18th November 2007
#1
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
adware.ezula issue, HijackThis log posted
Hello again,
This forum has been a great help with one infected system. We have another that is less critical but has a potentially serious spyware infection. This is showing up as adware.ezula in the Symantec AntiVirus scan, but we can't get rid of it via Symantec. Here is the HijackThis log as of this afternoon:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:34 PM, on 11/18/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\scdeybvw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\System32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\rhoxfmcr.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/port...redSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/port.../mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = 65GW2003.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 12883 bytes
Additional info: this is a Windows 2003 Server R2 SP2 with Terminal Services; all functionality appears correct with the exception of the finding of this adware and erratic Internet Explorer behavior. The system is fully backed up using Symantec Backup Exec, and we have removed other viruses and spyware that were infecting this system around the same time using Symantec AntiVirus and Spybot. Thanks for the help!
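A triage pass over HijackThis lines like the ones in the log above, as an added example (my code, not a HijackThis feature and not something posted in this thread). It parses O3, O4 and O10 lines and flags the four things a reviewer would pick out of this log: a Run value named with a random hex string, a DLL in system32 with a generated-looking eight-letter name launched through rundll32, a toolbar CLSID that points at no file, and a broken Winsock LSP chain. The sample lines are copied from the log above; the consonant-run heuristic and the rules themselves are my assumptions, a starting point for a human review rather than a verdict.

```python
import re

# Triage input: lines copied from the HijackThis log above. The ccApp, Adobe
# toolbar, SYSTEM and VNC entries are known-good controls; the rest are the
# entries a reviewer would want flagged.
SAMPLE_LINES = [
    r"O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll",
    r"O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\rhoxfmcr.dll",b',
    r"O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot",
    r"O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')",
    r"O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing",
    r"O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe",
]

# "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Any drive-letter path ending in .exe or .dll, stopping at a quote or comma.
PATH_RE = re.compile(r'''[A-Za-z]:\\[^"',]+?\.(?:exe|dll)''', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")


def looks_random(stem):
    """Heuristic (my assumption) for generated names such as rhoxfmcr or
    scdeybvw: exactly eight lowercase letters containing a run of three or
    more consonants. Crude, but it leaves winlogon, userinit and inetinfo
    alone."""
    return (re.fullmatch(r"[a-z]{8}", stem) is not None
            and re.search(r"[^aeiou]{3}", stem) is not None)


def binaries_in(command):
    """Return (path, lower-case stem) for every .exe/.dll path in a command."""
    out = []
    for path in PATH_RE.findall(command):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        out.append((path, stem.lower()))
    return out


def triage(lines):
    """Return [(line, [reason, ...])] for every line that trips a rule."""
    findings = []
    for line in lines:
        line = line.rstrip()
        reasons = []
        if line.startswith("O3 - ") and line.endswith("(no file)"):
            reasons.append("toolbar CLSID registered but its DLL is missing or hidden")
        elif line.startswith("O10 - Broken Internet access"):
            reasons.append("Winsock LSP chain is broken; repair it before trusting network-based tools")
        else:
            m = O4_RE.match(line)
            if m:
                if HEX_NAME_RE.match(m.group("name")):
                    reasons.append("Run value named with a random hex string")
                for path, stem in binaries_in(m.group("cmd")):
                    if "\\system32\\" in path.lower() and looks_random(stem):
                        reasons.append("random-named binary in system32: " + path)
                if "rundll32.exe" in m.group("cmd").lower() and reasons:
                    reasons.append("loaded via rundll32, so it has no process of its own in the task list")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LINES):
        print(flagged)
        for r in why:
            print("    ->", r)
```

The heuristic is deliberately narrow: it only matches the eight-letter names this family generates, so a real review still has to read the O23 service list and the O16 DPF entries by hand.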
18th November 2007
#2
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Ughhh ......... you've got one of the latest nasties, and it's a PITA. Let's see what we can do with it.
Again, where servers are concerned, I recommend a fresh image in the event of system failure. Most of these tools have little testing in server environments, so we can't always be sure of the outcome. Be sure to disconnect all client sessions and exit non-essential programs.
Uninstall SpywareBot. It's a rogue antispyware application.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
Reboot.
Download VundoFix by Atribune, saving it to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Then, download ComboFix by sUBs from here, saving the file to your desktop.
Close all open programs and windows.
Double-click combofix.exe and follow the prompts.
When finished, it will open a log for you. Post that log, the C:\VundoFix.txt log and a new HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
19th November 2007
#3
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
ComboFix log
ComboFix 07-11-08.3 - administrator 2007-11-19 10:43:26.1 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.3229 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\65gsupport\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator.65GW2003\Favorites\Online Security Guide.lnk
C:\Documents and Settings\hairfielda\Favorites\Online Security Guide.lnk
C:\Documents and Settings\hairfieldm\Favorites\Online Security Guide.lnk
C:\Documents and Settings\spitzj\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aocifdjv.dll
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pcmssnen.dllbox
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\qstwa.bak2
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\qstwa.tmp
C:\WINDOWS\system32\vjdficoa.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.
2007-11-19 10:43 145,984 --a------ C:\WINDOWS\system32\pcmssnen.dll
2007-11-19 10:42 <DIR> d-------- C:\Temp\combfix
2007-11-19 10:42 145,984 --a------ C:\WINDOWS\system32\rljqnpit.dll
2007-11-19 10:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-19 10:40 71,232 --a------ C:\WINDOWS\system32\rptphqtm.exe
2007-11-19 10:30 71,232 --a------ C:\WINDOWS\system32\udvndlir.exe
2007-11-19 10:28 <DIR> d-------- C:\VundoFix Backups
2007-11-19 10:27 118,272 --a------ C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe
2007-11-19 08:53 85,056 --a------ C:\WINDOWS\system32\alfehlaa.dll
2007-11-19 08:53 71,232 --a------ C:\WINDOWS\system32\rulqrxij.exe
2007-11-19 08:50 71,232 --a------ C:\WINDOWS\system32\pipsjnel.exe
2007-11-19 08:15 71,232 --a------ C:\WINDOWS\system32\idyvykee.exe
2007-11-19 07:57 71,232 --a------ C:\WINDOWS\system32\ybphpewf.exe
2007-11-18 19:59 71,232 --a------ C:\WINDOWS\system32\rmdhtmnd.exe
2007-11-18 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 13:16 71,232 --a------ C:\WINDOWS\system32\rkksgdus.exe
2007-11-17 19:59 71,232 --a------ C:\WINDOWS\system32\uxgmonco.exe
2007-11-16 19:59 71,232 --a------ C:\WINDOWS\system32\bwbayumi.exe
2007-11-15 19:59 71,232 --a------ C:\WINDOWS\system32\rdlkaqnk.exe
2007-11-15 07:56 71,232 --a------ C:\WINDOWS\system32\iucgtedb.exe
2007-11-14 19:56 71,232 --a------ C:\WINDOWS\system32\fjtnxgnc.exe
2007-11-14 16:53 71,232 --a------ C:\WINDOWS\system32\gbilfyeh.exe
2007-11-14 16:22 71,232 --a------ C:\WINDOWS\system32\cnyefinv.exe
2007-11-14 15:21 71,232 --a------ C:\WINDOWS\system32\tttpohgh.exe
2007-11-13 09:25 71,232 --a------ C:\WINDOWS\system32\nerkwrfy.exe
2007-11-13 08:22 <DIR> d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-12 09:26 71,232 --a------ C:\WINDOWS\system32\wrxolinr.exe
2007-11-12 09:19 71,232 --a------ C:\WINDOWS\system32\qmkrkypk.exe
2007-11-12 09:10 71,232 --a------ C:\WINDOWS\system32\oyksensg.exe
2007-11-12 09:06 71,232 --a------ C:\WINDOWS\system32\meiuvntb.exe
2007-11-12 09:03 71,232 --a------ C:\WINDOWS\system32\ilqelqim.exe
2007-11-12 09:01 71,232 --a------ C:\WINDOWS\system32\bttmmtrf.exe
2007-11-09 08:04 71,232 --a------ C:\WINDOWS\system32\kjluojcv.exe
2007-11-08 18:20 71,232 --a------ C:\WINDOWS\system32\aqwqlkvi.exe
2007-11-08 14:17 71,232 --a------ C:\WINDOWS\system32\jdpoukfa.exe
2007-11-08 13:37 <DIR> d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-08 13:31 71,232 --a------ C:\WINDOWS\system32\psblqyul.exe
2007-11-08 06:58 71,232 --a------ C:\WINDOWS\system32\xpaiagtx.exe
2007-11-07 20:57 71,232 --a------ C:\WINDOWS\system32\exrtorir.exe
2007-11-07 20:45 71,232 --a------ C:\WINDOWS\system32\kpnycsdr.exe
2007-11-07 19:55 71,232 --a------ C:\WINDOWS\system32\ubnpubsn.exe
2007-11-07 19:11 71,232 --a------ C:\WINDOWS\system32\tvgxjffu.exe
2007-11-07 19:10 8,706,680 --a------ C:\Temp\Windows-KB890830-V1.34.exe
2007-11-07 18:10 71,232 --a------ C:\WINDOWS\system32\btglcsyy.exe
2007-11-07 17:53 71,232 --a------ C:\WINDOWS\system32\scdeybvw.exe
2007-11-07 16:47 <DIR> d-------- C:\Temp\symantec
2007-11-07 14:52 71,232 --a------ C:\WINDOWS\system32\oyeoidoj.exe
2007-11-07 13:43 71,232 --a------ C:\WINDOWS\system32\mwarisdc.exe
2007-11-07 13:33 71,232 --a------ C:\WINDOWS\system32\qssqycex.exe
2007-11-07 13:33 71,232 --a------ C:\WINDOWS\system32\pctlyrck.exe
2007-11-07 12:36 71,232 --a------ C:\WINDOWS\system32\ptrefreb.exe
2007-11-07 11:41 <DIR> d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 11:19 71,232 --a------ C:\WINDOWS\system32\bqjieohr.exe
2007-11-07 10:08 71,232 --a------ C:\WINDOWS\system32\tnsygsok.exe
2007-11-07 09:00 71,232 --a------ C:\WINDOWS\system32\dtppnphn.exe
2007-11-07 08:56 71,232 --a------ C:\WINDOWS\system32\ocnlrxrd.exe
2007-11-07 08:56 22,016 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-07 08:56 22,016 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-06 13:57 71,232 --a------ C:\WINDOWS\system32\sawdptix.exe
2007-11-06 08:24 87,104 --a------ C:\WINDOWS\system32\xjpynghw.dll
2007-11-05 08:12 85,568 --a------ C:\WINDOWS\system32\cwntlius.dll
2007-11-04 13:20 86,080 --a------ C:\WINDOWS\system32\uwwixadt.dll
2007-11-04 13:13 <DIR> d-------- C:\Temp\dup1_tmp
2007-11-04 12:50 86,080 --a------ C:\WINDOWS\system32\mdbjcsdu.dll
2007-11-04 12:44 <DIR> d-------- C:\Temp\PE1850_BIOS_WIN_A06
2007-11-04 12:44 6,656 --a------ C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 12:42 86,080 --a------ C:\WINDOWS\system32\wjwiubjs.dll
2007-11-04 12:21 86,080 --a------ C:\WINDOWS\system32\plfhggnj.dll
2007-11-04 11:59 86,080 --a------ C:\WINDOWS\system32\govytbts.dll
2007-11-04 11:42 <DIR> d-------- C:\Temp\Dell
2007-11-04 11:42 86,016 --a------ C:\WINDOWS\system32\DellSPMsg.dll
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30 <DIR> d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-01 15:42 <DIR> d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-10-29 13:27 <DIR> d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-24 16:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29 255 --------- C:\ietempdel.bat
2007-10-21 17:16 <DIR> d-------- C:\Temp\windows software removal tool
2007-10-21 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-21 11:53 <DIR> d-------- C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 09:50 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-10-21 09:49 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-20 12:50 <DIR> d---s---- C:\Documents and Settings\65gsupport\UserData
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-20 12:43 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-19 10:20 <DIR> d-------- C:\Documents and Settings\estesn\WINDOWS
2007-10-19 10:20 <DIR> d-------- C:\Documents and Settings\donaldsong\WINDOWS
2007-10-19 10:20 <DIR> d-------- C:\Documents and Settings\booneg\WINDOWS
2007-10-19 10:19 <DIR> d-------- C:\Documents and Settings\willeyr\WINDOWS
2007-10-19 10:19 <DIR> d-------- C:\Documents and Settings\davismo\WINDOWS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 15:49 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-04 16:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 16:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-30 22:09 --------- d-----w C:\Program Files\Solarwinds
2007-09-11 12:17 914 ------w C:\Documents and Settings\spitzj\SDM-2.3.2-1811-c181x-advipservicesk9-mz.124-6.T7.bin
2007-09-06 20:32 1,150 ------w C:\Documents and Settings\spitzj\SDM-2.3.1-1811-c181x-adventerprisek9-mz.124-6.T2.bin
2007-09-05 21:27 726 ------w C:\Documents and Settings\spitzj\SDM-2.2-1811-c181x-advipservicesk9-mz.124-2.XA.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03AD7A3A-3E67-4D64-8EFE-4317E909A461}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A42CB8-0D3E-45A9-ADFF-2AE544967C47}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D77A72C-0FA8-4A3C-B537-83A2A422644B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DFB38C8-6986-4015-A66D-E34D5277A00A}]
C:\Program Files\Windows NT\mevoxud4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320403C7-EAEA-493E-A64E-6B40D1AE1B70}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405182E5-6B8E-4518-058C-1FB7E488191F}]
C:\Program Files\WindowsUpdate\quharefow.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51A1820E-A937-4F00-974D-926A912D31EE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55E52BAE-BB19-4476-91A0-F9545AD662BA}]
C:\Program Files\Windows NT\mevoxud83122.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{571E9CE8-22CB-4436-A8F1-25B05DA73D26}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CD19969-E60B-4FAC-B15B-388E94A0C84F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D7043D-106A-4F87-948D-CA2A01996550}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78B66DF6-32BA-4FD5-89E0-E67F996627ED}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{958EE684-C2B5-4E4C-8B03-03231F0BA4DE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95ED77C1-A655-464A-8666-81353927343C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A842DAFC-FB78-4E50-AD07-308304B61F37}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-19 10:43 145984 --a------ C:\WINDOWS\system32\pcmssnen.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9D5AFAB-2A60-4572-A81A-618743CFC9D3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA70BA15-4AC5-405E-B405-56C294DB01D9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0F1141D-0FBA-4753-8FD5-A23CC3295A0C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA034E38-D5CF-4A6E-A216-9DB0185F6CF6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB2644D1-6428-4E1E-9915-3DAD71000512}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pcmssnen.dll [2007-11-19 10:43 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0"="E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM"="E:\Program Files\SpyNoMore\SNM.exe" []
"602fd3b5"="C:\WINDOWS\system32\alfehlaa.dll" [2007-11-19 08:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
"<NO NAME>"=
"O2K3ProfileSettings"="E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" /r C:\Policies\o2k3ProfileSettings.ops /q
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcmssnen]
pcmssnen.dll 2007-11-19 10:43 145984 C:\WINDOWS\system32\pcmssnen.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtsq.dll
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"
R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R0 VSP;Volume Snapshot Provider;C:\WINDOWS\system32\DRIVERS\vsp.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 MSSEARCH;Microsoft Search;"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"
R2 TIAccountManagementService80;Track-It! 8.0 Account Management Service;"e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe"
R2 TIConfiguration;Track-It! Configuration;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe"
R2 TIDashboardMonitor;Track-It! Dashboard Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe"
R2 TIFileStorage;Track-It! File Storage;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe"
R2 TIMonitor;Track-It! Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe"
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe
R2 TISearch;Track-It! Search;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe"
R2 TIServerServices80;Track-It! 8.0 Monitor Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe /StartService
R2 TISoftwareLicensingMonitor;Track-It! Software Licensing Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe"
R2 TISystemNotificationMonitor;Track-It! System Notification Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe"
R2 TIWorkOrderMonitor;Track-It! Work Order Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe"
R2 UserSyncService80;Track-It! 8.0 User Synchronization Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe /StartService
R3 dcdbas;System Management Driver;C:\WINDOWS\system32\DRIVERS\dcdbas32.sys
R3 racser;racser;C:\WINDOWS\system32\DRIVERS\rac4ser.sys
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 SmaRTIndexServer;SmaRTIndexServer;e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S4 AmdIde;AmdIde;C:\WINDOWS\system32\drivers\AmdIde.sys
S4 arc;arc;C:\WINDOWS\system32\drivers\arc.sys
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 hpcisss;hpcisss;C:\WINDOWS\system32\drivers\hpcisss.sys
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 10:49:52
Windows 5.2.3790 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-19 10:50:21 - machine was rebooted
.
--- E O F ---
19th November 2007
#4
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
vundofix log
VundoFix V6.6.2
Checking Java version...
Sun Java not detected
Scan started at 10:28:52 AM 11/19/2007
Listing files found while scanning....
C:\WINDOWS\system32\foyqmrxc.dll
C:\windows\system32\nsfpihtg.dllbox
C:\windows\system32\xzydqxek.dllbox
Beginning removal...
Attempting to delete C:\windows\system32\nsfpihtg.dllbox
C:\windows\system32\nsfpihtg.dllbox Has been deleted!
Attempting to delete C:\windows\system32\xzydqxek.dllbox
C:\windows\system32\xzydqxek.dllbox Has been deleted!
Performing Repairs to the registry.
Done!
19th November 2007
#5
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51, on 2007-11-19
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {03AD7A3A-3E67-4D64-8EFE-4317E909A461} - (no file)
O2 - BHO: (no name) - {05A42CB8-0D3E-45A9-ADFF-2AE544967C47} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D77A72C-0FA8-4A3C-B537-83A2A422644B} - (no file)
O2 - BHO: (no name) - {2DFB38C8-6986-4015-A66D-E34D5277A00A} - C:\Program Files\Windows NT\mevoxud4444.dll (file missing)
O2 - BHO: (no name) - {320403C7-EAEA-493E-A64E-6B40D1AE1B70} - (no file)
O2 - BHO: (no name) - {3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130} - (no file)
O2 - BHO: 0 - {405182E5-6B8E-4518-058C-1FB7E488191F} - C:\Program Files\WindowsUpdate\quharefow.dll (file missing)
O2 - BHO: (no name) - {51A1820E-A937-4F00-974D-926A912D31EE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55E52BAE-BB19-4476-91A0-F9545AD662BA} - C:\Program Files\Windows NT\mevoxud83122.dll (file missing)
O2 - BHO: (no name) - {571E9CE8-22CB-4436-A8F1-25B05DA73D26} - (no file)
O2 - BHO: (no name) - {5CD19969-E60B-4FAC-B15B-388E94A0C84F} - (no file)
O2 - BHO: (no name) - {5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF} - (no file)
O2 - BHO: (no name) - {69D7043D-106A-4F87-948D-CA2A01996550} - (no file)
O2 - BHO: (no name) - {78B66DF6-32BA-4FD5-89E0-E67F996627ED} - (no file)
O2 - BHO: (no name) - {958EE684-C2B5-4E4C-8B03-03231F0BA4DE} - (no file)
O2 - BHO: (no name) - {95ED77C1-A655-464A-8666-81353927343C} - (no file)
O2 - BHO: (no name) - {A842DAFC-FB78-4E50-AD07-308304B61F37} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
O2 - BHO: (no name) - {A9D5AFAB-2A60-4572-A81A-618743CFC9D3} - (no file)
O2 - BHO: (no name) - {AA70BA15-4AC5-405E-B405-56C294DB01D9} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE} - (no file)
O2 - BHO: (no name) - {D0F1141D-0FBA-4753-8FD5-A23CC3295A0C} - (no file)
O2 - BHO: (no name) - {DA034E38-D5CF-4A6E-A216-9DB0185F6CF6} - (no file)
O2 - BHO: (no name) - {FB2644D1-6428-4E1E-9915-3DAD71000512} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\alfehlaa.dll",b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/port...redSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/port.../mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O20 - Winlogon Notify: pcmssnen - pcmssnen.dll (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 14422 bytes
20th November 2007
#6
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Scan again with HijackThis and place a check next to the following entries, close all other windows then click Fix Checked.
O2 - BHO: (no name) - {03AD7A3A-3E67-4D64-8EFE-4317E909A461} - (no file)
O2 - BHO: (no name) - {05A42CB8-0D3E-45A9-ADFF-2AE544967C47} - (no file)
O2 - BHO: (no name) - {2D77A72C-0FA8-4A3C-B537-83A2A422644B} - (no file)
O2 - BHO: (no name) - {2DFB38C8-6986-4015-A66D-E34D5277A00A} - C:\Program Files\Windows NT\mevoxud4444.dll (file missing)
O2 - BHO: (no name) - {320403C7-EAEA-493E-A64E-6B40D1AE1B70} - (no file)
O2 - BHO: (no name) - {3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130} - (no file)
O2 - BHO: 0 - {405182E5-6B8E-4518-058C-1FB7E488191F} - C:\Program Files\WindowsUpdate\quharefow.dll (file missing)
O2 - BHO: (no name) - {51A1820E-A937-4F00-974D-926A912D31EE} - (no file)
O2 - BHO: (no name) - {55E52BAE-BB19-4476-91A0-F9545AD662BA} - C:\Program Files\Windows NT\mevoxud83122.dll (file missing)
O2 - BHO: (no name) - {571E9CE8-22CB-4436-A8F1-25B05DA73D26} - (no file)
O2 - BHO: (no name) - {5CD19969-E60B-4FAC-B15B-388E94A0C84F} - (no file)
O2 - BHO: (no name) - {5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF} - (no file)
O2 - BHO: (no name) - {69D7043D-106A-4F87-948D-CA2A01996550} - (no file)
O2 - BHO: (no name) - {78B66DF6-32BA-4FD5-89E0-E67F996627ED} - (no file)
O2 - BHO: (no name) - {958EE684-C2B5-4E4C-8B03-03231F0BA4DE} - (no file)
O2 - BHO: (no name) - {95ED77C1-A655-464A-8666-81353927343C} - (no file)
O2 - BHO: (no name) - {A842DAFC-FB78-4E50-AD07-308304B61F37} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
O2 - BHO: (no name) - {A9D5AFAB-2A60-4572-A81A-618743CFC9D3} - (no file)
O2 - BHO: (no name) - {AA70BA15-4AC5-405E-B405-56C294DB01D9} - (no file)
O2 - BHO: (no name) - {CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE} - (no file)
O2 - BHO: (no name) - {D0F1141D-0FBA-4753-8FD5-A23CC3295A0C} - (no file)
O2 - BHO: (no name) - {DA034E38-D5CF-4A6E-A216-9DB0185F6CF6} - (no file)
O2 - BHO: (no name) - {FB2644D1-6428-4E1E-9915-3DAD71000512} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\alfehlaa.dll",b
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O20 - Winlogon Notify: pcmssnen - pcmssnen.dll (file missing)
Close HijackThis.
Download Deckard's System Scanner (dss.exe) and save it to your desktop. Close all applications and windows.
Double click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post the contents of main.txt only for now.
20th November 2007
#7
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
Deckard's main.txt log part 1
Deckard's System Scanner v20071014.68
Run by administrator on 2007-11-20 00:06:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:06, on 2007-11-20
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator.65GW2003\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\administrator.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/port...redSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/port.../mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O20 - Winlogon Notify: pcmssnen - pcmssnen.dll (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 12417 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20071120-000401-108 O2 - BHO: (no name) - {CC62A6CC-CB14-4BD4-8F29-EFDB9631C9FE} - (no file)
backup-20071120-000401-110 O2 - BHO: (no name) - {571E9CE8-22CB-4436-A8F1-25B05DA73D26} - (no file)
backup-20071120-000401-117 O2 - BHO: (no name) - {55E52BAE-BB19-4476-91A0-F9545AD662BA} - C:\Program Files\Windows NT\mevoxud83122.dll (file missing)
backup-20071120-000401-125 O2 - BHO: (no name) - {69D7043D-106A-4F87-948D-CA2A01996550} - (no file)
backup-20071120-000401-144 O4 - HKLM\..\Run: [602fd3b5] rundll32.exe "C:\WINDOWS\system32\alfehlaa.dll",b
backup-20071120-000401-158 O2 - BHO: (no name) - {AA70BA15-4AC5-405E-B405-56C294DB01D9} - (no file)
backup-20071120-000401-159 O2 - BHO: (no name) - {320403C7-EAEA-493E-A64E-6B40D1AE1B70} - (no file)
backup-20071120-000401-170 O2 - BHO: (no name) - {05A42CB8-0D3E-45A9-ADFF-2AE544967C47} - (no file)
backup-20071120-000401-249 O2 - BHO: 0 - {405182E5-6B8E-4518-058C-1FB7E488191F} - C:\Program Files\WindowsUpdate\quharefow.dll (file missing)
backup-20071120-000401-253 O2 - BHO: (no name) - {03AD7A3A-3E67-4D64-8EFE-4317E909A461} - (no file)
backup-20071120-000401-286 O2 - BHO: (no name) - {FB2644D1-6428-4E1E-9915-3DAD71000512} - (no file)
backup-20071120-000401-343 O2 - BHO: (no name) - {DA034E38-D5CF-4A6E-A216-9DB0185F6CF6} - (no file)
backup-20071120-000401-345 O2 - BHO: (no name) - {2DFB38C8-6986-4015-A66D-E34D5277A00A} - C:\Program Files\Windows NT\mevoxud4444.dll (file missing)
backup-20071120-000401-386 O2 - BHO: (no name) - {A9D5AFAB-2A60-4572-A81A-618743CFC9D3} - (no file)
backup-20071120-000401-448 O2 - BHO: (no name) - {51A1820E-A937-4F00-974D-926A912D31EE} - (no file)
backup-20071120-000401-555 O2 - BHO: (no name) - {78B66DF6-32BA-4FD5-89E0-E67F996627ED} - (no file)
backup-20071120-000401-601 O2 - BHO: (no name) - {5F3C2A8B-02A4-4B3D-87AC-F6B9A000A8EF} - (no file)
backup-20071120-000401-617 O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
backup-20071120-000401-715 O2 - BHO: (no name) - {95ED77C1-A655-464A-8666-81353927343C} - (no file)
backup-20071120-000401-724 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pcmssnen.dll
backup-20071120-000401-796 O2 - BHO: (no name) - {958EE684-C2B5-4E4C-8B03-03231F0BA4DE} - (no file)
backup-20071120-000401-809 O2 - BHO: (no name) - {A842DAFC-FB78-4E50-AD07-308304B61F37} - (no file)
backup-20071120-000401-864 O2 - BHO: (no name) - {5CD19969-E60B-4FAC-B15B-388E94A0C84F} - (no file)
backup-20071120-000401-888 O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pcmssnen.dll
backup-20071120-000401-950 O2 - BHO: (no name) - {2D77A72C-0FA8-4A3C-B537-83A2A422644B} - (no file)
backup-20071120-000401-982 O2 - BHO: (no name) - {3A1FDB3C-9812-4B97-9D44-7BDD8A3DF130} - (no file)
backup-20071120-000401-991 O2 - BHO: (no name) - {D0F1141D-0FBA-4753-8FD5-A23CC3295A0C} - (no file)
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R3 catchme - c:\docume~1\admini~1.65g\locals~1\temp\catchme.sys (file missing)
S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 dcevt32 (DSM SA Event Manager) - "c:\program files\dell\sysmgt\dataeng\bin\dsm_sa_eventmgr32.exe" <Not Verified; Dell Inc.; Dell(R) Data Engine>
R2 dcstor32 (DSM SA Data Manager) - "c:\program files\dell\sysmgt\dataeng\bin\dsm_sa_datamgr32.exe" <Not Verified; Dell Inc.; Dell(R) Data Engine>
R2 mr2kserv - "c:\program files\dell\sysmgt\sm\mr2kserv.exe" <Not Verified; LSI Logic Corporation; mr2kserv>
R2 MSSEARCH (Microsoft Search) - "c:\program files\common files\system\mssearch\bin\mssearch.exe" <Not Verified; Microsoft Corporation; PKM>
R2 omsad (DSM SA Shared Services) - "c:\program files\dell\sysmgt\oma\bin\dsm_om_shrsvc32.exe" <Not Verified; Dell Inc.; Server Administrator>
R2 racsvc (Remote Access Controller 4 (RAC4)) - "c:\program files\dell\sysmgt\rac4\racsvc.exe" -startservice <Not Verified; Dell, Inc.; Remote Access Controller (RAC)>
R2 Server Administrator (DSM SA Connection Service) - "c:\program files\dell\sysmgt\iws\bin\win32\dsm_om_connsvc32.exe" <Not Verified; ; Server Administrator>
R2 TIAccountManagementService80 (Track-It! 8.0 Account Management Service) - "e:\program files\numara software\numara track-it! 8\web add-on\password reset\account management service\accountmanagementservice.exe" <Not Verified; Numara Software, Inc.; Track-It! Password Reset>
R2 TIConfiguration (Track-It! Configuration) - "e:\program files\numara software\numara track-it! 8\track-it! services\ticonfiguration.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIDashboardMonitor (Track-It! Dashboard Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tidashboardmonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIFileStorage (Track-It! File Storage) - "e:\program files\numara software\numara track-it! 8\track-it! services\tifilestorage.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIMonitor (Track-It! Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\timonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIRmtSvc (Track-It! Workstation Manager) - c:\windows\tiremote\tiremoteservice.exe <Not Verified; Numara Software, Inc.; Track-It! 8.0>
R2 TISearch (Track-It! Search) - "e:\program files\numara software\numara track-it! 8\track-it! services\tisearch.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIServerServices80 (Track-It! 8.0 Monitor Service) - e:\program files\numara software\numara track-it! 8\track-it! server\tiserverservices.exe /startservice <Not Verified; Numara Software, Inc.; Track-It! 8.0>
R2 TISoftwareLicensingMonitor (Track-It! Software Licensing Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tisoftwarelicensingmonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TISystemNotificationMonitor (Track-It! System Notification Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tisystemnotificationmonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 TIWorkOrderMonitor (Track-It! Work Order Monitor) - "e:\program files\numara software\numara track-it! 8\track-it! services\tiworkordermonitor.exe" <Not Verified; Numara Software, Inc.; Track-It!>
R2 UserSyncService80 (Track-It! 8.0 User Synchronization Service) - e:\program files\numara software\numara track-it! 8\track-it! server\user synch\bin\tiusersyncsvc.exe /startservice
S3 SmaRTIndexServer - e:\program files\numara software\numara track-it! 8\web add-on\smart\services\smartindexer.exe <Not Verified; Self-Service Technologies; SmartIndexer Service>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/1000 MT Network Connection
Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_016D1028&REV_05\5&C8E9BA0&0&400228
Manufacturer: Intel
Name: Intel(R) PRO/1000 MT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_016D1028&REV_05\5&C8E9BA0&0&400228
Service: E1000
-- Files created between 2007-10-20 and 2007-11-20 -----------------------------
2007-11-19 10:43:16 145984 -----n--- C:\WINDOWS\system32\pcmssnen.dll
2007-11-19 10:40:08 71232 --a------ C:\WINDOWS\system32\rptphqtm.exe <Not Verified; ; DDC>
2007-11-19 10:30:00 71232 --a------ C:\WINDOWS\system32\udvndlir.exe <Not Verified; ; DDC>
2007-11-19 10:28:52 0 d-------- C:\VundoFix Backups
2007-11-19 10:27:17 118272 --a------ C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2007-11-19 08:53:28 85056 -----n--- C:\WINDOWS\system32\alfehlaa.dll
2007-11-19 08:53:27 71232 --a------ C:\WINDOWS\system32\rulqrxij.exe <Not Verified; ; DDC>
2007-11-19 08:50:28 71232 --a------ C:\WINDOWS\system32\pipsjnel.exe <Not Verified; ; DDC>
2007-11-19 08:15:14 71232 --a------ C:\WINDOWS\system32\idyvykee.exe <Not Verified; ; DDC>
2007-11-19 07:57:10 71232 --a------ C:\WINDOWS\system32\ybphpewf.exe <Not Verified; ; DDC>
2007-11-18 19:59:33 71232 --a------ C:\WINDOWS\system32\rmdhtmnd.exe <Not Verified; ; DDC>
2007-11-18 13:17:27 0 d-------- C:\Program Files\Trend Micro
2007-11-18 13:16:46 71232 --a------ C:\WINDOWS\system32\rkksgdus.exe <Not Verified; ; DDC>
2007-11-17 19:59:33 71232 --a------ C:\WINDOWS\system32\uxgmonco.exe <Not Verified; ; DDC>
2007-11-16 19:59:32 71232 --a------ C:\WINDOWS\system32\bwbayumi.exe <Not Verified; ; DDC>
2007-11-15 19:59:31 71232 --a------ C:\WINDOWS\system32\rdlkaqnk.exe <Not Verified; ; DDC>
2007-11-15 07:56:31 71232 --a------ C:\WINDOWS\system32\iucgtedb.exe <Not Verified; ; DDC>
2007-11-14 19:56:52 71232 --a------ C:\WINDOWS\system32\fjtnxgnc.exe <Not Verified; ; DDC>
2007-11-14 16:53:36 71232 --a------ C:\WINDOWS\system32\gbilfyeh.exe <Not Verified; ; DDC>
2007-11-14 16:22:49 71232 --a------ C:\WINDOWS\system32\cnyefinv.exe <Not Verified; ; DDC>
2007-11-14 15:21:30 71232 --a------ C:\WINDOWS\system32\tttpohgh.exe <Not Verified; ; DDC>
2007-11-13 09:25:56 71232 --a------ C:\WINDOWS\system32\nerkwrfy.exe <Not Verified; ; DDC>
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\Templates
2007-11-13 08:22:13 0 dr------- C:\Documents and Settings\o'brienp\Start Menu
2007-11-13 08:22:13 0 dr-h----- C:\Documents and Settings\o'brienp\SendTo
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\Recent
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\PrintHood
2007-11-13 08:22:13 786432 -----n--- C:\Documents and Settings\o'brienp\NTUSER.DAT
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\NetHood
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\My Documents
2007-11-13 08:22:13 0 d--h----- C:\Documents and Settings\o'brienp\Local Settings
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\Favorites
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\Desktop
2007-11-13 08:22:13 0 d---s---- C:\Documents and Settings\o'brienp\Cookies
2007-11-13 08:22:13 0 dr-h----- C:\Documents and Settings\o'brienp\Application Data
2007-11-13 08:22:13 0 d---s---- C:\Documents and Settings\o'brienp\Application Data\Microsoft
2007-11-13 08:22:13 0 d-------- C:\Documents and Settings\o'brienp\Application Data\Identities
2007-11-12 09:26:03 71232 --a------ C:\WINDOWS\system32\wrxolinr.exe <Not Verified; ; DDC>
2007-11-12 09:19:25 71232 --a------ C:\WINDOWS\system32\qmkrkypk.exe <Not Verified; ; DDC>
2007-11-12 09:10:57 71232 --a------ C:\WINDOWS\system32\oyksensg.exe <Not Verified; ; DDC>
2007-11-12 09:06:11 71232 --a------ C:\WINDOWS\system32\meiuvntb.exe <Not Verified; ; DDC>
2007-11-12 09:03:42 71232 --a------ C:\WINDOWS\system32\ilqelqim.exe <Not Verified; ; DDC>
2007-11-12 09:01:45 71232 --a------ C:\WINDOWS\system32\bttmmtrf.exe <Not Verified; ; DDC>
2007-11-09 08:04:44 71232 --a------ C:\WINDOWS\system32\kjluojcv.exe <Not Verified; ; DDC>
2007-11-08 18:20:42 71232 --a------ C:\WINDOWS\system32\aqwqlkvi.exe <Not Verified; ; DDC>
2007-11-08 14:17:07 71232 --a------ C:\WINDOWS\system32\jdpoukfa.exe <Not Verified; ; DDC>
2007-11-08 13:37:34 0 d-------- C:\Documents and Settings\65gspam\Application Data\Identities
2007-11-08 13:37:16 0 d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\Templates
2007-11-08 13:37:12 0 dr------- C:\Documents and Settings\65gspam\Start Menu
2007-11-08 13:37:12 0 dr-h----- C:\Documents and Settings\65gspam\SendTo
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\Recent
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\PrintHood
2007-11-08 13:37:12 786432 ---h----- C:\Documents and Settings\65gspam\NTUSER.DAT
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\NetHood
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\My Documents
2007-11-08 13:37:12 0 d--h----- C:\Documents and Settings\65gspam\Local Settings
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\Favorites
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\Desktop
2007-11-08 13:37:12 0 d---s---- C:\Documents and Settings\65gspam\Cookies
2007-11-08 13:37:12 0 dr-h----- C:\Documents and Settings\65gspam\Application Data
2007-11-08 13:37:12 0 d---s---- C:\Documents and Settings\65gspam\Application Data\Microsoft
2007-11-08 13:37:12 0 d-------- C:\Documents and Settings\65gspam\Application Data\Macromedia
2007-11-08 13:31:30 71232 --a------ C:\WINDOWS\system32\psblqyul.exe <Not Verified; ; DDC>
2007-11-08 06:58:34 71232 --a------ C:\WINDOWS\system32\xpaiagtx.exe <Not Verified; ; DDC>
2007-11-07 20:57:49 71232 --a------ C:\WINDOWS\system32\exrtorir.exe <Not Verified; ; DDC>
2007-11-07 20:45:52 71232 --a------ C:\WINDOWS\system32\kpnycsdr.exe <Not Verified; ; DDC>
2007-11-07 20:45:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-07 19:55:15 71232 --a------ C:\WINDOWS\system32\ubnpubsn.exe <Not Verified; ; DDC>
2007-11-07 19:11:21 71232 --a------ C:\WINDOWS\system32\tvgxjffu.exe <Not Verified; ; DDC>
2007-11-07 18:10:32 71232 --a------ C:\WINDOWS\system32\btglcsyy.exe <Not Verified; ; DDC>
2007-11-07 17:53:09 71232 --a------ C:\WINDOWS\system32\scdeybvw.exe <Not Verified; ; DDC>
2007-11-07 14:52:10 71232 --a------ C:\WINDOWS\system32\oyeoidoj.exe <Not Verified; ; DDC>
2007-11-07 13:43:14 71232 --a------ C:\WINDOWS\system32\mwarisdc.exe <Not Verified; ; DDC>
2007-11-07 13:33:46 71232 --a------ C:\WINDOWS\system32\pctlyrck.exe <Not Verified; ; DDC>
2007-11-07 13:33:18 71232 --a------ C:\WINDOWS\system32\qssqycex.exe <Not Verified; ; DDC>
2007-11-07 12:36:53 71232 --a------ C:\WINDOWS\system32\ptrefreb.exe <Not Verified; ; DDC>
2007-11-07 11:42:10 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Application Data\Identities
2007-11-07 11:41:02 0 d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\Templates
2007-11-07 11:40:58 0 dr------- C:\Documents and Settings\atlantalocaldispatch\Start Menu
2007-11-07 11:40:58 0 dr-h----- C:\Documents and Settings\atlantalocaldispatch\SendTo
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\Recent
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\PrintHood
2007-11-07 11:40:58 786432 ---h----- C:\Documents and Settings\atlantalocaldispatch\NTUSER.DAT
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\NetHood
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\My Documents
2007-11-07 11:40:58 0 d--h----- C:\Documents and Settings\atlantalocaldispatch\Local Settings
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Favorites
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Desktop
2007-11-07 11:40:58 0 d---s---- C:\Documents and Settings\atlantalocaldispatch\Cookies
2007-11-07 11:40:58 0 dr-h----- C:\Documents and Settings\atlantalocaldispatch\Application Data
2007-11-07 11:40:58 0 d---s---- C:\Documents and Settings\atlantalocaldispatch\Application Data\Microsoft
2007-11-07 11:40:58 0 d-------- C:\Documents and Settings\atlantalocaldispatch\Application Data\Macromedia
2007-11-07 11:19:58 71232 --a------ C:\WINDOWS\system32\bqjieohr.exe <Not Verified; ; DDC>
2007-11-07 10:08:06 71232 --a------ C:\WINDOWS\system32\tnsygsok.exe <Not Verified; ; DDC>
2007-11-07 09:00:04 71232 --a------ C:\WINDOWS\system32\dtppnphn.exe <Not Verified; ; DDC>
2007-11-07 08:56:50 71232 --a------ C:\WINDOWS\system32\ocnlrxrd.exe <Not Verified; ; DDC>
2007-11-06 13:57:10 71232 --a------ C:\WINDOWS\system32\sawdptix.exe <Not Verified; ; DDC>
2007-11-06 08:24:02 87104 --a------ C:\WINDOWS\system32\xjpynghw.dll
2007-11-05 08:12:03 85568 --a------ C:\WINDOWS\system32\cwntlius.dll
2007-11-04 13:20:41 86080 --a------ C:\WINDOWS\system32\uwwixadt.dll
2007-11-04 12:50:56 86080 --a------ C:\WINDOWS\system32\mdbjcsdu.dll
2007-11-04 12:44:11 6656 --a------ C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 12:42:02 86080 --a------ C:\WINDOWS\system32\wjwiubjs.dll
2007-11-04 12:21:20 86080 --a------ C:\WINDOWS\system32\plfhggnj.dll
2007-11-04 11:59:38 86080 --a------ C:\WINDOWS\system32\govytbts.dll
20th November 2007
#8
Deckard's main.txt log part 2
2007-11-04 11:42:26 86016 --a------ C:\WINDOWS\system32\DellSPMsg.dll <Not Verified; Dell, Inc.; Change Management SDK>
2007-11-02 08:32:16 0 d-------- C:\Documents and Settings\coakleya\Application Data\Identities
2007-11-02 08:31:52 0 d-------- C:\Documents and Settings\campbelle\Application Data\Identities
2007-11-02 08:31:30 0 d-------- C:\Documents and Settings\hughesbi\Application Data\Identities
2007-11-02 08:31:11 0 d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\Templates
2007-11-02 08:31:07 0 dr------- C:\Documents and Settings\coakleya\Start Menu
2007-11-02 08:31:07 0 dr-h----- C:\Documents and Settings\coakleya\SendTo
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\Recent
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\PrintHood
2007-11-02 08:31:07 786432 ---h----- C:\Documents and Settings\coakleya\NTUSER.DAT
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\NetHood
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\My Documents
2007-11-02 08:31:07 0 d--h----- C:\Documents and Settings\coakleya\Local Settings
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\Favorites
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\Desktop
2007-11-02 08:31:07 0 d---s---- C:\Documents and Settings\coakleya\Cookies
2007-11-02 08:31:07 0 dr-h----- C:\Documents and Settings\coakleya\Application Data
2007-11-02 08:31:07 0 d---s---- C:\Documents and Settings\coakleya\Application Data\Microsoft
2007-11-02 08:31:07 0 d-------- C:\Documents and Settings\coakleya\Application Data\Macromedia
2007-11-02 08:31:01 0 d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\Templates
2007-11-02 08:30:57 0 dr------- C:\Documents and Settings\campbelle\Start Menu
2007-11-02 08:30:57 0 dr-h----- C:\Documents and Settings\campbelle\SendTo
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\Recent
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\PrintHood
2007-11-02 08:30:57 786432 ---h----- C:\Documents and Settings\campbelle\NTUSER.DAT
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\NetHood
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\My Documents
2007-11-02 08:30:57 0 d--h----- C:\Documents and Settings\campbelle\Local Settings
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\Favorites
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\Desktop
2007-11-02 08:30:57 0 d---s---- C:\Documents and Settings\campbelle\Cookies
2007-11-02 08:30:57 0 dr-h----- C:\Documents and Settings\campbelle\Application Data
2007-11-02 08:30:57 0 d---s---- C:\Documents and Settings\campbelle\Application Data\Microsoft
2007-11-02 08:30:57 0 d-------- C:\Documents and Settings\campbelle\Application Data\Macromedia
2007-11-02 08:30:54 0 d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\Templates
2007-11-02 08:30:49 0 dr------- C:\Documents and Settings\hughesbi\Start Menu
2007-11-02 08:30:49 0 dr-h----- C:\Documents and Settings\hughesbi\SendTo
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\Recent
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\PrintHood
2007-11-02 08:30:49 786432 ---h----- C:\Documents and Settings\hughesbi\NTUSER.DAT
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\NetHood
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\My Documents
2007-11-02 08:30:49 0 d--h----- C:\Documents and Settings\hughesbi\Local Settings
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\Favorites
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\Desktop
2007-11-02 08:30:49 0 d---s---- C:\Documents and Settings\hughesbi\Cookies
2007-11-02 08:30:49 0 dr-h----- C:\Documents and Settings\hughesbi\Application Data
2007-11-02 08:30:49 0 d---s---- C:\Documents and Settings\hughesbi\Application Data\Microsoft
2007-11-02 08:30:49 0 d-------- C:\Documents and Settings\hughesbi\Application Data\Macromedia
2007-11-01 15:42:56 0 d-------- C:\Documents and Settings\beckerc\Application Data\Identities
2007-11-01 15:42:34 0 d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\Templates
2007-11-01 15:42:30 0 dr------- C:\Documents and Settings\beckerc\Start Menu
2007-11-01 15:42:30 0 dr-h----- C:\Documents and Settings\beckerc\SendTo
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\Recent
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\PrintHood
2007-11-01 15:42:30 786432 ---h----- C:\Documents and Settings\beckerc\NTUSER.DAT
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\NetHood
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\My Documents
2007-11-01 15:42:30 0 d--h----- C:\Documents and Settings\beckerc\Local Settings
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\Favorites
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\Desktop
2007-11-01 15:42:30 0 d---s---- C:\Documents and Settings\beckerc\Cookies
2007-11-01 15:42:30 0 dr-h----- C:\Documents and Settings\beckerc\Application Data
2007-11-01 15:42:30 0 d---s---- C:\Documents and Settings\beckerc\Application Data\Microsoft
2007-11-01 15:42:30 0 d-------- C:\Documents and Settings\beckerc\Application Data\Macromedia
2007-10-29 13:30:06 0 d-------- C:\Documents and Settings\atcwvedi\Application Data\Identities
2007-10-29 13:27:40 0 d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-29 13:27:35 0 d-------- C:\Documents and Settings\atcwvedi\Application Data\Macromedia
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\Templates
2007-10-29 13:27:34 0 dr------- C:\Documents and Settings\atcwvedi\Start Menu
2007-10-29 13:27:34 0 dr-h----- C:\Documents and Settings\atcwvedi\SendTo
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\Recent
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\PrintHood
2007-10-29 13:27:34 524288 ---h----- C:\Documents and Settings\atcwvedi\NTUSER.DAT
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\NetHood
2007-10-29 13:27:34 0 d-------- C:\Documents and Settings\atcwvedi\My Documents
2007-10-29 13:27:34 0 d--h----- C:\Documents and Settings\atcwvedi\Local Settings
2007-10-29 13:27:34 0 d-------- C:\Documents and Settings\atcwvedi\Favorites
2007-10-29 13:27:34 0 d-------- C:\Documents and Settings\atcwvedi\Desktop
2007-10-29 13:27:34 0 d---s---- C:\Documents and Settings\atcwvedi\Cookies
2007-10-29 13:27:34 0 dr-h----- C:\Documents and Settings\atcwvedi\Application Data
2007-10-29 13:27:34 0 d---s---- C:\Documents and Settings\atcwvedi\Application Data\Microsoft
2007-10-24 16:54:19 0 d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29:22 255 -----n--- C:\ietempdel.bat
2007-10-22 08:39:34 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2007-10-21 11:53:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-21 11:53:02 0 d-------- C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 09:57:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 09:50:12 1152 --a------ C:\WINDOWS\system32\windrv.sys
2007-10-21 09:49:58 0 d-------- C:\Program Files\Common Files\Download Manager
2007-10-20 12:50:01 0 d---s---- C:\Documents and Settings\65gsupport\UserData
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\od2
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\ib1
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\cp1
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\bo2
2007-10-20 12:43:22 0 d-------- C:\WINDOWS\system32\ap1
-- Find3M Report ---------------------------------------------------------------
2007-11-19 10:49:06 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-14 16:35:37 0 d--h----- C:\Program Files\WindowsUpdate
2007-11-04 11:59:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-04 11:58:32 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-21 17:14:10 0 d-------- C:\Program Files\Common Files
2007-10-21 02:38:23 0 d-------- C:\Program Files\Windows NT
2007-09-30 17:09:00 0 d-------- C:\Program Files\Solarwinds
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-19 10:43 145984 --------- C:\WINDOWS\system32\pcmssnen.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pcmssnen.dll [2007-11-19 10:43 145984]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0"="E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM"="E:\Program Files\SpyNoMore\SNM.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
@=
"O2K3ProfileSettings"="E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" /r C:\Policies\o2k3ProfileSettings.ops /q
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcmssnen]
pcmssnen.dll 2007-11-19 10:43 145984 C:\WINDOWS\system32\pcmssnen.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtsq.dll
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0\0]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
-- End of Deckard's System Scanner: finished at 2007-11-20 02:07:11 ------------
21st November 2007
#9
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
First, delete the copy of VundoFix.exe you currently have and download a fresh one. Then delete the file C:\VundoFix.txt
Delete the following folders.
C:\WINDOWS\system32\od2
C:\WINDOWS\system32\ib1
C:\WINDOWS\system32\cp1
C:\WINDOWS\system32\bo2
C:\WINDOWS\system32\ap1
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;
Filename: vundofix.vft << make sure it's .vft and NOT .txt
Save As Type: All Files (*.*)
Code:
C:\WINDOWS\system32\pcmssnen.dll
C:\WINDOWS\system32\rptphqtm.exe
C:\WINDOWS\system32\udvndlir.exe
C:\WINDOWS\system32\alfehlaa.dll
C:\WINDOWS\system32\rulqrxij.exe
C:\WINDOWS\system32\pipsjnel.exe
C:\WINDOWS\system32\idyvykee.exe
C:\WINDOWS\system32\ybphpewf.exe
C:\WINDOWS\system32\rmdhtmnd.exe
C:\WINDOWS\system32\rkksgdus.exe
C:\WINDOWS\system32\uxgmonco.exe
C:\WINDOWS\system32\bwbayumi.exe
C:\WINDOWS\system32\rdlkaqnk.exe
C:\WINDOWS\system32\iucgtedb.exe
C:\WINDOWS\system32\fjtnxgnc.exe
C:\WINDOWS\system32\gbilfyeh.exe
C:\WINDOWS\system32\cnyefinv.exe
C:\WINDOWS\system32\tttpohgh.exe
C:\WINDOWS\system32\nerkwrfy.exe
C:\WINDOWS\system32\wrxolinr.exe
C:\WINDOWS\system32\qmkrkypk.exe
C:\WINDOWS\system32\oyksensg.exe
C:\WINDOWS\system32\meiuvntb.exe
C:\WINDOWS\system32\ilqelqim.exe
C:\WINDOWS\system32\bttmmtrf.exe
C:\WINDOWS\system32\kjluojcv.exe
C:\WINDOWS\system32\aqwqlkvi.exe
C:\WINDOWS\system32\jdpoukfa.exe
C:\WINDOWS\system32\psblqyul.exe
C:\WINDOWS\system32\xpaiagtx.exe
C:\WINDOWS\system32\exrtorir.exe
C:\WINDOWS\system32\kpnycsdr.exe
C:\WINDOWS\system32\ubnpubsn.exe
C:\WINDOWS\system32\tvgxjffu.exe
C:\WINDOWS\system32\btglcsyy.exe
C:\WINDOWS\system32\scdeybvw.exe
C:\WINDOWS\system32\oyeoidoj.exe
C:\WINDOWS\system32\mwarisdc.exe
C:\WINDOWS\system32\pctlyrck.exe
C:\WINDOWS\system32\qssqycex.exe
C:\WINDOWS\system32\ptrefreb.exe
C:\WINDOWS\system32\bqjieohr.exe
C:\WINDOWS\system32\tnsygsok.exe
C:\WINDOWS\system32\dtppnphn.exe
C:\WINDOWS\system32\ocnlrxrd.exe
C:\WINDOWS\system32\sawdptix.exe
C:\WINDOWS\system32\xjpynghw.dll
C:\WINDOWS\system32\cwntlius.dll
C:\WINDOWS\system32\uwwixadt.dll
C:\WINDOWS\system32\mdbjcsdu.dll
C:\WINDOWS\system32\wjwiubjs.dll
C:\WINDOWS\system32\plfhggnj.dll
C:\WINDOWS\system32\govytbts.dll
Close all other windows and programs.
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new dss log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Are you comfortable editing the registry, or would you rather I post formatted fixes?
Please go to jotti and upload the following two files for analysis. Copy the results and post them here.
C:\WINDOWS\system32\BiosMsg.dll
C:\WINDOWS\system32\windrv.sys
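Before editing the registry by hand, it helps to know which autostart values in the DSS registry dump point at files on the removal list (those values will be left dangling once VundoFix deletes the file) and which sensitive keys reference files the list does not cover. The script below is an added example, not part of the thread or of any of the tools used in it; it works on a constructed excerpt of the registry dump posted above and a subset of the vundofix.vft list, and assumes msv1_0 is the only stock LSA Authentication Package on Windows 2003.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Deckard's System Scanner registry dump posted
# earlier in this thread; the full dump has many more keys.
DSS_REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-19 10:43 145984 --------- C:\WINDOWS\system32\pcmssnen.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pcmssnen.dll [2007-11-19 10:43 145984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcmssnen]
pcmssnen.dll 2007-11-19 10:43 145984 C:\WINDOWS\system32\pcmssnen.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtsq.dll
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli
"""

# Subset of the vundofix.vft removal list from the post above (constructed input).
REMOVAL_LIST = [
    r"C:\WINDOWS\system32\pcmssnen.dll",
    r"C:\WINDOWS\system32\scdeybvw.exe",
    r"C:\WINDOWS\system32\alfehlaa.dll",
]

# Autostart locations worth a second look whatever they reference: Winlogon notify
# DLLs run inside winlogon.exe, BHOs inside every IE process, LSA packages inside lsass.exe.
SENSITIVE_KEYS = (
    r"winlogon\notify",
    r"browser helper objects",
    r"currentcontrolset\control\lsa",
)

# Assumption (see lead-in): the stock value of LSA "Authentication Packages" on Windows 2003.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

KEY_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]$")
# A drive-letter path, either "quoted" (may contain spaces) or bare (ends at whitespace).
PATH_RE = re.compile(r'"(?P<q>[A-Za-z]:\\[^"]+)"|(?P<u>[A-Za-z]:\\\S+)')
AUTH_PKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$', re.MULTILINE)


def parse_registry_dump(text):
    """Return (key, path) tuples for every file path the dump shows under each key."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None:
            continue
        for pm in PATH_RE.finditer(line):
            entries.append((current_key, pm.group("q") or pm.group("u")))
    return entries


def cross_reference(entries, removal_list):
    """Split entries into values pointing at files slated for removal (dangling once the
    file is gone) and values under sensitive keys that the removal list does not cover."""
    slated = {p.lower() for p in removal_list}
    dangling = defaultdict(list)   # lower-cased path -> keys referencing it
    review = defaultdict(list)
    for key, path in entries:
        lp = path.lower()
        if lp in slated:
            dangling[lp].append(key)
        elif any(s in key.lower() for s in SENSITIVE_KEYS):
            review[lp].append(key)
    return dict(dangling), dict(review)


def nondefault_auth_packages(text):
    """Entries in LSA 'Authentication Packages' beyond the stock set; each one is a
    DLL that lsass.exe loads at boot, so it survives deletion of the other files."""
    m = AUTH_PKG_RE.search(text)
    if not m:
        return []
    return [p for p in m.group("pkgs").split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


def report(text, removal_list):
    """Lines a responder would act on after VundoFix has run."""
    dangling, review = cross_reference(parse_registry_dump(text), removal_list)
    lines = []
    for path, keys in sorted(dangling.items()):
        lines.extend(f"DANGLING after removal: {key} -> {path}" for key in keys)
    for path, keys in sorted(review.items()):
        lines.extend(f"REVIEW (sensitive key, not on removal list): {key} -> {path}" for key in keys)
    lines.extend(f"NON-DEFAULT LSA authentication package: {pkg}" for pkg in nondefault_auth_packages(text))
    return lines


if __name__ == "__main__":
    print("\n".join(report(DSS_REGISTRY_DUMP, REMOVAL_LIST)))
```

The REVIEW bucket deliberately includes legitimate entries such as dimsntfy.dll; it is a list to check against a known-good baseline, not a verdict.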
21st November 2007
#10
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
new logs - vundo/biosmsg/windrv results
Vundofix.txt:
Beginning removal...
Attempting to delete C:\WINDOWS\system32\alfehlaa.dll
C:\WINDOWS\system32\alfehlaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\aqwqlkvi.exe
C:\WINDOWS\system32\aqwqlkvi.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\bqjieohr.exe
C:\WINDOWS\system32\bqjieohr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\btglcsyy.exe
C:\WINDOWS\system32\btglcsyy.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\bttmmtrf.exe
C:\WINDOWS\system32\bttmmtrf.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\bwbayumi.exe
C:\WINDOWS\system32\bwbayumi.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\cnyefinv.exe
C:\WINDOWS\system32\cnyefinv.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\cwntlius.dll
C:\WINDOWS\system32\cwntlius.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dtppnphn.exe
C:\WINDOWS\system32\dtppnphn.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\exrtorir.exe
C:\WINDOWS\system32\exrtorir.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\fjtnxgnc.exe
C:\WINDOWS\system32\fjtnxgnc.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\gbilfyeh.exe
C:\WINDOWS\system32\gbilfyeh.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\govytbts.dll
C:\WINDOWS\system32\govytbts.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\idyvykee.exe
C:\WINDOWS\system32\idyvykee.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilqelqim.exe
C:\WINDOWS\system32\ilqelqim.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\iucgtedb.exe
C:\WINDOWS\system32\iucgtedb.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\jdpoukfa.exe
C:\WINDOWS\system32\jdpoukfa.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjluojcv.exe
C:\WINDOWS\system32\kjluojcv.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\kpnycsdr.exe
C:\WINDOWS\system32\kpnycsdr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\mdbjcsdu.dll
C:\WINDOWS\system32\mdbjcsdu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\meiuvntb.exe
C:\WINDOWS\system32\meiuvntb.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\mwarisdc.exe
C:\WINDOWS\system32\mwarisdc.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\nerkwrfy.exe
C:\WINDOWS\system32\nerkwrfy.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ocnlrxrd.exe
C:\WINDOWS\system32\ocnlrxrd.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\oyeoidoj.exe
C:\WINDOWS\system32\oyeoidoj.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\oyksensg.exe
C:\WINDOWS\system32\oyksensg.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\pcmssnen.dll
C:\WINDOWS\system32\pcmssnen.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pctlyrck.exe
C:\WINDOWS\system32\pctlyrck.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\pipsjnel.exe
C:\WINDOWS\system32\pipsjnel.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\plfhggnj.dll
C:\WINDOWS\system32\plfhggnj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\psblqyul.exe
C:\WINDOWS\system32\psblqyul.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ptrefreb.exe
C:\WINDOWS\system32\ptrefreb.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\qmkrkypk.exe
C:\WINDOWS\system32\qmkrkypk.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\qssqycex.exe
C:\WINDOWS\system32\qssqycex.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\rdlkaqnk.exe
C:\WINDOWS\system32\rdlkaqnk.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\rkksgdus.exe
C:\WINDOWS\system32\rkksgdus.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\rmdhtmnd.exe
C:\WINDOWS\system32\rmdhtmnd.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\rptphqtm.exe
C:\WINDOWS\system32\rptphqtm.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\rulqrxij.exe
C:\WINDOWS\system32\rulqrxij.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\sawdptix.exe
C:\WINDOWS\system32\sawdptix.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\scdeybvw.exe
C:\WINDOWS\system32\scdeybvw.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\tnsygsok.exe
C:\WINDOWS\system32\tnsygsok.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\tttpohgh.exe
C:\WINDOWS\system32\tttpohgh.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\tvgxjffu.exe
C:\WINDOWS\system32\tvgxjffu.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ubnpubsn.exe
C:\WINDOWS\system32\ubnpubsn.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\udvndlir.exe
C:\WINDOWS\system32\udvndlir.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\uwwixadt.dll
C:\WINDOWS\system32\uwwixadt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uxgmonco.exe
C:\WINDOWS\system32\uxgmonco.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\wjwiubjs.dll
C:\WINDOWS\system32\wjwiubjs.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wrxolinr.exe
C:\WINDOWS\system32\wrxolinr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\xjpynghw.dll
C:\WINDOWS\system32\xjpynghw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xpaiagtx.exe
C:\WINDOWS\system32\xpaiagtx.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ybphpewf.exe
C:\WINDOWS\system32\ybphpewf.exe Has been deleted!
Performing Repairs to the registry.
Done!
biosmsg.dll jotti scan results:
File: BiosMsg.dll
Status: OK
MD5: 19d20181079a39f120ef0ffefbeb976f
Packers detected: -
Bit9 reports: No threat detected (more info)
Scan taken on 21 Nov 2007 12:59:21 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Windrv.sys jotti scan results:
File: windrv.sys
Status: OK
MD5: f8cbd664f1c43af9c29501b9ea4a5766
Packers detected: -
Bit9 reports: File not found
Scan taken on 21 Nov 2007 13:07:00 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
21st November 2007
#11
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
registry
I would be comfortable editing the registry. Just let me know what needs to be done.
21st November 2007
#12
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Grab an updated copy of ComboFix. Download ComboFix by sUBs from here or here, saving the file to your desktop. Close all open programs and windows.
Double click combofix.exe and follow the prompts.
When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Make sure to disconnect all client logon sessions first.
24th November 2007
#13
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
new combofix log 11/23/07
ComboFix 07-11-19.3 - administrator 2007-11-23 18:07:57.2 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.2859 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\65gsupport\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\pcmssnen.dllbox
.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.
2007-11-20 00:05 <DIR> d-------- C:\Deckard
2007-11-19 10:42 <DIR> d-------- C:\Temp\combfix
2007-11-19 10:28 <DIR> d-------- C:\VundoFix Backups
2007-11-19 10:27 118,272 --------- C:\Documents and Settings\Administrator.65GW2003\VundoFix.exe
2007-11-19 08:53 1,374 ---hs---- C:\WINDOWS\system32\aalhefla.ini
2007-11-19 08:50 1,134 ---hs---- C:\WINDOWS\system32\bvskkekv.ini
2007-11-19 08:17 1,074 ---hs---- C:\WINDOWS\system32\eniuktwl.ini
2007-11-19 07:59 1,014 ---hs---- C:\WINDOWS\system32\xcmsjohf.ini
2007-11-18 20:05 714 ---hs---- C:\WINDOWS\system32\hnoctmce.ini
2007-11-18 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 13:16 774 ---hs---- C:\WINDOWS\system32\rcmfxohr.ini
2007-11-17 20:02 654 ---hs---- C:\WINDOWS\system32\fcsmtnwo.ini
2007-11-16 20:05 594 ---hs---- C:\WINDOWS\system32\yiyhfjjq.ini
2007-11-15 20:02 354 ---hs---- C:\WINDOWS\system32\dlrjbmdn.ini
2007-11-15 07:56 474 ---hs---- C:\WINDOWS\system32\tbmlufbo.ini
2007-11-14 19:59 294 ---hs---- C:\WINDOWS\system32\bobynphj.ini
2007-11-14 16:53 294 ---hs---- C:\WINDOWS\system32\aftbyymm.ini
2007-11-14 16:25 294 ---hs---- C:\WINDOWS\system32\fupetkcv.ini
2007-11-14 15:21 294 ---hs---- C:\WINDOWS\system32\ubdniyrg.ini
2007-11-13 09:26 474 ---hs---- C:\WINDOWS\system32\sjknwlaq.ini
2007-11-13 08:22 <DIR> d-------- C:\Documents and Settings\o'brienp\WINDOWS
2007-11-12 09:28 414 ---hs---- C:\WINDOWS\system32\gcsbqcjw.ini
2007-11-12 09:19 294 ---hs---- C:\WINDOWS\system32\anvajlny.ini
2007-11-12 09:10 1,734 ---hs---- C:\WINDOWS\system32\qesridhq.ini
2007-11-12 09:06 2,454 ---hs---- C:\WINDOWS\system32\tnjqxvmt.ini
2007-11-12 09:03 1,734 ---hs---- C:\WINDOWS\system32\fjgykpyf.ini
2007-11-12 09:01 1,614 ---hs---- C:\WINDOWS\system32\ydevqksu.ini
2007-11-09 08:04 1,554 ---hs---- C:\WINDOWS\system32\bwotgeia.ini
2007-11-08 18:20 894 ---hs---- C:\WINDOWS\system32\irsxqpgj.ini
2007-11-08 14:17 774 ---hs---- C:\WINDOWS\system32\nvdgrais.ini
2007-11-08 13:37 <DIR> d-------- C:\Documents and Settings\65gspam\WINDOWS
2007-11-08 13:31 594 ---hs---- C:\WINDOWS\system32\ltblheht.ini
2007-11-08 06:58 474 ---hs---- C:\WINDOWS\system32\enaufxde.ini
2007-11-07 20:57 354 ---hs---- C:\WINDOWS\system32\dktannad.ini
2007-11-07 20:52 354 ---hs---- C:\WINDOWS\system32\blnggryv.ini
2007-11-07 19:58 294 ---hs---- C:\WINDOWS\system32\qwfdmwkn.ini
2007-11-07 19:11 474 ---hs---- C:\WINDOWS\system32\nqdbptmd.ini
2007-11-07 19:10 8,706,680 --a------ C:\Temp\Windows-KB890830-V1.34.exe
2007-11-07 18:13 474 ---hs---- C:\WINDOWS\system32\rxywigdd.ini
2007-11-07 17:55 354 ---hs---- C:\WINDOWS\system32\nlghhebs.ini
2007-11-07 16:47 <DIR> d-------- C:\Temp\symantec
2007-11-07 14:57 294 ---hs---- C:\WINDOWS\system32\mmyhwxmr.ini
2007-11-07 13:36 654 ---hs---- C:\WINDOWS\system32\oftfwhhy.ini
2007-11-07 13:36 594 ---hs---- C:\WINDOWS\system32\xabrhvkd.ini
2007-11-07 12:39 534 ---hs---- C:\WINDOWS\system32\ucybutpn.ini
2007-11-07 11:41 <DIR> d-------- C:\Documents and Settings\atlantalocaldispatch\WINDOWS
2007-11-07 10:10 654 ---hs---- C:\WINDOWS\system32\qyoeghyf.ini
2007-11-07 09:02 894 ---hs---- C:\WINDOWS\system32\ibbfstdw.ini
2007-11-07 08:56 22,016 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-07 08:56 22,016 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-06 14:00 894 ---hs---- C:\WINDOWS\system32\fosvsqkq.ini
2007-11-06 08:24 894 ---hs---- C:\WINDOWS\system32\whgnypjx.ini
2007-11-05 14:03 354 ---hs---- C:\WINDOWS\system32\ssoscbjb.ini
2007-11-05 08:12 774 ---hs---- C:\WINDOWS\system32\suiltnwc.ini
2007-11-05 08:06 654 ---hs---- C:\WINDOWS\system32\qxipiotf.ini
2007-11-04 13:57 294 ---hs---- C:\WINDOWS\system32\aoxgwuoq.ini
2007-11-04 13:20 414 ---hs---- C:\WINDOWS\system32\tdaxiwwu.ini
2007-11-04 13:14 294 ---hs---- C:\WINDOWS\system32\ivnvyetb.ini
2007-11-04 13:13 <DIR> d-------- C:\Temp\dup1_tmp
2007-11-04 12:50 1,974 ---hs---- C:\WINDOWS\system32\udscjbdm.ini
2007-11-04 12:44 <DIR> d-------- C:\Temp\PE1850_BIOS_WIN_A06
2007-11-04 12:44 6,656 --------- C:\WINDOWS\system32\BiosMsg.dll
2007-11-04 12:42 414 ---hs---- C:\WINDOWS\system32\sjbuiwjw.ini
2007-11-04 12:21 294 ---hs---- C:\WINDOWS\system32\jngghflp.ini
2007-11-04 11:59 696,421 ---hs---- C:\WINDOWS\system32\stbtyvog.ini
2007-11-04 11:42 <DIR> d-------- C:\Temp\Dell
2007-11-04 11:42 86,016 --------- C:\WINDOWS\system32\DellSPMsg.dll
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\coakleya\WINDOWS
2007-11-02 08:31 <DIR> d-------- C:\Documents and Settings\campbelle\WINDOWS
2007-11-02 08:30 <DIR> d-------- C:\Documents and Settings\hughesbi\WINDOWS
2007-11-01 15:42 <DIR> d-------- C:\Documents and Settings\beckerc\WINDOWS
2007-10-29 13:27 <DIR> d-------- C:\Documents and Settings\atcwvedi\WINDOWS
2007-10-26 09:50 696,421 ---hs---- C:\WINDOWS\system32\mkvnardk.ini
2007-10-26 04:34 694,381 ---hs---- C:\WINDOWS\system32\cexwrtup.ini
2007-10-24 16:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-24 16:29 255 --------- C:\ietempdel.bat
2007-10-24 04:32 694,201 ---hs---- C:\WINDOWS\system32\ddreuvhs.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 23:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-04 16:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 16:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 14:32 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-21 22:14 --------- d-----w C:\Documents and Settings\Administrator.65GW2003\Application Data\SUPERAntiSpyware.com
2007-10-21 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 22:09 --------- d-----w C:\Program Files\Solarwinds
2007-09-11 12:17 914 ------w C:\Documents and Settings\spitzj\SDM-2.3.2-1811-c181x-advipservicesk9-mz.124-6.T7.bin
2007-09-06 20:32 1,150 ------w C:\Documents and Settings\spitzj\SDM-2.3.1-1811-c181x-adventerprisek9-mz.124-6.T2.bin
2007-09-05 21:27 726 ------w C:\Documents and Settings\spitzj\SDM-2.2-1811-c181x-advipservicesk9-mz.124-2.XA.bin
.
((((((((((((((((((((((((((((( snapshot@2007-11-19_10.50.00.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-19 15:42:38 84,068 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-21 12:50:14 84,068 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-19 15:42:38 475,080 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-21 12:50:14 475,080 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"Acrobat Assistant 7.0"="E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"SNM"="E:\Program Files\SpyNoMore\SNM.exe" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-04-04 03:00]
"@"="" []
"O2K3ProfileSettings"="E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" [2003-07-14 22:02]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-16 09:25:39]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-02 16:49:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
C:\WINDOWS\system32\NavLogon.dll 2004-03-12 14:17 83176 C:\WINDOWS\system32\NavLogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2987\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3207\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3222\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3446\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3447\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3448\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3449\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3790\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3791\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3792\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3793\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3794\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3795\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3797\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4028\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\CGSLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4117\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\TCHLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4230\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4233\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4256\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4279\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4428\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4446\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4447\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4448\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4449\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4462\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4467\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4475\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4477\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4478\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4479\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4480\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4495\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4502\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4504\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4505\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4506\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4545\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\ATCLogon.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4547\Scripts\Logon\0 \0 ]
"Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"
R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R0 VSP;Volume Snapshot Provider;C:\WINDOWS\system32\DRIVERS\vsp.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 MSSEARCH;Microsoft Search;"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"
R2 TIAccountManagementService80;Track-It! 8.0 Account Management Service;"e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe"
R2 TIConfiguration;Track-It! Configuration;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe"
R2 TIDashboardMonitor;Track-It! Dashboard Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe"
R2 TIFileStorage;Track-It! File Storage;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe"
R2 TIMonitor;Track-It! Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe"
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe
R2 TIServerServices80;Track-It! 8.0 Monitor Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe /StartService
R2 TISoftwareLicensingMonitor;Track-It! Software Licensing Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe"
R2 TISystemNotificationMonitor;Track-It! System Notification Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe"
R2 TIWorkOrderMonitor;Track-It! Work Order Monitor;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe"
R2 UserSyncService80;Track-It! 8.0 User Synchronization Service;e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe /StartService
R3 dcdbas;System Management Driver;C:\WINDOWS\system32\DRIVERS\dcdbas32.sys
R3 racser;racser;C:\WINDOWS\system32\DRIVERS\rac4ser.sys
S2 TISearch;Track-It! Search;"e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe"
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 SmaRTIndexServer;SmaRTIndexServer;e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S4 AmdIde;AmdIde;C:\WINDOWS\system32\drivers\AmdIde.sys
S4 arc;arc;C:\WINDOWS\system32\drivers\arc.sys
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 hpcisss;hpcisss;C:\WINDOWS\system32\drivers\hpcisss.sys
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 18:12:08
Windows 5.2.3790 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-23 18:12:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-19 10:50
.
--- E O F ---
24th November 2007
#14
Senior Member
Join Date: Nov 2007
Posts: 81
Computer Experience: experienced
hijack this 11/23/07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13, on 2007-11-23
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
E:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
E:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\mswsock.dll' missing
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - https://portal.carealliance.com/port...redSession.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://10.10.1.20/SWToolset.exe
O16 - DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} (Session Viewer) - https://10.10.1.43/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1189550347824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189550339113
O16 - DPF: {7D7D0CF0-BB7C-473E-8B35-7590F7D86671} (eFilmX Image Retrieval Module) - http://10.1.18.30/FusionServer/ActiveX/coefir.cab
O16 - DPF: {B1B22D8C-30F6-4BD5-8291-7C855D5CF2FC} (eFilmX Image Viewer) - http://10.1.18.30/FusionServer/ActiveX/eFilmX.cab
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.carealliance.com/port.../mckntauth.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EFD42E0-A4D8-48AB-A4F5-6B1221F800F5}: NameServer = 10.10.1.70,10.10.1.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Program Files\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SmaRTIndexServer - Self-Service Technologies - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\smart\services\SmartIndexer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! 8.0 Account Management Service (TIAccountManagementService80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Web Add-On\Password Reset\Account Management Service\AccountManagementService.exe
O23 - Service: Track-It! Configuration (TIConfiguration) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIConfiguration.exe
O23 - Service: Track-It! Dashboard Monitor (TIDashboardMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIDashboardMonitor.exe
O23 - Service: Track-It! File Storage (TIFileStorage) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIFileStorage.exe
O23 - Service: Track-It! Monitor (TIMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIMonitor.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Track-It! Search (TISearch) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISearch.exe
O23 - Service: Track-It! 8.0 Monitor Service (TIServerServices80) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\TIServerServices.exe
O23 - Service: Track-It! Software Licensing Monitor (TISoftwareLicensingMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISoftwareLicensingMonitor.exe
O23 - Service: Track-It! System Notification Monitor (TISystemNotificationMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TISystemNotificationMonitor.exe
O23 - Service: Track-It! Work Order Monitor (TIWorkOrderMonitor) - Numara Software, Inc. - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Services\TIWorkOrderMonitor.exe
O23 - Service: Track-It! 8.0 User Synchronization Service (UserSyncService80) - Unknown owner - e:\Program Files\Numara Software\Numara Track-It! 8\Track-It! Server\User Synch\bin\TIUserSyncSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - E:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 12155 bytes
24th November 2007
#15
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Empty the C:\Temp folder.
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;
Filename: CFScript.txt
Save As Type: All Files (*.*)
Code:
File::
C:\WINDOWS\system32\aalhefla.ini
C:\WINDOWS\system32\bvskkekv.ini
C:\WINDOWS\system32\eniuktwl.ini
C:\WINDOWS\system32\xcmsjohf.ini
C:\WINDOWS\system32\hnoctmce.ini
C:\WINDOWS\system32\rcmfxohr.ini
C:\WINDOWS\system32\fcsmtnwo.ini
C:\WINDOWS\system32\yiyhfjjq.ini
C:\WINDOWS\system32\dlrjbmdn.ini
C:\WINDOWS\system32\tbmlufbo.ini
C:\WINDOWS\system32\bobynphj.ini
C:\WINDOWS\system32\aftbyymm.ini
C:\WINDOWS\system32\fupetkcv.ini
C:\WINDOWS\system32\ubdniyrg.ini
C:\WINDOWS\system32\sjknwlaq.ini
C:\WINDOWS\system32\gcsbqcjw.ini
C:\WINDOWS\system32\anvajlny.ini
C:\WINDOWS\system32\qesridhq.ini
C:\WINDOWS\system32\tnjqxvmt.ini
C:\WINDOWS\system32\fjgykpyf.ini
C:\WINDOWS\system32\ydevqksu.ini
C:\WINDOWS\system32\bwotgeia.ini
C:\WINDOWS\system32\irsxqpgj.ini
C:\WINDOWS\system32\nvdgrais.ini
C:\WINDOWS\system32\ltblheht.ini
C:\WINDOWS\system32\enaufxde.ini
C:\WINDOWS\system32\dktannad.ini
C:\WINDOWS\system32\blnggryv.ini
C:\WINDOWS\system32\qwfdmwkn.ini
C:\WINDOWS\system32\nqdbptmd.ini
C:\WINDOWS\system32\rxywigdd.ini
C:\WINDOWS\system32\nlghhebs.ini
C:\WINDOWS\system32\mmyhwxmr.ini
C:\WINDOWS\system32\oftfwhhy.ini
C:\WINDOWS\system32\xabrhvkd.ini
C:\WINDOWS\system32\ucybutpn.ini
C:\WINDOWS\system32\qyoeghyf.ini
C:\WINDOWS\system32\ibbfstdw.ini
C:\WINDOWS\system32\fosvsqkq.ini
C:\WINDOWS\system32\whgnypjx.ini
C:\WINDOWS\system32\ssoscbjb.ini
C:\WINDOWS\system32\suiltnwc.ini
C:\WINDOWS\system32\qxipiotf.ini
C:\WINDOWS\system32\aoxgwuoq.ini
C:\WINDOWS\system32\tdaxiwwu.ini
C:\WINDOWS\system32\ivnvyetb.ini
C:\WINDOWS\system32\udscjbdm.ini
C:\WINDOWS\system32\sjbuiwjw.ini
C:\WINDOWS\system32\jngghflp.ini
C:\WINDOWS\system32\stbtyvog.ini
C:\WINDOWS\system32\mkvnardk.ini
C:\WINDOWS\system32\cexwrtup.ini
C:\WINDOWS\system32\ddreuvhs.ini
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
I'm still a bit suspicious of the following 2 files. Please check their properties for company name, version, etc. and let me know what you find.
C:\WINDOWS\system32\BiosMsg.dll
C:\WINDOWS\system32\DellSPMsg.dll
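The reply above combines three checks: a batch of eight-letter, random-looking file names in System32, a file-properties check (company name, version) on anything unexplained, and a ComboFix CFScript `File::` block listing what should go. The script below is an added example written for this page, not the helper's or ComboFix's own code. It assumes a CSV export of System32 in the shape `Name,CreationTime,CompanyName` (for instance from a PowerShell `Get-ChildItem` export where CompanyName comes from each file's VersionInfo); the sample rows, timestamps and company fields are constructed for the example, and the burst window and threshold are arbitrary choices. It shortlists files with no company in their version resource that either match the eight-letter pattern or were created in a tight burst, then renders the shortlist in the `File::` format used in the post.

```python
"""
Triage helper for the pattern in this thread: a burst of random-looking
8-letter files dropped into System32 that carry no company/version
information.  Input is a CSV export (Name, CreationTime, CompanyName);
output is a shortlist with reasons plus a ComboFix CFScript "File::" block.
This is example code written for the page, not part of any tool.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of a PowerShell Export-Csv of System32.
# File names are taken from the log and script in the thread; the
# timestamps and company fields are made up for the example.
SAMPLE_CSV = """\
Name,CreationTime,CompanyName
winlogon.exe,2007-03-17 14:02:11,Microsoft Corporation
services.exe,2007-03-17 14:02:11,Microsoft Corporation
inetinfo.exe,2007-03-17 14:05:40,Microsoft Corporation
BiosMsg.dll,2007-03-20 09:15:00,Dell Inc.
scdeybvw.exe,2007-11-12 03:41:07,
aalhefla.ini,2007-11-12 03:41:09,
bvskkekv.ini,2007-11-12 03:41:09,
eniuktwl.ini,2007-11-12 03:41:10,
xcmsjohf.ini,2007-11-12 03:41:10,
readme.txt,2007-06-01 08:00:00,
"""

# Eight lowercase letters plus ini/dll/exe, the shape of every name in the
# CFScript above.  Legitimate names (winlogon.exe, services.exe) match too,
# which is why this is only applied to files with no company in their
# version resource.
EIGHT_LETTER_NAME = re.compile(r"^[a-z]{8}\.(?:ini|dll|exe)$")
BURST_WINDOW = timedelta(seconds=30)  # assumed: max gap between files in one drop
BURST_MIN = 3                         # assumed: smallest group that counts as a drop


def parse_listing(text):
    """Parse the CSV export into records with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["Name"],
            "ctime": datetime.strptime(row["CreationTime"], "%Y-%m-%d %H:%M:%S"),
            "company": (row.get("CompanyName") or "").strip(),
        })
    return rows


def burst_members(rows):
    """Names of files whose creation times chain together within BURST_WINDOW
    into a group of at least BURST_MIN files (one 'drop' of files)."""
    ordered = sorted(rows, key=lambda r: r["ctime"])
    flagged, group = set(), []
    for r in ordered:
        if group and r["ctime"] - group[-1]["ctime"] > BURST_WINDOW:
            if len(group) >= BURST_MIN:
                flagged.update(g["name"] for g in group)
            group = []
        group.append(r)
    if len(group) >= BURST_MIN:
        flagged.update(g["name"] for g in group)
    return flagged


def triage(rows):
    """Shortlist files with no company name that either look like the
    eight-letter pattern or were created as part of a burst.  Files that do
    carry a company name are left for the manual properties check."""
    burst = burst_members(rows)
    shortlist = []
    for r in rows:
        if r["company"]:
            continue
        reasons = []
        if EIGHT_LETTER_NAME.match(r["name"]):
            reasons.append("8-letter lowercase name")
        if r["name"] in burst:
            reasons.append("created in a burst")
        if reasons:
            shortlist.append((r["name"], reasons))
    return shortlist


def cfscript(shortlist, directory=r"C:\WINDOWS\system32"):
    """Render a ComboFix CFScript 'File::' block in the format used above."""
    lines = ["File::"] + [f"{directory}\\{name}" for name, _ in shortlist]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_CSV)
    shortlist = triage(rows)
    for name, reasons in shortlist:
        print(f"{name:16} {', '.join(reasons)}")
    print(cfscript(shortlist))
```

Treat the output as a shortlist to hand to a properties and hash check, not a verdict: plenty of legitimate `.ini` files have no version resource, and a service pack install also creates files in bursts, which is why both signals are gated on the missing company name and why branded files such as the two Dell DLLs the helper asks about are deliberately left for the manual check.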