-03-06 137216]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-11-02 11:20:10

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{59973D03-28D0-43C7-A9C1-189093EBEDD4}
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Conexant HSF V92 56K RTAD Speakerphone PCI Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\HXFSETUP.EXE -U -IVEN_14F1&DEV_2016&SUBSYS_021913E0
DVDSentry-->MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
e-MDs Solution Series-->C:\Program Files\InstallShield Installation Information\{FF934B36-183E-4C38-AD0C-A678B6E4EC94}\setup.exe -runfromtemp -l0x0009 -removeonly
e-MDs Support Libraries-->MsiExec.exe /I{F5D1366F-9ABE-40B7-8FFC-FB261092B6F8}
GPL Ghostscript 8.15-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.15\uninstal.txt"
GPL Ghostscript Fonts-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Intel® PRO Ethernet Adapter and Software-->Prounstl.exe
Intel® PROSet II-->MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Internet Explorer Q903235-->C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java 2 Runtime Environment Standard Edition v1.3.1_09-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70F80C1E-5F26-11D7-88D1-0050DA21757E}\Setup.exe" -uninst
KeyMaestro Input Device Driver V2.6.4-73AU-->C:\WINDOWS\system32\KmRemove.exe
Keyspan USB Serial Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E97DE76-851A-48AA-A0D6-665860FAD9CA}\Setup.exe" -l0x9
LogMeIn-->MsiExec.exe /I{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework (English) v1.0.3705-->C:\WINDOWS\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework (English)-->MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft XML Parser-->MsiExec.exe /I{2A0E6C1F-0304-4A34-979F-6C3983E1B2DA}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
NVIDIA Display Driver-->C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
Palm Desktop-->MsiExec.exe /X{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}
PROFOX Oximetry-->MsiExec.exe /X{3BC2DF06-3D28-11D4-8A7C-004854672976}
QuickBooks Pro Edition 2003-->C:\Program Files\Installshield Installation Information\{237a4b22-78c2-11d6-a394-00104bd190b1}\QBReplace.exe {237a4b22-78c2-11d6-a394-00104bd190b1}#{AD46C591-FB19-11D5-A316-00104BD190B1}
RedMon - Redirection Port Monitor-->C:\WINDOWS\system32\unredmon.exe
REMbrandt 9.0-->MsiExec.exe /I{EA2EEC64-6C5C-4EE5-A79D-D524CCAE73FA}
ScanSoft PaperPort 10.0-->MsiExec.exe /I{FEC56D56-5E4A-4AE0-94E6-823193E62E9A}
ScanSoft PDF Create 2.0-->MsiExec.exe /I{6870FD05-9324-4E8A-90EB-6DBDAC29B74F}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Sentinel System Driver 5.41.0 (32-bit)-->MsiExec.exe /I{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}
Smartcard Reader Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03B41AD8-962D-40F6-8E8E-6C2008A3623E}\setup.exe" -l0x9 -removeonly
Synergy-->"C:\Program Files\Synergy\uninstall.exe"
Unknown Device Identifier 6.01-->"C:\Program Files\Unknown Device Identifier\unins000.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
WebEx-->C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
Winnov Videum-->"C:\Program Files\Winnov Videum NT\WvUninst" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Winnov Videum NT\DeIsL1.isu"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: McAfee VirusScan Professional

======System event log======

Computer Name: SLEEP01
Event Code: 20
Message: Printer Driver HP Color LaserJet 4600 PCL6 for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, hpzpi5in.DLL, hpc46016.GPD, UNIDRV.HLP, hplj4600.CFG, hpc46006.XML, hpzsc5in.DTD, hpc4600c.INI, hpzui5in.DLL, hpzpe5in.DLL, hpz6r5in.DLL, hpcdmc32.DLL, hpbcfgre.DLL, HPBMIAPI.DLL, HPBOID.DLL, HPBOIDPS.DLL, HPBPRO.DLL, HPBPROPS.DLL, HPZIPM12.DLL, HPZINW12.DLL, HPZIPT12.DLL, HPZIPR12.DLL, HPZISN12.DLL, HPZIDR12.DLL, HPNRA.EXE, HPBNRAC2.DLL, HPBMINI.DLL, hpceac06.hpi, HPJCMN2U.DLL, HPJIPX1U.DLL, hpz6m5in.GPD, hpzsm5in.GPD, hpzst5in.DLL, hpz3c5in.dll, hpzur5in.dll, hpzev5in.DLL, pclxl.DLL, pjl.GPD, pclxl.GPD, HPZHL5in.CAB, STDNAMES.GPD, HPFIE5in.DLL, hpzls5in.DLL, hpzss5in.DLL, hpzpnp.dll, UNIRES.DLL, UNIDRVUI.DLL.

Record Number: 29474
Source Name: Print
Time Written: 20090814110057.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SLEEP01
Event Code: 20
Message: Printer Driver HP Color LaserJet 4600 PCL6 for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, hpzpi5in.DLL, hpc46016.GPD, UNIDRV.HLP, hplj4600.CFG, hpc46006.XML, hpzsc5in.DTD, hpc4600c.INI, hpzui5in.DLL, hpzpe5in.DLL, hpz6r5in.DLL, hpcdmc32.DLL, hpbcfgre.DLL, HPBMIAPI.DLL, HPBOID.DLL, HPBOIDPS.DLL, HPBPRO.DLL, HPBPROPS.DLL, HPZIPM12.DLL, HPZINW12.DLL, HPZIPT12.DLL, HPZIPR12.DLL, HPZISN12.DLL, HPZIDR12.DLL, HPNRA.EXE, HPBNRAC2.DLL, HPBMINI.DLL, hpceac06.hpi, HPJCMN2U.DLL, HPJIPX1U.DLL, hpz6m5in.GPD, hpzsm5in.GPD, hpzst5in.DLL, hpz3c5in.dll, hpzur5in.dll, hpzev5in.DLL, pclxl.DLL, pjl.GPD, pclxl.GPD, HPZHL5in.CAB, STDNAMES.GPD, HPFIE5in.DLL, hpzls5in.DLL, hpzss5in.DLL, hpzpnp.dll, UNIRES.DLL, UNIDRVUI.DLL.

Record Number: 29468
Source Name: Print
Time Written: 20090814091036.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SLEEP01
Event Code: 20
Message: Printer Driver Brother HL-2170W series for Windows NT x86 Version-3 was added or updated. Files:- BROHL07A.DLL, BRUHL07A.DLL, BH2170W.PDD, BROHL07A.CHM, BH2170W.INI, BH2170W.DAT, BW2170W.INI, BE2170W.DAT, BRLHL07A.DLL, BRSP107A.DLL, BRSP207A.DLL, BRQIKMON.EXE, BRQIKMON.CHM, BRMD05A.EXE, BRB1L07A.DLL, BRB2L07A.DLL, BRB3L07A.DLL.

Record Number: 29467
Source Name: Print
Time Written: 20090814091035.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SLEEP01
Event Code: 20
Message: Printer Driver Ricoh Aficio 200/250 PCL for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, RIAF250.GPD, UNIDRV.HLP, RICOHRES.DLL, TTFSUB.GPD, UNIRES.DLL, STDNAMES.GPD.

Record Number: 29466
Source Name: Print
Time Written: 20090814091035.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SLEEP01
Event Code: 20
Message: Printer Driver TPS APW Fax Printer for Windows NT x86 Version-2 was added or updated. Files:- RASDD.DLL, RASDDUI.DLL, APFPDENT.DLL.

Record Number: 29320
Source Name: Print
Time Written: 20090813184228.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: SLEEP01
Event Code: 1053
Message: Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.

Record Number: 18329
Source Name: Userenv
Time Written: 20080617173617.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SLEEP01
Event Code: 1053
Message: Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.

Record Number: 18308
Source Name: Userenv
Time Written: 20080603112910.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SLEEP01
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: WindowsFormsIntegration, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 18305
Source Name: .NET Runtime Optimization Service
Time Written: 20080603022535.000000-300
Event Type:
User:

Computer Name: SLEEP01
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: UIAutomationClient, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 18303
Source Name: .NET Runtime Optimization Service
Time Written: 20080603022534.000000-300
Event Type:
User:

Computer Name: SLEEP01
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: UIAutomationClientsideProviders, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 18301
Source Name: .NET Runtime Optimization Service
Time Written: 20080603022534.000000-300
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\PROGRA~1\e-MDs\SOLUTI~1\Apps
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:26 AM

Posted 02 November 2009 - 08:24 PM

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Services
    LMIRfsClientNP
    ImapService
    abp470n5
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fmsgmmbA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fuaig]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gdxticrfj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ixtgey]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvmfpebA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jxie983c]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MailSkinner]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0416070-577]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSLister]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\requester]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rxncyoq]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Szmbcsi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w24f7e2e.dll]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Watchdog]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320770-577160]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3209-57716070]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrru]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Windows Overlay Components"=-
    "Network Monitor"=-
    "cmdService"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    ""=-
    "NoWelcomeScreen"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "\\SERVER\Clients\Setup\setup.exe"="\\SERVER\Clients\Setup\setup.exe:*:Enabled:ipsec"
    :Files
    C:\WINDOWS\SYSTEM32\nwinlpez.exe
    C:\WINDOWS\jvmfpebA.exe
    C:\WINDOWS\ms0416070-577.exe
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Then

Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\DRIVERS\DspPdo.sys

Please post back with the link to the scan results, in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Please post back here with the following logs:
  • OTM results
  • MBAM log
  • Jotti\VT link
  • New Rsit log
Thanks


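The OTM script in the post above mixes four kinds of change (service removal, registry key and value edits, file quarantine, and cleanup commands) in one block, and the result log that follows shows how each line was interpreted. The following parser is an added example for this thread, not code from OTM or from the post; it turns such a script into a list of actions a reviewer can read before the fix is run, and it pulls out the Policies values the script deletes, since those are the Task Manager and Registry Editor lockdowns this thread is about. The grammar it implements (section headers, `[-Key]` deletes a key, `[Key]` selects a key, `"Name"=-` deletes a value, `"Name"="data"` sets a string value, one path or service name per line) is an assumption inferred from the script and its result log, and the sample script is a constructed excerpt modelled on the post, not the full script.

```python
"""Parse an OTM fix script into a reviewable list of actions.

Added example for this thread; it is not part of OTM or of the forum post.
The grammar below is an assumption inferred from the posted script and the
result log that followed it:
  :Services  one service/driver name per line (stopped and deleted)
  :Reg       .reg-style lines: [-Key] deletes a key, [Key] selects a key for
             the value lines that follow, "Name"=- deletes a value,
             "Name"="data" sets a string value
  :Files     one path per line (moved to OTM's quarantine folder)
  :Commands  bracketed commands such as [EmptyTemp]
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str        # delete_service | delete_key | delete_value | set_value | move_file | command
    target: str      # service name, registry key, file path or command name
    name: str = ""   # registry value name (empty string = the key's default value)
    data: str = ""   # data for set_value


_VALUE_LINE = re.compile(r'^"(.*?)"=(.*)$')


def parse_otm_script(text: str) -> list[Action]:
    """Turn the script text into Actions; raises ValueError on malformed lines."""
    actions: list[Action] = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                  # section header, e.g. :Reg
            section = line[1:].lower()
            current_key = None
            continue
        if section == "services":
            actions.append(Action("delete_service", line))
        elif section == "reg":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(Action("delete_key", line[2:-1]))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]          # following value lines apply to this key
            else:
                m = _VALUE_LINE.match(line)
                if m is None or current_key is None:
                    raise ValueError(f"line {lineno}: value line without a key: {line!r}")
                name, rhs = m.group(1), m.group(2)
                if rhs == "-":
                    actions.append(Action("delete_value", current_key, name))
                elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
                    actions.append(Action("set_value", current_key, name, rhs[1:-1]))
                else:
                    raise ValueError(f"line {lineno}: unsupported value syntax: {line!r}")
        elif section == "files":
            actions.append(Action("move_file", line))
        elif section == "commands":
            if not (line.startswith("[") and line.endswith("]")):
                raise ValueError(f"line {lineno}: command must be bracketed: {line!r}")
            actions.append(Action("command", line[1:-1]))
        else:
            raise ValueError(f"line {lineno}: text outside a known section: {line!r}")
    return actions


def summarize(actions: list[Action]) -> dict[str, int]:
    """Count actions by kind, so a reviewer sees the shape of the fix at a glance."""
    return dict(Counter(a.kind for a in actions))


def policy_values_removed(actions: list[Action]) -> list[tuple[str, str]]:
    """(key, value name) pairs the script deletes under a ...\\Policies\\... key.

    These are the lockdown settings this thread is about (DisableTaskMgr,
    DisableRegistryTools): deleting them restores the tools the malware
    disabled, so they deserve a second look before the script is run.
    """
    return [(a.target, a.name) for a in actions
            if a.kind == "delete_value" and "\\policies\\" in a.target.lower()]


# Constructed excerpt modelled on the script in the post above (not the full script).
SAMPLE_SCRIPT = r"""
:Services
abp470n5
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvmfpebA]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
:Files
C:\WINDOWS\jvmfpebA.exe
:Commands
[EmptyTemp]
"""

if __name__ == "__main__":
    plan = parse_otm_script(SAMPLE_SCRIPT)
    for a in plan:
        extra = f"  [{a.name!r}]" if a.kind in ("delete_value", "set_value") else ""
        print(f"{a.kind:15} {a.target}{extra}")
    print(summarize(plan))
    print(policy_values_removed(plan))
```

Run it as a script to print the plan for the sample, or call `parse_otm_script` on a script pasted from a reply; a `ValueError` points at the first line the grammar does not recognise, which is exactly the line to check before handing the script to the tool.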

#5 fpsa_ahmed

fpsa_ahmed
  • Topic Starter

  • Members
  • 32 posts
  • Local time:05:26 AM

Posted 03 November 2009 - 12:21 PM

Hey Syler,

Thank you for your help. I really appreciate your help. I posted all the logs you need below except for the link for the online virus scan; both websites would not open... I wanted to let you know that almost all the computers on the network have the same symptoms, they are about 9 computers. It doesn't seem that they have any kind of AV or Anti-Malware/Spyware. If you can help me get these computers in shape I would really appreciate it!

Let me know if you need anything else from the current computer...
Thank you!!




All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver LMIRfsClientNP deleted successfully.

Service\Driver ImapService deleted successfully.

Service\Driver abp470n5 deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fmsgmmbA\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fuaig\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gdxticrfj\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ixtgey\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvmfpebA\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jxie983c\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MailSkinner\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0416070-577\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSLister\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\requester\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rxncyoq\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Szmbcsi\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxi\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w24f7e2e.dll\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Watchdog\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320770-577160\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3209-57716070\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrru\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\Windows Overlay Components deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\Network Monitor deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\cmdService deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\EnableLUA deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\\NoWelcomeScreen deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\"%windir%\system32\sessmgr.exe"|"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\"\\SERVER\Clients\Setup\setup.exe"|"\\SERVER\Clients\Setup\setup.exe:*:Enabled:ipsec" /E : value set successfully!
========== FILES ==========
C:\WINDOWS\SYSTEM32\nwinlpez.exe moved successfully.
C:\WINDOWS\jvmfpebA.exe moved successfully.
C:\WINDOWS\ms0416070-577.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Administrator.CHESTINSTITUTE
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 957285 bytes

User: Administrator.FLSA
->Temp folder emptied: 135748747 bytes
->Temporary Internet Files folder emptied: 123813454 bytes
->Java cache emptied: 65387 bytes

User: Ahmed
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: ahmedelgendy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: halmoumani
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: jeff
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Lab
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 147590 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 19528 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_10fc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 56472 bytes
RecycleBin emptied: 1181101187 bytes

Total Files Cleaned = 1375.22 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11032009_112718

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_10fc.dat not found!

Registry entries deleted on Reboot...

==========================================================================

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/3/2009 11:55:06 AM
mbam-log-2009-11-03 (11-55-06).txt

Scan type: Quick Scan
Objects scanned: 147382
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


=========================================================================

Logfile of random's system information tool 1.06 (written by random/random)
Run by administrator at 2009-11-03 12:18:34
Microsoft Windows XP Professional Service Pack 2
System drive C: has 10 GB (18%) free of 57 GB
Total RAM: 1279 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:40 PM, on 11/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\internet explorer\iexplore.exe
\Server\florida lung & sleep associates\IT\Tools\RSIT.exe
C:\Program Files\trend micro\administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237686811164
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {B4CEAEA2-2B51-494C-9CF9-64CD6B131565} (AddPic Control) - https://enjazit.com.sa/AddPicProj3.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://e-mds.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} (Ter Control) - https://netaccess.leememorial.org/NTAPSMS-N...TM/webPrint.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chestinstitute.local
O17 - HKLM\Software\..\Telephony: DomainName = chestinstitute.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C580FF-212C-48B9-9408-B6BA88F606E4}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chestinstitute.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chestinstitute.local
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe

--
End of file - 4650 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2007-04-17 136776]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-07-07 645952]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2006-07-07 678720]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1385808]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
c:\\dfndrff_11a.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
C:\WINDOWS\MMKeybd.exe [2001-09-05 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe [2002-08-14 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Network Registry Agent]
C:\WINDOWS\System32\hpnra.exe [2000-10-26 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2005-02-27 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE [2004-10-13 1841664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\System32\NvCpl.dll [2003-10-06 5058560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2005-02-27 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPScheduler]
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe [2005-02-27 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [2005-03-04 176239]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winnov Menu]
C:\Program Files\Winnov Videum NT\WnvMenu.Exe [2002-03-06 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winnov Remote]
C:\Program Files\Winnov Videum NT\WnvRsvr.Exe [2002-03-06 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winnov Status]
C:\Program Files\Winnov Videum NT\WvStatus.Exe [2002-03-06 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office10\OSA.EXE [2001-02-13 222624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandt Manager.lnk]
C:\REMBRA~1\REMBRA~1\REMBRA~2.EXE [2008-05-07 2039808]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandtManager.lnk]
C:\WINDOWS\Installer\{C267273C-8F10-4E92-8501-FA259098C719}\IconB7FAE9794.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TUWinStylerThemeSvc"=3
"NMSSvc"=3
"Nhksrv"=2
"MDM"=2
"Creative Service for CDROM Access"=2
"Adobe LM Service"=3
"MCVSRte"=2
"mcupdmgr.exe"=3
"McTskshd.exe"=2
"McDetect.exe"=2
"McShield"=3
"WinVNC4"=2
"idsvc"=3
"Wnvirq32Service"=3
"ImapService"=2
"aspnet_state"=3

C:\Documents and Settings\Administrator.FLSA\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2007-05-25 63040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDriveAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE"="C:\Program Files\Microsoft Office\Office10\EXCEL.EXE:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\w5a04afb2.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\w5a04afb2.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winyvaq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winyvaq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkmqdw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkmqdw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrijrn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrijrn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dkood.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dkood.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvkblqd.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvkblqd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlxccsn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlxccsn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winfcgaip.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winfcgaip.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkywfc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkywfc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrpmko.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrpmko.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqvrn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqvrn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wineykg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wineykg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winwusehm.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winwusehm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winduobm.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winduobm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\npjco.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\npjco.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqnsref.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqnsref.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tdhn.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tdhn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gehhv.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gehhv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hpcrf.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hpcrf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhnodsw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhnodsw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qwei.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qwei.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\uxyh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\uxyh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\awkym.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\awkym.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jqwbc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jqwbc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winljxv.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winljxv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvnc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvnc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsqkv.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsqkv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\sllfm.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\sllfm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kcod.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kcod.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvbehs.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvbehs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\aavtop.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\aavtop.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlsqlnl.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlsqlnl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winesfytc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winesfytc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winanlbg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winanlbg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhmyjhy.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhmyjhy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\osdw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\osdw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winumox.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winumox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dhltxp.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dhltxp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjyuqqa.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjyuqqa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dvuerx.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dvuerx.exe:*:Enabled:ipsec"
"\\SERVER\Clients\Setup\setup.exe"="\\SERVER\Clients\Setup\setup.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\applnch.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\applnch.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wjouxi.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wjouxi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wrxs.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wrxs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcfb43d.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcfb43d.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\mpgec.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\mpgec.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqby.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqby.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvox.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbfsh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbfsh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hybi.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hybi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wincxpx.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wincxpx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ejqil.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ejqil.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\nnlg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\nnlg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winepgk.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winepgk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\fadpgh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\fadpgh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ronmwd.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ronmwd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\cbkl.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\cbkl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gusyj.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gusyj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wbf61753.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wbf61753.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tqyr.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tqyr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winekwky.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winekwky.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jkhq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jkhq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcaed66.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcaed66.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkyyftg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkyyftg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpinxf.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpinxf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xcap.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xcap.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windyfvej.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windyfvej.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xogl.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xogl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrjike.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrjike.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vhtptx.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vhtptx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\yehlc.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\yehlc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsurnec.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsurnec.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winctot.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winctot.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wpaq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wpaq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\iinr.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\iinr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qagwik.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qagwik.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\bqjciy.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\bqjciy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ahhyvt.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ahhyvt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xjlov.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xjlov.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kgelvu.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kgelvu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbmhqxg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbmhqxg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vdhqg.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vdhqg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winmbhry.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winmbhry.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpkaw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpkaw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqbpf.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqbpf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ylby.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ylby.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkbrq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkbrq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbstims.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbstims.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winypflq.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winypflq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winheohjp.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winheohjp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winuhgb.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winuhgb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hmrdw.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hmrdw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winghjhe.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winghjhe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsdwupy.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsdwupy.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Synergy\synergys.exe"="C:\Program Files\Synergy\synergys.exe:*:Enabled:synergys"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:iexplore"

======List of files/folders created in the last 1 months======

2009-11-03 11:27:18 ----D---- C:\_OTM
2009-11-03 11:25:41 ----D---- C:\Program Files\ERUNT
2009-11-02 11:18:57 ----D---- C:\rsit
2009-11-02 11:18:57 ----D---- C:\Program Files\trend micro

======List of files/folders modified in the last 1 months======

2009-11-03 12:01:10 ----D---- C:\WINDOWS\temp
2009-11-03 12:01:10 ----D---- C:\WINDOWS\system32\DRIVERS
2009-11-03 11:59:07 ----D---- C:\WINDOWS\SECURITY
2009-11-03 11:59:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-03 11:56:41 ----D---- C:\Program Files\PROFOX OXIMETRY
2009-11-03 11:56:00 ----D---- C:\WINDOWS
2009-11-03 11:48:26 ----D---- C:\WINDOWS\Prefetch
2009-11-03 11:48:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-03 11:35:31 ----D---- C:\WINDOWS\ERDNT
2009-11-03 11:30:57 ----D---- C:\Program Files\LogMeIn
2009-11-03 11:28:44 ----D---- C:\WINDOWS\SYSTEM32
2009-11-03 11:25:41 ----AD---- C:\Program Files
2009-11-03 10:42:21 ----A---- C:\WINDOWS\iltwain.ini
2009-11-03 10:18:59 ----D---- C:\temp
2009-11-03 09:37:35 ----D---- C:\Program Files\Intuit
2009-11-02 16:22:17 ----A---- C:\WINDOWS\ilan_txt.ini
2009-11-01 08:00:13 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-11-01 07:59:47 ----D---- C:\Program Files\Windows NT
2009-11-01 07:59:15 ----D---- C:\Program Files\Windows Media Player
2009-11-01 07:39:05 ----D---- C:\Program Files\Outlook Express
2009-11-01 06:55:40 ----D---- C:\Program Files\Internet Explorer
2009-10-31 21:43:36 ----D---- C:\Program Files\NetMeeting
2009-10-31 20:36:12 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-27 09:37:20 ----RASH---- C:\BOOT.INI
2009-10-27 09:37:20 ----A---- C:\WINDOWS\WIN.INI
2009-10-27 09:37:20 ----A---- C:\WINDOWS\system.ini
2009-10-27 09:37:15 ----D---- C:\WINDOWS\pss
2009-10-27 08:41:32 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-17 00:15:53 ----D---- C:\Program Files\Movie Maker
2009-10-13 08:42:49 ----SD---- C:\WINDOWS\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-07-19 17153]
R1 Winnov32;Winnov32; C:\WINDOWS\system32\DRIVERS\Winnov32.sys [2002-03-06 528719]
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2004-05-17 41984]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2002-09-26 76288]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 SpeakerPhone;SpeakerPhone; C:\WINDOWS\System32\DRIVERS\HSF_SPKP.sys [2001-08-17 73279]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\iiikdi.sys []
R3 DspPdo;PDO Driver; C:\WINDOWS\system32\DRIVERS\DspPdo.sys [2003-03-06 10310]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-04-30 139776]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 LMImirr;LMImirr; C:\WINDOWS\system32\DRIVERS\LMImirr.sys [2007-04-17 10144]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB); C:\WINDOWS\System32\Drivers\MCSPRKB.sys [2008-05-07 47337]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Msikbd2k;DellTouch; C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-06-30 21760]
R3 PORTI;Porti Driver; C:\WINDOWS\system32\DRIVERS\PORTI.SYS [2003-03-06 19190]
R3 SNTNLUSB;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2002-09-26 26120]
R3 USA19H;USA19H; C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 727908]
R3 USA19H2KP;Keyspan USB Serial Port Driver; C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 44928]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 USBFIB;Fiber to USB Driver; C:\WINDOWS\system32\DRIVERS\usbfib.sys [2003-03-06 17790]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 WnvCOM;WnvCOM; C:\WINDOWS\system32\DRIVERS\WnvCOM.sys [2002-03-06 21536]
R3 WnvKAud;Winnov Kernel Audio; C:\WINDOWS\system32\DRIVERS\WnvKAud.sys [2002-03-06 107232]
R3 WnvKVid;Winnov Kernel Video; C:\WINDOWS\system32\DRIVERS\WnvKVid.sys [2002-03-06 245480]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-03 42496]
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
S3 cyzport;Cyclades-Z Port Driver; C:\WINDOWS\System32\DRIVERS\cyzport.sys [2001-08-17 49792]
S3 DIGIRPS;Digi PortServer Driver; C:\WINDOWS\System32\DRIVERS\digirlpt.sys [2001-08-17 42432]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2002-06-30 1172416]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2002-06-30 167155]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD); C:\WINDOWS\System32\Drivers\MCSPRBD.sys [2008-05-07 92457]
S3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB); C:\WINDOWS\System32\Drivers\MCSPRIB.sys [2008-05-07 47881]
S3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB); C:\WINDOWS\System32\Drivers\MCSPRJB.sys [2008-05-07 47113]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NMSCFG;NIC Management Service Configuration Driver; \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS []
S3 OM518P;VGA USB Camera (2120); C:\WINDOWS\System32\Drivers\om518vid.sys [2003-06-01 185256]
S3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
S3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2002-06-30 594832]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2004-08-03 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2004-08-03 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2004-08-03 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2007-05-25 112200]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-04-17 63040]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 Synergy Server;Synergy Server; C:\Program Files\Synergy\synergys.exe [2006-04-02 733184]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-09-25 217088]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S4 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S4 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 417792]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
S4 Nhksrv;Netropa NHK Server; C:\WINDOWS\Nhksrv.exe [2001-08-06 28672]
S4 NMSSvc;Intel® NMS; C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 1118208]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2003-10-06 81920]
S4 Wnvirq32Service;wnvirq32 Service; C:\WINDOWS\system32\wnvirq32.exe [2002-03-06 137216]

-----------------EOF-----------------
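Three things in the log above are what a responder would pull out first: the Windows Firewall authorized-applications list carrying dozens of random-named executables in the user's Temp folder, all with the same "ipsec" description; the HKCU Policies\System values DisableRegistryTools and DisableTaskMgr, still at 1 after the MBAM "fix" (so whatever re-sets them is presumably still active); and the running driver abp470n5 whose file iiikdi.sys has no metadata and no relation to its service name. The script below is an added example, not code from this thread, from RSIT or from OTM. It parses a constructed excerpt of the posted log (lines copied from above, trimmed), flags those three indicators, and generates the `"path"=-` deletion lines for the firewall entries, which is ordinary .reg syntax for removing a value and the same form OTM's :Reg section accepts. The Temp-path regex and the driver heuristic are my assumptions, not RSIT rules.

```python
import re

# Constructed excerpt: lines copied from the RSIT log posted above, heavily trimmed.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe"="C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe:*:Enabled:ipsec"
"\\SERVER\Clients\Setup\setup.exe"="\\SERVER\Clients\Setup\setup.exe:*:Enabled:ipsec"

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\iiikdi.sys []
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[(.*)\]$")
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)  # assumption
LOCKOUT_VALUES = ("DisableRegistryTools", "DisableTaskMgr")


def parse_registry_sections(text):
    """Map each [HKEY...] header to its (value name, data) pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and (m := VALUE_RE.match(line)):
            sections[current].append(m.groups())
    return sections


def parse_drivers(text):
    """Parse 'R3 name;display; path [date size]' lines inside the drivers list only
    (the services list further down uses the same line format)."""
    drivers, inside = [], False
    for line in text.splitlines():
        if line.startswith("======"):
            inside = line.startswith("======List of drivers")
            continue
        m = DRIVER_RE.match(line) if inside else None
        if m:
            state, _start, name, display, path, meta = m.groups()
            drivers.append({"running": state == "R", "name": name, "display": display,
                            "path": path, "meta": meta})
    return drivers


def firewall_temp_entries(sections):
    """Authorized applications whose binary lives in a user's Temp folder; no
    legitimate installer opens firewall exceptions for %Temp% executables."""
    return [(key, name) for key, values in sections.items()
            if key.lower().endswith(r"authorizedapplications\list")
            for name, _ in values if TEMP_DIR_RE.search(name)]


def tool_lockouts(sections):
    """Values under ...\\Policies\\System that disable Task Manager / Registry Editor."""
    return [(key, name) for key, values in sections.items()
            if key.lower().endswith(r"policies\system")
            for name, data in values if name in LOCKOUT_VALUES and data.strip() == "1"]


def suspicious_drivers(drivers):
    """Heuristic (my assumption, not an RSIT rule): running, no file metadata,
    display name identical to the service name, file name unrelated to both."""
    out = []
    for d in drivers:
        base = d["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if (d["running"] and d["meta"] == "" and d["display"] == d["name"]
                and base.lower() != d["name"].lower()):
            out.append(d["name"])
    return out


def reg_deletion_script(key, names):
    """Emit "name"=- lines: .reg syntax for deleting a value, also accepted by OTM's :Reg."""
    return "\n".join(["[%s]" % key] + ['"%s"=-' % n for n in names])


def triage(text):
    sections = parse_registry_sections(text)
    fw = firewall_temp_entries(sections)
    return {"firewall_temp": [n for _, n in fw],
            "lockouts": [n for _, n in tool_lockouts(sections)],
            "drivers": suspicious_drivers(parse_drivers(text)),
            "reg_script": reg_deletion_script(fw[0][0], [n for _, n in fw]) if fw else ""}


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print("%s:\n%s\n" % (section, result))
```

On the sample, `triage` returns the two lockout values, the single driver abp470n5 (the one the reply's `:Services` line targets), the two Temp-folder firewall entries, and a ready-to-paste deletion block for them; Explorer.EXE and the UNC setup path are left for a human to judge. The Temp-folder check is deliberately narrow: anything outside it that shares the odd "ipsec" description still deserves a look by hand.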

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:26 AM

Posted 03 November 2009 - 06:24 PM

fpsa_ahmed,

I wanted to let you know that almost all the computers on the network have the same symptoms; there are about 9 computers. It doesn't seem that they have any kind of AV or Anti-Malware/Spyware. If you can help me get these computers in shape I would really appreciate it!


It sounds like these are business machines; shouldn't you have someone for doing this? I am not going to work on all your machines. I will tell you that the first thing you need to do is install an antivirus on all of them.

If this machine is networked to all the other infected machines, you need to disconnect it from the network; otherwise I am not going to be able to clean it.

Except for the link for the online virus scan, both websites would not open.


What do you mean the website would not open?


Please make sure to disconnect this machine from the network before continuing with the next steps.


We need to execute an OTM script.
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code into the "Paste Instructions for Items to be Moved" box. Do not include the word "Code".
    :Services
    abp470n5
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\WINDOWS\Explorer.EXE"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kexj.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\w5a04afb2.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winyvaq.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkmqdw.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrijrn.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhell.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dkood.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvkblqd.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlxccsn.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winfcgaip.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkywfc.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrpmko.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqvrn.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wineykg.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winwusehm.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winduobm.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\npjco.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winqnsref.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tdhn.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gehhv.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hpcrf.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhnodsw.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qwei.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\uxyh.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\awkym.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jqwbc.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winljxv.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvnc.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsqkv.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\sllfm.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kcod.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winvbehs.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\aavtop.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winlsqlnl.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winesfytc.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winanlbg.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winhmyjhy.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\osdw.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winumox.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dhltxp.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjyuqqa.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dvuerx.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\applnch.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wjouxi.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wrxs.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcfb43d.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\mpgec.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqby.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windvox.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbfsh.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hybi.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wincxpx.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ejqil.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\nnlg.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winepgk.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\fadpgh.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ronmwd.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\cbkl.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gusyj.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wbf61753.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\tqyr.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winekwky.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\jkhq.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\gcnh.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wcaed66.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkyyftg.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpinxf.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xcap.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\windyfvej.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xogl.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrjike.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vhtptx.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\yehlc.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsurnec.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winctot.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\wpaq.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\iinr.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\qagwik.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\bqjciy.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ahhyvt.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\xjlov.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\kgelvu.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbmhqxg.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\vdhqg.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winmbhry.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winpkaw.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winjqbpf.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\ylby.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winkbrq.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winbstims.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winypflq.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winheohjp.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winuhgb.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\hmrdw.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winghjhe.exe"=-
    "C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winsdwupy.exe"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandtManager.lnk]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ImapService"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=-
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=-
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Please post back here with the following logs:
  • OTM results
  • Gmer log
  • New Rsit log
Thanks

unite.jpg
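The registry section of the OTM script above is written in the regedit .reg import syntax: a `[key]` line selects a key, `[-key]` deletes that whole key, and `"name"=-` deletes one value under the currently selected key, so the long run of Temp-folder paths is a list of values being removed and the last two keys strip the DisableTaskMgr, DisableRegistryTools and EnableLUA policy values that were locking the user out. As an added example (not OTM's own code and not part of the original post), the Python below parses a script in that format and reports what it would change: which Temp-folder executables it removes, which policy lockouts it clears, and which keys it deletes. The sample script is constructed; in particular, the firewall key placed above the Temp paths is my assumption, because the fragment on the page starts below its key line, and the parser keeps backslashes exactly as they appear on the page rather than applying .reg escaping.

```python
r"""Added example: read an OTM-style registry fix script and summarise what it
would change.  Not OTM's own parser; the sample script below is constructed.

Syntax (regedit .reg import format, which OTM's :Reg section also accepts):
    [HKEY_...\Key]         select this key for the "name"=... lines that follow
    [-HKEY_...\Key]        delete the whole key
    "name"=-               delete the named value under the selected key
    "name"=dword:00000001  set a DWORD value
    @=-                    delete the key's (Default) value
    [EmptyTemp]            OTM directive, not a registry key
"""
import re
from dataclasses import dataclass

# Policy values malware sets to lock the user out of Task Manager, regedit and UAC.
POLICY_LOCKOUTS = {"DisableTaskMgr", "DisableRegistryTools", "EnableLUA"}
# Value names that are paths to executables in a Temp folder, written the way the
# page shows them (single backslashes, no .reg escaping).
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^(?:"(?P<name>.*?)"|(?P<default>@))=(?P<data>.*)$')


@dataclass
class Action:
    kind: str            # "delete_key" | "delete_value" | "set_value" | "directive"
    key: str
    name: str = ""
    data: str = ""


def parse_reg_script(text: str) -> list[Action]:
    """Turn the script into a flat list of actions, resolving each value line
    against the most recently selected key."""
    actions: list[Action] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                actions.append(Action("delete_key", body[1:]))
            elif body.upper().startswith("HKEY_"):
                current_key = body
            else:
                actions.append(Action("directive", body))
            continue
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        if not current_key:
            raise ValueError(f"value line before any [key] line: {raw!r}")
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        kind = "delete_value" if data == "-" else "set_value"
        actions.append(Action(kind, current_key, name, data))
    return actions


def summarize(actions: list[Action]) -> dict:
    """Group the actions the way a reviewer wants to see them before running the fix."""
    out = {"temp_exe_entries": [], "policy_lockouts_cleared": [],
           "keys_deleted": [], "values_set": [], "directives": []}
    for a in actions:
        if a.kind == "delete_key":
            out["keys_deleted"].append(a.key)
        elif a.kind == "directive":
            out["directives"].append(a.key)
        elif a.kind == "set_value":
            out["values_set"].append((a.key, a.name, a.data))
        elif a.name in POLICY_LOCKOUTS and a.key.lower().endswith("\\policies\\system"):
            hive = a.key.split("\\", 1)[0]
            out["policy_lockouts_cleared"].append((hive, a.name))
        elif TEMP_EXE.search(a.name):
            out["temp_exe_entries"].append(a.name)
    return out


# Constructed sample in the shape of the thread's script.  The firewall key above the
# Temp paths is an assumption: the page's fragment begins below its key line.
SAMPLE_SCRIPT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\winrijrn.exe"=-
"C:\DOCUME~1\ADMINI~1.FLS\LOCALS~1\Temp\dkood.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=-
[EmptyTemp]
"""

if __name__ == "__main__":
    for section, items in summarize(parse_reg_script(SAMPLE_SCRIPT)).items():
        print(f"{section}: {len(items)}")
        for item in items:
            print("   ", item)
```

Paste the real script in place of SAMPLE_SCRIPT to see what a fix touches before pushing OTM's button; the parser only reads text and never writes to the registry, so it is safe to run on any machine, including one that is still infected.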


#7 fpsa_ahmed (Topic Starter, Members, 32 posts)

Posted 03 November 2009 - 10:35 PM

Hey Syler,

The machine we are working on started everything again from the beginning (task manager is ghost). I didn't know I needed to disconnect it from the network.... I am helping out this office to get their computers straightened out. Is it possible we can talk in private to arrange for something professionally?

Thank You,
Ahmed

#8 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 04 November 2009 - 10:06 AM

Ahmed,

The machine we are working on started everything again from the beginning (task manager is ghost).


What do you mean it started everything again? We have not finished cleaning it yet.

I am helping out this office to get their computers straightened out. Is it possible we can talk in private to arrange for something professionally?


No, I am not going to discuss this privately. If you want all your machines sorted out, I suggest that you hire a professional to come in and do it. My services are not for hire; what I do on here is for free, and I do not intend to work on a whole business network.


Syler



#9 fpsa_ahmed (Topic Starter, Members, 32 posts)

Posted 05 November 2009 - 04:44 PM

Hey Syler,

Sorry I haven't replied back earlier. I am trying to figure out what I am going to do with this office. I scanned one of the files that keep on coming back in the TEMP folder, and the results are below. It seems that all the computers are infected with Sality? I think I have to take everything offline and each computer off the network and try to clean it. I can't find someone locally to help me out. Are there instructions that I can follow to do on each computer?

I know its difficult to take care of 10 computers over a forum, I greatly appreciate your help. Let me know what I should do.

Thank You,
Ahmed


File Info

Report generated: 5.11.2009 at 22.37.52 (GMT 1)
Filename: winymqqi.exe
File size: 11264
MD5 Hash: 4a719b328bfbca567f29f49784f6159d
SHA1 Hash: 29161890FE4DDAB8E2C75885ED3DAF337D138B71
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 19 on 23

Detections

a-squared - Virus.Win32.Sality!IK
Avira AntiVir - BDS/Backdoor.Gen
Avast - Win32:Trojan-gen
AVG - Agent2.MAN
BitDefender - Backdoor.Agent.AAFO
ClamAV - -
Comodo - TrojWare.Win32.Trojan.Agent.~EZH
Dr.Web - Trojan.MailSpam.41
Ewido - -
F-PROT6 - W32/Trojan3.ATP
Ikarus T3 - Virus.Win32.Sality
Kaspersky - Trojan-Downloader.Win32.Agent.bqbt
McAfee - Generic Proxy trojan
NOD32 v3 - Win32/Agent.HLU
Norman - Trojan W32/Horst.gen33
Panda - Trj/Spammer.AND
QuickHeal - Trojan.Agent.ATV
Solo Antivirus - TrojanDownloader.Win32.Agent.Bqbt
Sophos - Mal/Inet-Fam
TrendMicro - -
VBA32 - Trojan-Downloader.Win32.Agent.bqbt
VirusBuster - Trojan.DL.Agent.JFCI
ZonerAntivirus - -

Scan report generated by
NoVirusThanks.org


#10 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 05 November 2009 - 05:06 PM

It seems that all the computers are infected with Sality? I think I have to take everything offline and each computer off the network and try to clean it.


Yes, I think this is what you need to do as well.

I can't find someone locally to help me out. Is there instructions that I can follow to do on each computer?


Not really, each machine should be looked at and dealt with on its individual merits.

I know its difficult to take care of 10 computers over a forum, I greatly appreciate your help. Let me know what I should do.


Yes, it would be difficult to deal with 10 computers, but that is not the only reason I am not going to work on a company's network. I would rather spend my time helping the home user, not businesses, as a business should really have someone in place who can deal with these issues or have the resources to get someone in to deal with it.

As for letting you know what you should do, I have already told you this here.

If you want me to finish off working on this machine I will do so, but other than that you are going to have to find someone professional to do the rest. My suggestion would be to format and reinstall all the computers, although I don't know if this would be practical for you to do.


Syler



#11 fpsa_ahmed (Topic Starter, Members, 32 posts)

Posted 09 November 2009 - 09:10 AM

They asked for my help because they do not have enough "resources". Thank you for your help anyway. Please close this topic.

#12 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 09 November 2009 - 12:14 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
