Compromised Server


17 replies to this topic

#1 krajewskil

  • Members
  • 23 posts

Posted 23 May 2007 - 03:42 PM

Hello,

I'm working on a Win2k3 server that was infected w/ "Flood.DaMailer.119" worm (as per Avira AntiVir) and Yahoo Messenger (w/ someone logged in, to boot). I cleaned out the worm, removed Yahoo Messenger, and went through all of the other pre-log posting checks and cleanings. Below is the HJT log from the server. What else do I need to do to make sure it's clean again? Thanks so much for the help.

--LJK


Logfile of HijackThis v1.99.1
Scan saved at 4:12:03 PM, on 5/23/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
D:\Program Files\Bell & Howell\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
\belmont\BHDMS\Bellhowell.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VERITAS\Backup Exec\NT\BkupExec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://123logmein.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - D:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
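
A small triage parser for the HijackThis log format posted above, as an added example that is not part of the original thread or of the HijackThis tool. `SAMPLE_LOG` is an excerpt of the first log; the function names and the two review heuristics (Run-key values with a blank name or no directory, and services reported "file missing" while the same image name is running from another directory) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any OS

# Excerpt of the first HijackThis log in this thread (lines copied from the post).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2003 SP1 (WinNT 5.02.3790)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SAV\Rtvscan.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")             # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")  # "HKLM\..\Run: [name] cmd"
MISSING = " (file missing)"


def parse_hjt(text):
    """Return (running process paths, {section code: [entry bodies]})."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group(1)].append(m.group(2))
    return processes, entries


def parse_service(body):
    """'Service: Name - Owner - Path[ (file missing)]' -> dict, or None."""
    if not body.startswith("Service: "):
        return None
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[:-len(MISSING)]
    return {"name": name, "owner": owner, "path": path, "missing": missing}


def autoruns_to_review(entries):
    """O4 registry autoruns with a blank value name or a command without a directory."""
    flagged = []
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if not m:
            continue  # Startup-folder items use another layout; not handled here
        key, name, command = m.groups()
        if not name or not dirname(command.strip().strip('"')):
            flagged.append((key, name, command))
    return flagged


def missing_but_running(processes, entries):
    """Services reported 'file missing' whose image name is running from another directory."""
    running = defaultdict(set)
    for p in processes:
        running[basename(p).lower()].add(dirname(p).lower())
    hits = []
    for body in entries.get("O23", []):
        svc = parse_service(body)
        if svc and svc["missing"]:
            here = dirname(svc["path"]).lower()
            elsewhere = running.get(basename(svc["path"]).lower(), set()) - {here}
            if elsewhere:
                hits.append((svc["name"], svc["path"], sorted(elsewhere)))
    return hits


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for key, name, cmd in autoruns_to_review(ents):
        print(f"review autorun  {key} [{name}] {cmd}")
    for name, path, dirs in missing_but_running(procs, ents):
        print(f"review service  {name}: recorded {path}, running from {dirs}")
```

The output is a review list for a responder, not a verdict on any entry.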


#2 RichieUK

  • Malware Response Team
  • 13,614 posts

Posted 24 May 2007 - 05:33 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum krajewskil :thumbsup:

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

********************************

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

********************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 krajewskil

  • Topic Starter

  • Members
  • 23 posts

Posted 24 May 2007 - 11:32 AM

Here's the latest:

SDFix -- Tried to run RunThis.bat (in Safe Mode); it only blinked. Tried running it from a command prompt to see any error messages. Got "The system cannot find the batch label specified - End". Took a quick look at the batch file and it looks like it wasn't written for Server 2003. (Thought about trying to tweak it to make it work but doing that on a client's production server didn't seem to be a good career move. :thumbsup: )

F-secure online -- Done. Results below.

Combofix -- Got the following message: "Incompatible OS. ComboFix only works for Windows 2000 and XP"

. . . and a new HJT log is at the end. Let me know where we go from here. Thanks.

--LJK

=====

Scanning Report
Thursday, May 24, 2007 09:44:30 - 11:28:03
Computer name: BELMONT
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 6 malware found
JS/Banload.IWG (virus)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OIVIP407\error.hosting.404[1].htm (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
Trojan.BAT.Regger.b (virus)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B1C0000\4FFFC083.VBN (Renamed & Submitted)
W32/Malware (virus)
D:\old_server\Bell & Howell\FINDER\UNC.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 125513
System: 3852
Not scanned: 55
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
None: 4
Submitted: 3
Files not scanned:
x�x�AGEFILE.SYS
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\LSERVER\EDB.LOG
C:\WINDOWS\SYSTEM32\LSERVER\TLSLIC.EDB
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
bios1.rom
C:\PROGRAM FILES\VERITAS\BACKUP EXEC\NT\DATA\BEDB_DAT.MDF
C:\PROGRAM FILES\VERITAS\BACKUP EXEC\NT\CATALOGS\{137FFBF8-26B8-4B56-A0E3-DE8E2737A6F1}_1.FH.REC.TMP
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$BKUPEXEC\DATA\MASTER.MDF
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$BKUPEXEC\DATA\MASTLOG.LDF
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$BKUPEXEC\DATA\MODEL.MDF
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$BKUPEXEC\DATA\MODELLOG.LDF
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$BKUPEXEC\DATA\MSDBDATA.MDF
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$BKUPEXEC\DATA\MSDBLOG.LDF
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\MR_BACKUP\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\MR_BACKUP\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT8\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT8\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT5\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT5\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT4\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT4\LOCAL SETTINGS\TEMP\5\QRP1.TMP
C:\DOCUMENTS AND SETTINGS\CLIENT4\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT20\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT20\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT2\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT2\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT1\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\CLIENT1\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger10.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger11.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger12.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger13.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger2.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger3.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger4.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger5.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylogger6.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PerfectKeylog�:P

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-05-24
F-Secure Blacklight: 1.0.53
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Libra: 2.4.2, 2007-05-23
F-Secure Orion: 1.2.37, 2007-05-24
F-Secure Pegasus: 1.19.0, 2007-04-22
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics


=====

Logfile of HijackThis v1.99.1
Scan saved at 11:32:12 AM, on 5/24/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
D:\Program Files\Bell & Howell\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
\belmont\BHDMS\Bellhowell.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://123logmein.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - D:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 May 2007 - 12:05 PM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\RunServices: [] winupdate[1].exe

Exit Hijackthis.

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new Hijackthis log please.
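A triage pass over the HijackThis log format quoted in this thread, as an added example that is not part of any poster's reply and not HijackThis's own code: it flags the nameless, pathless `winupdate[1].exe` autoruns selected for fixing above and the service entries marked "(file missing)". The rule names and the `triage`/`summarize` helpers are assumptions of this example; the sample lines are copied from the log posted in this thread.

```python
import re
from collections import Counter
from typing import NamedTuple

# Sample input: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
"""

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# "O23 - Service: Display (name) - Owner - X:\path\file.exe [(file missing)]"
O23_SVC = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# A Windows directory that sits inside a user profile instead of at the drive root.
PROFILE_SYSDIR = re.compile(r"\\documents and settings\\[^\\]+\\windows\\", re.IGNORECASE)
SECTION = re.compile(r"^([A-Z]\d{1,2}) - ")


class Finding(NamedTuple):
    section: str      # HijackThis section code (O4, O23, ...) or "process"
    reasons: tuple    # rule names (hypothetical, defined by this example)
    line: str         # the log line as it appeared


def triage(log_text):
    """Return the log lines that deserve a manual look, with the reasons why."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION.match(line)
        section = sec.group(1) if sec else "process"
        reasons = []

        reg = O4_REG.match(line)
        if reg:
            if not reg.group("name"):
                # A Run value with an empty name is not something installers create.
                reasons.append("autorun-empty-name")
            if "\\" not in reg.group("cmd"):
                # No directory given: whatever matches on the search path gets started.
                reasons.append("autorun-no-path")

        svc = O23_SVC.match(line)
        if svc and svc.group("missing"):
            reasons.append("service-file-missing")

        if PROFILE_SYSDIR.search(line):
            reasons.append("system-dir-under-profile")

        if reasons:
            findings.append(Finding(section, tuple(reasons), line))
    return findings


def summarize(findings):
    """Count how often each rule fired, to show patterns across many entries."""
    return Counter(reason for f in findings for reason in f.reasons)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:8} {', '.join(f.reasons)}\n         {f.line}")
    print(dict(summarize(results)))
```

A flag marks an entry for manual review, not a verdict. When one rule fires on dozens of entries that all share the same odd path prefix, as "service-file-missing" does in this log, look for a single common cause before changing each entry individually.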

#5 krajewskil

krajewskil
  • Topic Starter

  • Members
  • 23 posts

Posted 25 May 2007 - 12:10 PM

Here's the results. BTW, should I go ahead and delete all of the "file missing" entries?
--LJK


(DrWeb.csv)
mirc.exe;C:\Documents and Settings\Administrator\Desktop\D-Bot;Program.mIRC.616;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
pv.exe;C:\WINDOWS\xampp\apache\bin;Program.PrcView.3725;Incurable.Moved.;


Logfile of HijackThis v1.99.1
Scan saved at 9:26:51 AM, on 5/25/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
D:\Program Files\Bell & Howell\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\SAV\Rtvscan.exe
\belmont\BHDMS\Bellhowell.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://123logmein.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - D:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 May 2007 - 12:19 PM

should I go ahead and delete all of the "file missing" entries?

Yes, do that, restart your PC when you've finished and post a new Hijackthis log in your next reply.

#7 krajewskil

krajewskil
  • Topic Starter

  • Members
  • 23 posts

Posted 30 May 2007 - 07:52 AM

OK, it's done. Doesn't look like many of the "file missing" items were removed. Does this need to be done in safe mode?
--LJK


Logfile of HijackThis v1.99.1
Scan saved at 8:43:26 AM, on 5/30/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
D:\Program Files\Bell & Howell\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
\belmont\BHDMS\Bellhowell.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://123logmein.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - D:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)

#8 krajewskil

krajewskil
  • Topic Starter

  • Members
  • 23 posts

Posted 30 May 2007 - 10:03 AM

Had someone reboot the server into safe mode & tried to remove the "file missing" entries. The new log is below.


Logfile of HijackThis v1.99.1
Scan saved at 10:51:23 AM, on 5/30/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bell & Howell\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
\belmont\BHDMS\Bellhowell.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\VERITAS\Backup Exec\NT\BkupExec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://123logmein.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - D:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)

#9 RichieUK


    Malware Assassin


  • Malware Response Team

Posted 30 May 2007 - 10:05 AM

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "c:\documents and settings\administrator\windows\system32\mswsock.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

********************************

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
Then click on 'Send'.
Post the results into your next reply.

********************************

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

********************************

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

As well as the above requested, also post a new HijackThis log.

#10 krajewskil

  • Topic Starter

  • Members

Posted 30 May 2007 - 02:17 PM

Here's the latest:

"c:\documents and settings\administrator\windows\system32" doesn't currently exist on the system. I did double-check my folder options to make sure hidden and system files were shown (they were). For LSPFix, it only found one instance of mswsock.dll. I didn't give any directory names, but I assume it's the one in c:\windows\system32 as that's the only mswsock.dll on the system now. For that reason, I did not delete it. Same deal with smss.exe, except that the only one on the system now is at c:\windows\i386\system32\. For kicks, I ran both of them through VirusTotal and both came back completely clean by all scanners. (I did save the output if you want to see it, but seeing as those weren't exactly the files you wanted and the scans came up clean it seemed like a waste of space to post them.) The Kaspersky scan results are posted below, along with a nicely formatted (sorry 'bout that) HJT log.

BTW, thank you very much for your prompt responses. It has certainly been nice to be able to handle this problem fairly quickly. Could you tell me specifically what issues you see in these logs? It hasn't happened yet, but sooner or later my boss is going to want to know what the status is and what specific problems we're having. (Don't worry about going over our heads; sounding impressive can get good mileage. :thumbsup: )

Thanks again.
LJK


KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 30, 2007 2:15:09 PM
Operating System: Microsoft Windows Server 2003, Standard Edition, Service Pack 1 (Build 3790)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 30/05/2007
Kaspersky Anti-Virus database records: 313644
Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects: 69707
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:28:42

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B1C0000\4FFFC083.0BN Infected: Trojan.BAT.Regger.b skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.XG6 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInventory.YG6 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryGiftCards.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryGiftCards.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryHeader.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryLines.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryLines.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryLines.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryLines.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryLines.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryLines.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryTax.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoiceHistoryTax.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoicingTendered.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoicingTendered.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoicingTendered.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsInvoicingTendered.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsLabels.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsLabels.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsLabels.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsLabels.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsLabels.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsLabels.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsPreferences.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsPreferences.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PartsPreferences.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PDOXUSRS.LCK Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.XG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.XG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PriceBooks.YG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PSPOrderXML.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PSPOrderXML.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PSPOrderXML.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderDetail.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\PurchaseOrderHeader.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\ReceivingDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\ReceivingDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\ReceivingHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\ReceivingHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\RetailPolling.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\RetailPolling.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SavedInvoiceHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SavedInvoiceLines.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SavedInvoiceLines.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SavedInvoiceLines.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SavedInvoiceLines.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\ShipMethod.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\ShipVendor.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderDetail.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderHeader.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderHeader.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderHeader.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SpecialOrderHeader.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.XG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.XG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SuggestedOrders.YG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsDetail.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsDetail.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsHeader.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\SupplierReturnsHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\Suppliers.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\Suppliers.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\Suppliers.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Parts\Suppliers.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoiceJE.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoiceJE.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoiceJE.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoiceJE.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoiceJE.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoiceJE.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG6 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG7 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.XG8 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG6 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG7 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\ApInvoices.YG8 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoicesTax.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APInvoicesTax.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APPreferences.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\APPreferences.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\PDOXUSRS.LCK Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\VendorJE.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\VendorJE.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\Vendors.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\Vendors.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\Vendors.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Payables\Vendors.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.XG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\AROpenItems.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\ARPreferences.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\ARPreferences.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Receivables\PDOXUSRS.LCK Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\PDOXUSRS.LCK Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalItems.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalPreferences.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalPreferences.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalPreferences.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalType.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalType.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalType.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalType.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalType.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\RentalType.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.XG6 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Rental\Reservation.YG6 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\AdjustmentInvoice.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\AdjustmentInvoice.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\AdjustmentInvoiceLine.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\AdjustmentInvoiceLine.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealAdjustments.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealFinanceExt.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealFinanceExt.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealFinancing.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealFinancing.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.XG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.XG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.YG4 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealHeader.YG5 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealTax.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealTax.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealTrade.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealTrade.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnit.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnit.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitExt.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitExt.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitLabor.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitLabor.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitOptions.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitOptions.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitParts.db Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\DealUnitParts.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\FinanceTaxTemplates.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\FinanceTaxTemplates.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\FinanceTaxTemplates.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\FinanceTaxTemplates.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceFormulas.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceFormulas.MB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceFormulas.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesCritical.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesCritical.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesCritical.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesCritical.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\InsuranceRatesHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\LienHolders.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\LienHolders.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\LienHolders.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\LienHolders.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.XG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitHeader.YG3 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitLaborDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitLaborDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitLaborDetail.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitLaborDetail.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitOptions.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitOptions.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitPartsDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitPartsDetail.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitPartsDetail.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitPartsDetail.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.PX Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.XG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.XG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.XG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.YG0 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.YG1 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\MajorUnitSalesCategories.YG2 Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\OptionHeader.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\OptionPartsDetail.DB Object is locked skipped
D:\Program Files\Bell & Howell\Belmont\Sales\OptionPartsDetail.PX Object is locked skipped
Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 2:36:29 PM, on 5/30/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Documents and Settings\helpdesk\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bell & Howell\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
\belmont\BHDMS\Bellhowell.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\VERITAS\Backup Exec\NT\BkupExec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Bell & Howell\TurboCon.exe
D:\Program Files\Bell & Howell\Zybis.exe
D:\Program Files\Bell & Howell\ZybisAccounting.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [] winupdate[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [] winupdate[1].exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: del_lock_net.bat
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\helpdesk\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Bell & Howell DMS Licensing - GLOBEtrotter Software Inc. - D:\Program Files\Bell & Howell\lmgrd.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\services.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\Documents and Settings\helpdesk\WINDOWS\System32\svchost.exe (file missing)

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team

Posted 30 May 2007 - 03:48 PM

It's not looking too good, please do the following:

Download\unzip SilentRunners.vbs to your desktop:
http://www.silentrunners.org/Silent%20Runners.vbs.
Run Silent Runners by double-clicking the 'SilentRunners.vbs' icon.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE*
If you receive any warning message about scripts, please choose to allow the script to run.

**************************

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder, then copy and paste the entire content of winpfind.txt into your next reply.

*NOTE*
It may take more than one reply to post the whole winpfind.txt.

#12 krajewskil

krajewskil
  • Topic Starter

  • Members

Posted 31 May 2007 - 08:17 AM

Hmm. Not good is . . . not good. Here's the Silent Runners and winpfind results.
--LJK


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows Server 2003 (interpreted as Windows XP)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PRONoMgrWired" = "c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" ["Intel® Corporation"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"VxTaskbarMgr" = "C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe" ["Symantec Corporation"]
"(Default)" = "winupdate[1].exe" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"vptray" = "C:\PROGRA~1\SAV\VPTray.exe" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "%IEHARDENADMIN_BASE_DESC%"
\StubPath = "C:\WINDOWS\system32\rundll32.exe iesetup.dll,IEHardenAdmin" [MS]
{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "%IEHARDENUSER_DESC%"
\StubPath = "C:\WINDOWS\system32\rundll32.exe iesetup.dll,IEHardenUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "hticons.dll" [file not found]
"{4648F940-EFE3-4BAB-9211-3BE45CD5029D}" = "VSSShellExt"
-> {HKLM...CLSID} = "VSSShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vssui.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{C5AE6EAF-C8C3-4CFE-97D5-F533E7D36ACA}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "W on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0054B56C-F35C-4ADF-934C-F38647DC0482}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "U on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{026F5154-A39C-4765-900A-D47ED07F5919}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "S on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{44814EFA-3349-4576-92C5-E159B258336F}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "M on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{1F5B7BCC-5278-497D-9D32-AB6081757618}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "F on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{AE7BA633-D6CA-490E-97E6-CFD941F5D4D1}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "D on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0CCC2EF9-7255-4DFF-AE95-83298C030CD2}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "C on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{22AAD69A-A257-42C7-8559-A304C04D00B0}" = "Terminal Server Redirected Drive"
-> {HKCU...CLSID} = "A on HGONET-LAPTOP"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ShowSuperHidden" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoActiveDesktop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disablecad" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "helpdesk" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
<<!>> "del_lock_net.bat" [null data]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 15


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_08"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_08"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Experience Lookup Service, AeLookupSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\aelupsvc.dll" [MS]}
Backup Exec Agent Browser, BackupExecAgentBrowser, ""C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe"" ["Symantec Corporation"]
Backup Exec Device & Media Service, BackupExecDeviceMediaService, ""C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe"" ["Symantec Corporation"]
Backup Exec Job Engine, BackupExecJobEngine, ""C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe"" ["Symantec Corporation"]
Backup Exec Remote Agent for Windows Servers, BackupExecAgentAccelerator, ""C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe"" ["Symantec Corporation"]
Backup Exec Server, BackupExecRPCService, ""C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe"" ["Symantec Corporation"]
Bell & Howell DMS Licensing, Bell & Howell DMS Licensing, "D:\Program Files\Bell & Howell\lmgrd.exe" ["GLOBEtrotter Software Inc."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
Intel PDS, Intel PDS, "C:\WINDOWS\system32\CBA\pds.exe" ["LANDesk Software Ltd."]
MSSQL$BKUPEXEC, MSSQL$BKUPEXEC, "C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC" [MS]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\SAV\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\SAV\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Terminal Server Licensing, TermServLicensing, "C:\WINDOWS\system32\lserver.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 17 seconds.
---------- (total run time: 64 seconds)


==============================================================


WinPFind logfile created on: 5/31/2007 8:59:30 AM
WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\helpdesk\Desktop\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows Server 2003 Service Pack 1 | Version: 5.2.3790
Internet Explorer Version: 7.0.5730.11

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

2.00 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.67% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.59% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12.00 Gb Total Space | 5.46 Gb Free Space | 45.48% Space Free
Drive D: | 55.65 Gb Total Space | 42.07 Gb Free Space | 75.60% Space Free
Drive E: | 368.28 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
F: Drive not present or media not loaded

Computer Name: BELMONT
Current User Name: helpdesk
Logged in as Administrator.
Current Boot Mode: Normal

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

(File not found)
C:\Documents and Settings\helpdesk\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
C:\Program Files\SAV\DefWatch.exe (Symantec Corporation)
C:\Program Files\SAV\Rtvscan.exe (Symantec Corporation)
C:\Program Files\SAV\VPTray.exe (Symantec Corporation)
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe (Symantec Corporation)
C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe (Symantec Corporation)
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe (Symantec Corporation)
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe (Symantec Corporation)
C:\Program Files\VERITAS\Backup Exec\NT\BkupExec.exe (Symantec Corporation)
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe (Symantec Corporation)
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (Symantec Corporation)
C:\WINDOWS\system32\BRSS01A.EXE (brother Industries Ltd)
C:\WINDOWS\system32\BRSVC01A.EXE (brother Industries Ltd)
C:\WINDOWS\system32\CBA\pds.exe (LANDesk Software Ltd.)
D:\Program Files\Bell & Howell\Lmgrd.exe (GLOBEtrotter Software Inc.)
D:\Program Files\Bell & Howell\TurboCon.exe ()
D:\Program Files\Bell & Howell\TurboCon.exe ()
D:\Program Files\Bell & Howell\Zybis.exe (ADP Lightspeed)
D:\Program Files\Bell & Howell\Zybis.exe (ADP Lightspeed)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(Apache2) Apache2 [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\xampp\apache\bin\apache.exe (Apache Software Foundation)

(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped]
= C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

(awhost32) pcAnywhere Host Service [Win32_Own | Auto | Stopped]
= C:\Program Files\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation)

(BackupExecAgentAccelerator) Backup Exec Remote Agent for Windows Servers [Win32_Own | Auto | Running]
= C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe (Symantec Corporation)

(BackupExecAgentBrowser) Backup Exec Agent Browser [Win32_Own | Auto | Running]
= C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe (Symantec Corporation)

(BackupExecDeviceMediaService) Backup Exec Device & Media Service [Win32_Own | Auto | Running]
= C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe (Symantec Corporation)

(BackupExecJobEngine) Backup Exec Job Engine [Win32_Own | Auto | Running]
= C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe (Symantec Corporation)

(BackupExecRPCService) Backup Exec Server [Win32_Own | Auto | Running]
= C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe (Symantec Corporation)

(Bell & Howell DMS Licensing) Bell & Howell DMS Licensing [Win32_Own | Auto | Running]
= D:\Program Files\Bell & Howell\Lmgrd.exe (GLOBEtrotter Software Inc.)

(Brother XP spl Service) BrSplService [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\BRSVC01A.EXE (brother Industries Ltd)

(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)

(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (Symantec Corporation)

(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)

(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running]
= C:\Program Files\SAV\DefWatch.exe (Symantec Corporation)

(Intel PDS) Intel PDS [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\CBA\pds.exe (LANDesk Software Ltd.)

(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped]
= c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (Intel® Corporation)

(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)

(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Running]
= C:\Program Files\SAV\Rtvscan.exe (Symantec Corporation)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
= winupdate[1].exe (File not found)
AdaptecDirectCD = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRONoMgrWired = c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
vptray = C:\Program Files\SAV\VPTray.exe (Symantec Corporation)
VxTaskbarMgr = C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (Symantec Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
= winupdate[1].exe (File not found)


< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\del_lock_net.bat ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
= C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

< User Startup Folder = C:\Documents and Settings\helpdesk\Start Menu\Programs\Startup >
C:\Documents and Settings\helpdesk\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<




>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
DllName = C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
DllName = C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 734 bytes | Modified Date: 3/25/2005 9:00:00 AM)
127.0.0.1 localhost

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = res://shdoclc.dll/softAdmin.htm
Local Page = C:\WINDOWS\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = res://shdoclc.dll/softAdmin.htm


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.) )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKLM Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer ToolBars <<<<<

>>>>> HKLM Internet Explorer Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - Java Plug-in 1.5.0_08 ( HKLM C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - Java Plug-in 1.5.0_08 ( HKCU C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.) )

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{5E44E225-A408-11CF-B581-008029601108} = Adaptec DirectCD Shell Extension ( HKLM = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Shellex.dll (Roxio) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = hticons.dll (File not found) )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )
{B8323370-FF27-11D2-97B6-204C4F4F5020} = SmartFTP Shell Extension DLL ( HKLM = C:\Program Files\SmartFTP Client 2.0\smarthook.dll (SmartFTP) )
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = VpshellEx Class ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\LDVPMenu]
@ = {BDA77241-42F6-11d0-85E2-00AA001FE28C} ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu]
@ = {BDA77241-42F6-11d0-85E2-00AA001FE28C} ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
ShowSuperHidden = 1
NoActiveDesktop = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
disablecad = 0
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
scforceoption = 0
shutdownwithoutlogon = 0
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 149

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\system32\cmd.exe (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
%SystemRoot%\system32
%SystemRoot%
%SystemRoot%\System32\Wbem
C:\Program Files\Common Files\Adaptec Shared\System
C:\Program Files\Symantec\pcAnywhere\
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]

>>>>> User Agent Post Platform <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> Reg Data - Key not found
htmlfile [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
StubPath = %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
StubPath = %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
StubPath = C:\WINDOWS\system32\ieudinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EB1B1B7-16F7-4D9D-A53C-B24A8AD7B6A3}] ( Intel® PRO/1000 MT Network Connection )
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{51E4757A-619F-407A-8D4C-E9F875010938}] ( Intel® PRO/100 S Server Adapter )
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F607DDD1-B130-46AA-8E8E-0FC6C1B7FE71}] ( Intel® PRO/1000 MT Network Connection )
DefaultGateway = 10.0.0.100;
DhcpServer = 255.255.255.255
Domain =
EnableDHCP = 0
IPAddress = 10.0.0.165;
IPAutoconfigurationAddress = 0.0.0.0
NameServer = 166.102.165.11,166.102.165.13
SubnetMask = 255.255.255.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Local intranet
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = Computer

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0B79F48A-E8D6-11DB-9283-E25056D89593}\DownloadInformation]
CODEBASE = http://support.f-secure.com/ols/fscax.cab
INF = C:\WINDOWS\Downloaded Program Files\fscax.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}\DownloadInformation]
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
INF = C:\WINDOWS\Downloaded Program Files\kavwebscan.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}\DownloadInformation]
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab
INF = C:\WINDOWS\Downloaded Program Files\oscan8.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F}\DownloadInformation]
CODEBASE = http://216.249.24.62/code/iPIX-ImageWell-ipix.cab

»»»»»»»»»»»»»»»»»»»» Files / Folders Created Within 30 Days »»»»»»»»»»»»»

C:\produses [Folder | Created Date = 5/6/2007 2:45:22 PM | Attr = ]
C:\SDFix [Folder | Created Date = 5/24/2007 8:08:54 AM | Attr = ]
C:\winpfind [Folder | Created Date = 5/31/2007 7:59:12 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic [Folder | Created Date = 5/23/2007 1:12:19 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab [Folder | Created Date = 5/30/2007 12:08:19 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy [Folder | Created Date = 5/23/2007 1:43:02 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Yahoo! [Folder | Created Date = 5/23/2007 5:19:29 AM | Attr = ]
C:\Documents and Settings\helpdesk\Application Data\Macromedia [Folder | Created Date = 5/30/2007 12:03:06 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\SmartFTP Client.lnk [Ver = | Size = 2243 bytes | Created Date = 5/15/2007 3:38:24 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\kaspersky.html [Ver = | Size = 352630 bytes | Created Date = 5/30/2007 1:15:09 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\Silent Runners.vbs [Ver = | Size = 347253 bytes | Created Date = 5/31/2007 7:41:49 AM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\VirusTotal - smss.mht [Ver = | Size = 48785 bytes | Created Date = 5/30/2007 1:36:02 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\VirusTotal-mswsock.mht [Ver = | Size = 48788 bytes | Created Date = 5/30/2007 1:35:40 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\WinPFind [Folder | Created Date = 5/31/2007 7:59:19 AM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Created Date = 5/31/2007 7:41:55 AM | Attr = ]
C:\WINDOWS\$NtUninstallKB927891$ [Folder | Created Date = 5/24/2007 2:00:15 AM | Attr = H ]
C:\WINDOWS\BDOSCAN8 [Folder | Created Date = 5/23/2007 1:27:35 PM | Attr = ]
C:\WINDOWS\LastGood [Folder | Created Date = 5/30/2007 12:08:17 PM | Attr = ]
C:\WINDOWS\Minidump [Folder | Created Date = 5/23/2007 11:47:38 AM | Attr = ]
C:\WINDOWS\xampp [Folder | Created Date = 5/2/2007 1:24:28 PM | Attr = ]
C:\WINDOWS\System32\Kaspersky Lab [Folder | Created Date = 5/30/2007 12:08:18 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files / Folders Modified Within 30 Days »»»»»»»»»»»»»

C:\Documents and Settings [Folder | Modified Date = 5/21/2007 5:27:06 PM | Attr = ]
C:\flexlm [Folder | Modified Date = 5/30/2007 10:00:48 AM | Attr = ]
C:\produses [Folder | Modified Date = 5/31/2007 3:15:34 AM | Attr = ]
C:\Program Files [Folder | Modified Date = 5/23/2007 4:09:56 PM | Attr = R ]
C:\RECYCLER [Folder | Modified Date = 5/30/2007 1:04:48 PM | Attr = HS]
C:\SDFix [Folder | Modified Date = 5/14/2007 5:25:42 AM | Attr = ]
C:\WINDOWS [Folder | Modified Date = 5/30/2007 1:08:18 PM | Attr = ]
C:\winpfind [Folder | Modified Date = 5/31/2007 8:59:14 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic [Folder | Modified Date = 5/23/2007 2:12:20 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab [Folder | Modified Date = 5/30/2007 1:08:20 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy [Folder | Modified Date = 5/23/2007 3:26:00 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Yahoo! [Folder | Modified Date = 5/23/2007 6:19:30 AM | Attr = ]
C:\Documents and Settings\helpdesk\Application Data\Macromedia [Folder | Modified Date = 5/30/2007 1:03:08 PM | Attr = ]
C:\Documents and Settings\helpdesk\Application Data\Microsoft [Folder | Modified Date = 5/30/2007 1:08:00 PM | Attr = S]
C:\Documents and Settings\helpdesk\Local Settings\Application Data\IconCache.db [Ver = | Size = 2253000 bytes | Modified Date = 5/31/2007 8:45:52 AM | Attr = H ]
C:\Documents and Settings\helpdesk\Local Settings\Application Data\Microsoft [Folder | Modified Date = 5/30/2007 8:30:56 AM | Attr = S]
C:\Documents and Settings\helpdesk\My Documents\desktop.ini [Ver = | Size = 79 bytes | Modified Date = 5/30/2007 8:30:54 AM | Attr = HS]
C:\Documents and Settings\All Users\Desktop\SmartFTP Client.lnk [Ver = | Size = 2243 bytes | Modified Date = 5/24/2007 7:20:46 AM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\kaspersky.html [Ver = | Size = 352630 bytes | Modified Date = 5/30/2007 2:15:10 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\Silent Runners.vbs [Ver = | Size = 347253 bytes | Modified Date = 5/31/2007 8:36:48 AM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\VirusTotal - smss.mht [Ver = | Size = 48785 bytes | Modified Date = 5/30/2007 2:36:04 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\VirusTotal-mswsock.mht [Ver = | Size = 48788 bytes | Modified Date = 5/30/2007 2:35:42 PM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\WinPFind [Folder | Modified Date = 5/31/2007 8:59:20 AM | Attr = ]
C:\Documents and Settings\helpdesk\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Modified Date = 5/31/2007 8:36:48 AM | Attr = ]
C:\Program Files\Common Files\Symantec Shared [Folder | Modified Date = 5/15/2007 1:26:18 PM | Attr = ]
C:\WINDOWS\$hf_mig$ [Folder | Modified Date = 5/24/2007 3:00:16 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB927891$ [Folder | Modified Date = 5/24/2007 3:00:16 AM | Attr = H ]
C:\WINDOWS\BDOSCAN8 [Folder | Modified Date = 5/23/2007 2:57:46 PM | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 5/30/2007 10:00:42 AM | Attr = S]
C:\WINDOWS\BRWMARK.INI [Ver = | Size = 410 bytes | Modified Date = 5/30/2007 7:17:08 PM | Attr = ]
C:\WINDOWS\Config [Folder | Modified Date = 5/3/2007 10:09:42 PM | Attr = ]
C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 5/30/2007 1:08:20 PM | Attr = S]
C:\WINDOWS\imsins.BAK [Ver = | Size = 3376 bytes | Modified Date = 5/9/2007 3:01:02 AM | Attr = ]
C:\WINDOWS\inf [Folder | Modified Date = 5/30/2007 1:08:20 PM | Attr = ]
C:\WINDOWS\Installer [Folder | Modified Date = 5/15/2007 4:38:26 PM | Attr = HS]
C:\WINDOWS\LastGood [Folder | Modified Date = 5/30/2007 1:08:18 PM | Attr = ]
C:\WINDOWS\MEMORY.DMP [Ver = | Size = 107720704 bytes | Modified Date = 5/23/2007 12:47:36 PM | Attr = ]
C:\WINDOWS\Minidump [Folder | Modified Date = 5/23/2007 12:47:40 PM | Attr = ]
C:\WINDOWS\repair [Folder | Modified Date = 5/30/2007 10:52:22 PM | Attr = ]
C:\WINDOWS\system32 [Folder | Modified Date = 5/30/2007 10:54:28 PM | Attr = RHS]
C:\WINDOWS\Temp [Folder | Modified Date = 5/31/2007 1:40:26 AM | Attr = ]
C:\WINDOWS\xampp [Folder | Modified Date = 5/15/2007 6:30:08 AM | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 5/30/2007 1:13:18 PM | Attr = ]
C:\WINDOWS\System32\dllcache [Folder | Modified Date = 5/24/2007 3:07:12 AM | Attr = RHS]
C:\WINDOWS\System32\drivers [Folder | Modified Date = 5/23/2007 3:59:44 PM | Attr = ]
C:\WINDOWS\System32\Kaspersky Lab [Folder | Modified Date = 5/30/2007 1:08:20 PM | Attr = ]
C:\WINDOWS\System32\LServer [Folder | Modified Date = 5/30/2007 10:00:52 AM | Attr = ]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 63270 bytes | Modified Date = 5/30/2007 2:40:12 PM | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 426122 bytes | Modified Date = 5/30/2007 2:40:12 PM | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 496206 bytes | Modified Date = 5/30/2007 2:40:12 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
File scan skipped for file C:\WINDOWS\MEMORY.DMP. File size too big (107720704 bytes)
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[USERTRUST , ]C:\WINDOWS\System32\schema.ini ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()

< End of report >
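The "Created Within 30 Days" and "Modified Within 30 Days" listings in the report above can be merged into a per-path timeline. The following is an added example, not part of the original post or of WinPFind: the function names are hypothetical, and the 23 May 2007 cutoff is an assumption taken from the date of the first post in this topic.

```python
import re
from datetime import datetime

# Entries copied from the WinPFind report above (a subset, so this runs offline).
SAMPLE = r"""
C:\produses [Folder | Created Date = 5/6/2007 2:45:22 PM | Attr = ]
C:\SDFix [Folder | Created Date = 5/24/2007 8:08:54 AM | Attr = ]
C:\Documents and Settings\All Users\Desktop\SmartFTP Client.lnk [Ver = | Size = 2243 bytes | Created Date = 5/15/2007 3:38:24 PM | Attr = ]
C:\WINDOWS\xampp [Folder | Created Date = 5/2/2007 1:24:28 PM | Attr = ]
C:\produses [Folder | Modified Date = 5/31/2007 3:15:34 AM | Attr = ]
C:\SDFix [Folder | Modified Date = 5/14/2007 5:25:42 AM | Attr = ]
C:\WINDOWS\xampp [Folder | Modified Date = 5/15/2007 6:30:08 AM | Attr = ]
"""

# path [Folder | <Created|Modified> Date = ts | Attr = x]
# path [Ver = v | Size = n bytes | <Created|Modified> Date = ts | Attr = x]
ENTRY = re.compile(
    r"^(.+?) \[(?:Folder|Ver =[^|]*?)\s*\|(?:\s*Size = \d+ bytes \|)?"
    r"\s*(Created|Modified) Date = (.+?) \| Attr = [^\]]*\]$"
)
FMT = "%m/%d/%Y %I:%M:%S %p"


def parse(report):
    """Return {path: {"Created": datetime, "Modified": datetime}}."""
    items = {}
    for line in report.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # banners and blank lines do not match and are skipped
            path, field, ts = m.groups()
            items.setdefault(path, {})[field] = datetime.strptime(ts, FMT)
    return items


def created_before(items, cutoff):
    """Paths created before `cutoff`, oldest first (already present at that time)."""
    hits = [(t["Created"], p) for p, t in items.items()
            if "Created" in t and t["Created"] < cutoff]
    return [p for _, p in sorted(hits)]


def modified_before_created(items):
    """Paths whose Modified time predates Created: typically copied or unpacked."""
    return sorted(p for p, t in items.items()
                  if {"Created", "Modified"} <= t.keys() and t["Modified"] < t["Created"])


if __name__ == "__main__":
    items = parse(SAMPLE)
    print(created_before(items, datetime(2007, 5, 23)))  # assumed cutoff: first post date
    print(modified_before_created(items))
```

A path in the first list only predates the cutoff; whether it belongs on the server still has to be checked by whoever administers it.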

#13 RichieUK

Posted 12 June 2007 - 01:39 AM

Click Start/Run, type regedit and click OK.
Navigate to and delete these values in bold text:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
= winupdate[1].exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
= winupdate[1].exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "winupdate[1].exe"

Had someone reboot the server into safe mode & tried to remove the "file missing entries".

Those services need stopping first, but do not delete any.
Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find each one of those services.
Double click on each [one at a time].
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type' to 'Disabled'.
Now press Apply and then Ok.

When you've done, restart the machine, then post a new HijackThis log into your next reply.
Let me know how it's going now.

Edited by RichieUK, 12 June 2007 - 01:39 AM.


#14 krajewskil

Posted 20 June 2007 - 03:38 PM

Hi Richie,

Sorry it's taken so long to get back to you. Here's the status:

Regarding the "missing file"/system services, almost all of those are required. I disabled the ones I could and made a list of the ones I didn't. I'd include that list, but at the moment I think the point is moot.

During the process, someone got back onto the server, reinstalled Yahoo Messenger, Perfect Keylogger, and BitTorrent which was downloading ProRat2. I also found an earlier version of ProRat on the Desktop along with a couple of mass e-mailers and some other hack tools. I've uninstalled the above programs, had users change their passwords, and blocked all outside access to the server at their router. (That'll suck for the company that maintains their software. Oh well.)

Given this latest turn of events, it looks like the best course of action is to start at square one with the standard virus/spyware scans, etc. Any thoughts on your end?

--Leo

#15 RichieUK

Posted 20 June 2007 - 05:08 PM

it looks like the best course of action is to start at square one with the standard virus/spyware scans, etc

Sounds good to me :thumbsup:

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into your next reply.

-----------------------------------------------

Run this online virus scan: Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Post the Activescan report in your next reply.
Also post a new Hijackthis log please.