Hacked, Viruses, Malware, oh my!

Let's see, where to start?

I have a Windows 2000 Server machine that is having some serious issues. It started with everyone on my domain suddenly unable to access our share drive and has progressed from there to WINS not working, to Citrix problems, etc., etc., etc.

Bottom line is that I am having users created on my domain (Administrator members, of course) that I do not create, and there are connections made to my server using those usernames that I can see in my Citrix Management Console. I do not know exactly what this user is up to, but I have found several things that I can post as the thread gets going... I am trying not to make this a book :)

I do pretty well technically, but my major weakness has become security. Over the years I have transformed into more of a Project Manager than an IT guy. We know that we need to hire someone, but it is a work in progress, so please bear with me if I am ignorant on this particular subject.

So far, I read the "Steps To Take Before Posting a HijackThis Log!" and I have run ATF Cleaner, scanned with Spybot (clean as of right now), installed AdAware (I get an error related to the fact that Spybot is installed, but I haven't been able to research beyond that yet), installed SpywareBlaster, run all Windows updates, purchased AVG Enterprise (currently running clean), and lastly I installed HijackThis.

Even after all of this I am still experiencing issues, although they are not as bad as before, and I am still getting new users created and connecting, doing who knows what.

Any help would be GREATLY appreciated and I cannot emphasize enough how much I appreciate your time.

Here is my current Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:54 AM, on 5/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\Documents and Settings\admin.KEY.000\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Citrix\Installer\AgentSVC.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\Citrix\Installer\saginst.exe
E:\PROGRA~1\avgwdsvc.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\ctxxmlss.exe
C:\Program Files\Data Collector Agent\DCAService.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\encsvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\Program Files\SSC\NSCTOP.EXE
E:\PROGRA~1\avgam.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\RDS\RsiSvc.exe
E:\PROGRA~1\avgrsx.exe
C:\Program Files\RDS\srscandr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
E:\Program Files\alecf2007data\alecfcd.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Citrix\system32\icabar.exe
E:\PROGRA~1\avgtray.exe
C:\WINNT\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\j2re1.4.1\bin\javaw.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
E:\Program Files\Microsoft Dynamics\GP\Dynamics.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Citrix\system32\icabar.exe
E:\PROGRA~1\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\winlogon.exe
E:\Program Files\AdAware\aawservice.exe
C:\WINNT\system32\rdpclip.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Citrix\system32\icabar.exe
E:\PROGRA~1\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.1\bin\javaw.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
E:\Program Files\Quickbooks\qbw32.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINNT\system32\ctfmon.exe
E:\PROGRA~1\avgnsx.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\HiJack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Win2KService] C:\WINNT\system32\nero.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKLM\..\RunServices: [sysppc] "C:\WINNT\system32\ras\java\svchost\svchost.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1116\..\Run: [] (User 'Rebecca')
O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1116\..\Run: [ctfmon.exe] ctfmon.exe (User 'Rebecca')
O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1122\..\Run: [ctfmon.exe] ctfmon.exe (User 'Jan')
O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1188\..\Run: [] (User 'Lyndsay')
O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1204\..\Run: [] (User 'Mike')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\admin.KEY.000\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\admin.KEY.000\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\admin.key.000\windows\system32\rnr20.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206713661562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206713650406
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = key.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F722CF7D-8013-433C-83A2-F66FA4B84D83}: NameServer = 192.168.0.2,207.191.50.10,207.191.1.10,216.251.32.100,216.251.32.101,207.115.59.241,207.69.188.185,207.155.184.72,206.173.119.72,68.52.0.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = key.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = key.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
O20 - AppInit_DLLs: RMProcessLink.dll,mfaphook.dll,avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\AdAware\aawservice.exe
O23 - Service: ADF Installer Service (ADF Installer) - Citrix Systems, Inc. - C:\Program Files\Citrix\Installer\AgentSVC.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe (file missing)
O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe (file missing)
O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe (file missing)
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe (file missing)
O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe (file missing)
O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe (file missing)
O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe (file missing)
O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - C:\WINNT\System32\cdmsvc.exe
O23 - Service: Citrix WMI Service (CitrixWMIService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\citrix\WMI\ctxwmisvc.exe
O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\WINNT\System32\ctxxmlss.exe
O23 - Service: Data Collector Agent (DCA Service) - PrintFleet Inc. - C:\Program Files\Data Collector Agent\DCAService.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: Encryption Service - Citrix Systems, Inc. - C:\WINNT\System32\encsvc.exe
O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - C:\WINNT\System32\mfcom.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe (file missing)
O23 - Service: NetBackup Client Service (NetBackup INET Daemon) - Unknown owner - C:\VERITAS\NetBackup\bin\bpinetd.exe (file missing)
O23 - Service: NetBackup Volume Manager - Unknown owner - C:\VERITAS\Volmgr\bin\bevmd.exe (file missing)
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Pervasive.SQL 2000 (relational) - Unknown owner - f:\pvsw\BIN\W3SQLMGR.EXE (file missing)
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - f:\pvsw\BIN\NTBTRV.EXE (file missing)
O23 - Service: Resource Manager Mail (ResourceManagerMail) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\IMA\MailService.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
--
End of file - 11751 bytes

*Sigh* I just connected to one of the sessions that was running on my server and found this running:

[attachment: Issues2.jpg]
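A triage script for a HijackThis log like the one above, added here as an example; it is not part of the original post and not a HijackThis feature. It reads the running-process lines, the O4 autorun lines and the O23 service lines and flags what a responder checks first: a system-binary name such as svchost.exe or smss.exe launched from outside the Windows directory, and services whose binary is missing or carries no owner information. The sample lines are copied from the log above; the directory whitelist, the severity labels and all function names are my own assumptions.

```python
import ntpath
import re

# Windows 2000 core binaries that only belong in the directories listed below.
# A file with one of these names running from anywhere else deserves a look.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "rundll32.exe",
}
# Assumed whitelist: the Windows and System32 directories on a Win2000/XP box.
EXPECTED_DIRS = {
    r"c:\winnt\system32", r"c:\winnt", r"c:\windows\system32", r"c:\windows",
}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-zA-Z]:\\")

# Constructed sample: lines copied from the HijackThis log in the post above,
# including benign entries so the output shows what the rules ignore.
SAMPLE_LOG = r"""
C:\WINNT\system32\winlogon.exe
C:\Documents and Settings\admin.KEY.000\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [sysppc] "C:\WINNT\system32\ras\java\svchost\svchost.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\WINNT\System32\ctxxmlss.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe (file missing)
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
"""


def misplaced_system_binary(path):
    """True when a core-binary name (svchost.exe etc.) sits outside the Windows dirs."""
    directory, base = ntpath.split(path)
    if base.lower() not in SYSTEM_BINARIES or not directory:
        return False  # a bare name like "ctfmon.exe" carries no directory to judge
    return directory.lower().rstrip("\\") not in EXPECTED_DIRS


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        exe = EXE_RE.match(m.group("cmd"))
        if exe and misplaced_system_binary(exe.group("exe")):
            return ("high", "autorun '%s' launches a system-binary name from a "
                            "non-standard directory" % m.group("name"))
        return None
    if line.startswith("O23 - Service: "):
        body = line[len("O23 - Service: "):]
        missing = body.endswith(" (file missing)")
        if missing:
            body = body[:-len(" (file missing)")]
        # Split from the right: the display name itself may contain " - ".
        parts = body.rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        display, owner, path = parts
        if missing and owner == "Unknown owner":
            return ("medium", "service '%s' has no owner info and its binary is gone: "
                              "orphaned or removed, clean up the entry" % display)
        if missing:
            return ("low", "service '%s' points at a missing file; stale install, "
                           "remove the entry" % display)
        if misplaced_system_binary(path):
            return ("high", "service '%s' runs a system-binary name from a "
                            "non-standard directory" % display)
        if owner == "Unknown owner":
            return ("low", "service '%s' has no version info; verify the binary" % display)
        return None
    if DRIVE_RE.match(line) and misplaced_system_binary(line):
        return ("high", "running process uses a system-binary name outside the "
                        "Windows directory")
    return None


def triage(log_text):
    """Run every line of a HijackThis log through the rules; return the findings."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1], "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```

On the sample it reports the smss.exe under a user profile and the `sysppc` RunServices svchost.exe as high, the orphaned MSpool service as medium, and the owner-less ATI service as low; a full log is fed in the same way via `triage(open(path).read())`.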

Comments

  • edited May 2008
    A belated welcome to Icrontic bobgilbert,

    Goodness. Quite a bit of likely active SDBot showing in this view, but hard to be completely sure what all is unwanted on this setup. We really are not geared for server repairs, and the tools we use might mistake a needed legit file or setting as badware there. Server setups most often keep a few current backups available to restore the system. Gotta assume you either are not in the practice of doing that or are unable to due to infection problems. If you have not yet resolved the issues we can take a more detailed view here, but you might consider (or may have already considered) having a local repair service help out, where they can do direct server access for repairs.

    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

    You can use extra posts here if needed for that.
  • edited June 2008
    Thanks so much for your help!

    Here are the logs that you requested:

    Main.txt:

    Deckard's System Scanner v20071014.68
    Run by admin on 2008-06-01 18:11:16
    Computer is in Normal Mode.
    Backed up registry hives.
    Performed disk cleanup.
    System Drive C: has 0.37 GiB (less than 15%) free.

    -- HijackThis (run as admin.exe)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:12:18 PM, on 6/1/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\Documents and Settings\admin.KEY.000\WINDOWS\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    E:\Program Files\AdAware\aawservice.exe
    C:\Program Files\Citrix\Installer\AgentSVC.exe
    C:\WINNT\System32\ati2plxx.exe
    C:\Program Files\Citrix\Installer\saginst.exe
    E:\PROGRA~1\avgwdsvc.exe
    C:\WINNT\System32\cdmsvc.exe
    C:\WINNT\System32\ctxxmlss.exe
    C:\Program Files\Data Collector Agent\DCAService.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\encsvc.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\mfcom.exe
    C:\Program Files\SSC\NSCTOP.EXE
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    E:\PROGRA~1\avgam.exe
    C:\WINNT\System32\locator.exe
    C:\Program Files\RDS\RsiSvc.exe
    C:\Program Files\RDS\srscandr.exe
    C:\WINNT\system32\MSTask.exe
    E:\PROGRA~1\avgrsx.exe
    C:\WINNT\System32\lserver.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\RDS\ddsschednt.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Citrix\system32\icabar.exe
    E:\PROGRA~1\avgtray.exe
    C:\WINNT\system32\ctfmon.exe
    E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    E:\PROGRA~1\avgtray.exe
    C:\WINNT\system32\ctfmon.exe
    E:\Program Files\Microsoft Dynamics\GP\Dynamics.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    E:\PROGRA~1\avgtray.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    E:\PROGRA~1\avgtray.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINNT\system32\ctfmon.exe
    E:\PROGRA~1\avgnsx.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    E:\PROGRA~1\avgtray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Documents and Settings\admin.KEY.000\desktop\dss.exe
    E:\PROGRA~1\HiJack\admin.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [Win2KService] C:\WINNT\system32\nero.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
    O4 - HKLM\..\RunServices: [sysppc] "C:\WINNT\system32\ras\java\svchost\svchost.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1122\..\Run: [ctfmon.exe] ctfmon.exe (User 'Jan')
    O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\admin.KEY.000\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\admin.KEY.000\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Broken Internet access because of LSP provider 'c:\documents and settings\admin.key.000\windows\system32\rnr20.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0843A48A-ADF3-4CF4-B66C-EFDE26E35926} (CWCLogoff.logoff) - http://localhost/Citrix/WebConsole/WebConsoleApp/CWClogoff.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206713661562
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206713650406
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = key.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F722CF7D-8013-433C-83A2-F66FA4B84D83}: NameServer = 192.168.0.2,207.191.50.10,207.191.1.10,216.251.32.100,216.251.32.101,207.115.59.241,207.69.188.185,207.155.184.72,206.173.119.72,68.52.0.6
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = key.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = key.com
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
    O20 - AppInit_DLLs: RMProcessLink.dll,mfaphook.dll,avgrsstx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\AdAware\aawservice.exe
    O23 - Service: ADF Installer Service (ADF Installer) - Citrix Systems, Inc. - C:\Program Files\Citrix\Installer\AgentSVC.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
    O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe (file missing)
    O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe (file missing)
    O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe (file missing)
    O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe (file missing)
    O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe (file missing)
    O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe (file missing)
    O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe (file missing)
    O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - C:\WINNT\System32\cdmsvc.exe
    O23 - Service: Citrix WMI Service (CitrixWMIService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\citrix\WMI\ctxwmisvc.exe
    O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\WINNT\System32\ctxxmlss.exe
    O23 - Service: Data Collector Agent (DCA Service) - PrintFleet Inc. - C:\Program Files\Data Collector Agent\DCAService.exe
    O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
    O23 - Service: Encryption Service - Citrix Systems, Inc. - C:\WINNT\System32\encsvc.exe
    O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
    O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
    O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - C:\WINNT\System32\mfcom.exe
    O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe (file missing)
    O23 - Service: NetBackup Client Service (NetBackup INET Daemon) - Unknown owner - C:\VERITAS\NetBackup\bin\bpinetd.exe (file missing)
    O23 - Service: NetBackup Volume Manager - Unknown owner - C:\VERITAS\Volmgr\bin\bevmd.exe (file missing)
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
    O23 - Service: Pervasive.SQL 2000 (relational) - Unknown owner - f:\pvsw\BIN\W3SQLMGR.EXE (file missing)
    O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - f:\pvsw\BIN\NTBTRV.EXE (file missing)
    O23 - Service: Resource Manager Mail (ResourceManagerMail) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\IMA\MailService.exe
    O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
    O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
    O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe
    O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
    --
    End of file - 11086 bytes
    -- File Associations
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R0 drvmcdb - c:\winnt\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
    R0 Otman5 (Open Transaction Manager) - c:\winnt\system32\drivers\otman5.sys <Not Verified; Columbia Data Products, Inc.; Open Transaction Manager ®>
    R2 Cdm - c:\winnt\system32\drivers\cdm.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 ctxsmcdrv (Citrix SMC Support Driver) - c:\winnt\system32\drivers\ctxsmcdrv.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R3 dcdbas (System Management Driver) - c:\winnt\system32\drivers\dcdbas32.sys <Not Verified; Dell Inc.; Dell(R) Hardware Abstraction>
    R3 IcaReduc - c:\winnt\system32\drivers\icareduc.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    S1 SCSIChanger - c:\winnt\system32\drivers\scsichng.sys <Not Verified; VERITAS Software; Microsoft® Windows NT(TM) Operating System>
    S3 Damini (Dynamic Access Miniport) - c:\winnt\system32\drivers\daprotim.sys (file missing)
    S3 dcdtvm (Systems management TVM driver) - c:\winnt\system32\drivers\dcdtvm32.sys (file missing)
    S3 dset - c:\program files\dell\dset\bin\omsalite\oma\bin\nt_node\dcesm.sys (file missing)
    S3 NDISHOOK (NDISHOOK Protocol Driver) - c:\linksys\printserver\ndishook.sys <Not Verified; Printing Communications Assoc., Inc.; PCA Win32 NDIS Framework (WinDis 32)>
    S3 pdcrypt1 - c:\winnt\system32\drivers\pdcrypt1.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    S3 pdcrypt2 - c:\winnt\system32\drivers\pdcrypt2.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    S3 PORTACCESSOR_1 - c:\program files\dell\sysmgt\oldiags\packages\portaccessor32.sys (file missing)

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R2 ADF Installer (ADF Installer Service) - c:\program files\citrix\installer\agentsvc.exe <Not Verified; Citrix Systems, Inc.; Citrix Installation Manager 2.3>
    R2 CdmService (Client Network) - c:\winnt\system32\cdmsvc.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 CtxHttp (Citrix XML Service) - c:\winnt\system32\ctxxmlss.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 DCA Service (Data Collector Agent) - "c:\program files\data collector agent\dcaservice.exe" <Not Verified; PrintFleet Inc.; PrintFleet™>
    R2 DdsSched (Dds Scheduler Deamon) - "c:\program files\rds\ddsschednt.exe" <Not Verified; RICOH Company Ltd.; Ridoc Docuent System>
    R2 Encryption Service - c:\winnt\system32\encsvc.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 IMAService (Independent Management Architecture) - c:\program files\citrix\system32\citrix\ima\imasrv.exe <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    R2 MFCom (MetaFrame COM Server) - c:\winnt\system32\mfcom.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 NSCTOP (Symantec System Center Discovery Service) - c:\program files\ssc\nsctop.exe <Not Verified; Symantec Corporation; Norton System Center>
    R2 RsiSvc (Ridoc Server Information Service) - c:\program files\rds\rsisvc.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
    R2 ScanRouterDriverV2 - "c:\program files\rds\srscandr.exe" <Not Verified; Ricoh Co.,Ltd.; Server Application Program>
    S2 BackupExecAgentBrowser (Backup Exec 8.x Agent Browser) - "c:\program files\veritas\backup exec\nt\benetns.exe" (file missing)
    S2 BackupExecAlertServer (Backup Exec 8.x Alert Server) - "c:\program files\veritas\backup exec\nt\alertserver.exe" (file missing)
    S2 BackupExecDeviceMediaService (Backup Exec 8.x Device & Media Service) - "c:\program files\veritas\backup exec\nt\pvlsvr.exe" (file missing)
    S2 BackupExecJobEngine (Backup Exec 8.x Job Engine) - "c:\program files\veritas\backup exec\nt\bengine.exe" (file missing)
    S2 BackupExecNamingService (Backup Exec 8.x Naming Service) - "c:\program files\veritas\backup exec\nt\benser.exe" (file missing)
    S2 BackupExecNotificationServer (Backup Exec 8.x Notification Server) - "c:\program files\veritas\backup exec\nt\nsvr.exe" (file missing)
    S2 BackupExecRPCService (Backup Exec 8.x Server) - "c:\program files\veritas\backup exec\nt\beserver.exe" (file missing)
    S2 Intel Alert Handler - c:\winnt\system32\ams_ii\hndlrsvc.exe <Not Verified; Intel Corporation; Intel Alert Management System 2>
    S2 Intel Alert Originator - c:\winnt\system32\ams_ii\iao.exe <Not Verified; Intel Corporation; Intel Alert Management System 2>
    S2 Intel File Transfer - c:\winnt\system32\cba\xfr.exe <Not Verified; Intel Corporation; Intel Common Base Agent>
    S2 MSpool (MS System Spooler) - c:\winnt\system32\mscdt.exe (file missing)
    S2 Pervasive.SQL 2000 (relational) - "f:\pvsw\bin\w3sqlmgr.exe" (file missing)
    S2 Pervasive.SQL 2000 (transactional) - "f:\pvsw\bin\ntbtrv.exe" (file missing)
    S2 SOption - c:\program files\rds\soption.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
    S3 CitrixWMIService (Citrix WMI Service) - c:\program files\citrix\system32\citrix\wmi\ctxwmisvc.exe <Not Verified; Citrix Systems, Inc.; Citrix WMI Provider>
    S3 NetBackup INET Daemon (NetBackup Client Service) - c:\veritas\netbackup\bin\bpinetd.exe (file missing)
    S3 NetBackup Volume Manager - c:\veritas\volmgr\bin\bevmd.exe (file missing)
    S3 ResourceManagerMail (Resource Manager Mail) - c:\program files\citrix\system32\citrix\ima\mailservice.exe <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    S4 HTTP FLTER - c:\winnt\system32\wnise.exe (file missing)

    -- Device Manager: Disabled
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 Network Connection
    Device ID: PCI\VEN_8086&DEV_1229&SUBSYS_009B1028&REV_08\3&13C0B0C5&0&10
    Manufacturer: Intel
    Name: Intel(R) PRO/100 Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1229&SUBSYS_009B1028&REV_08\3&13C0B0C5&0&10
    Service: E100B

    -- Process Modules
    C:\WINNT\system32\WINLOGON.EXE (pid 356)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 37136
    n--- C:\WINNT\system32\ctxgina.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 94208
    n--- C:\Program Files\Citrix\System32\ctxnotif.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 40960
    n--- C:\Program Files\Citrix\System32\cutildll.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 41232
    n--- C:\Program Files\Citrix\System32\brapi.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 45328
    n--- C:\WINNT\system32\ImaMfRpc_Client.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-02 11:19:44 168208
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaSystem.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:06 33040
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaCommon.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:14 37136
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaFc.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:44:34 28944
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaPolicyApi.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\system32\svchost.exe (pid 624)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-02 18:06:14 33040
    n--- C:\Program Files\Citrix\ICA Client\pnsson.dll
    C:\WINNT\system32\svchost.exe (pid 688)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\system32\svchost.exe (pid 2088)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\system32\svchost.exe (pid 3268)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\explorer.exe (pid 2988)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2004-05-26 14:15:56 289792 --a
    C:\WINNT\system32\MSCTF.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
    2001-11-27 07:10:00 20552
    n--- C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
    2000-02-01 06:01:00 36864
    n--- C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll <Not Verified; Symantec Corporation; Norton AntiVirus>
    2001-10-16 22:16:28 105521
    n--- C:\Program Files\VERITAS\Backup Exec\NT\ctxmenu.dll <Not Verified; VERITAS Software Corporation; VERITAS Backup Exec(TM) for Windows NT>
    2001-11-08 02:11:00 163328
    n--- C:\Program Files\WinAce\arcext.dll <Not Verified; e-merge GmbH; WinAce-Archiver>
    2001-11-08 02:11:00 231424
    n--- C:\Program Files\WinAce\ace.dll <Not Verified; ACE Compression Software; WinAce>
    2004-01-29 08:08:23 1277952 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-01-29 08:08:23 86016 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMWS.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-01-29 08:08:23 49152 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\NSEXTINT.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    C:\WINNT\system32\WINLOGON.EXE (pid 4160)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 37136
    n--- C:\WINNT\system32\ctxgina.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 94208
    n--- C:\Program Files\Citrix\System32\ctxnotif.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 40960
    n--- C:\Program Files\Citrix\System32\cutildll.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 41232
    n--- C:\Program Files\Citrix\System32\brapi.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 45328
    n--- C:\WINNT\system32\ImaMfRpc_Client.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-02 11:19:44 168208
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaSystem.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:06 33040
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaCommon.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:14 37136
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaFc.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:44:34 28944
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaPolicyApi.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\system32\WINLOGON.EXE (pid 4000)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 37136
    n--- C:\WINNT\system32\ctxgina.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 94208
    n--- C:\Program Files\Citrix\System32\ctxnotif.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 40960
    n--- C:\Program Files\Citrix\System32\cutildll.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 41232
    n--- C:\Program Files\Citrix\System32\brapi.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 45328
    n--- C:\WINNT\system32\ImaMfRpc_Client.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-02 11:19:44 168208
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaSystem.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:06 33040
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaCommon.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:14 37136
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaFc.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:44:34 28944
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaPolicyApi.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\explorer.exe (pid 2172)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2004-05-26 14:15:56 289792 --a
    C:\WINNT\system32\MSCTF.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
    C:\WINNT\system32\WINLOGON.EXE (pid 2716)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 37136
    n--- C:\WINNT\system32\ctxgina.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 94208
    n--- C:\Program Files\Citrix\System32\ctxnotif.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 40960
    n--- C:\Program Files\Citrix\System32\cutildll.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 41232
    n--- C:\Program Files\Citrix\System32\brapi.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 45328
    n--- C:\WINNT\system32\ImaMfRpc_Client.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-02 11:19:44 168208
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaSystem.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:06 33040
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaCommon.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:14 37136
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaFc.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:44:34 28944
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaPolicyApi.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\explorer.exe (pid 3440)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\explorer.exe (pid 4340)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2001-11-08 02:11:00 163328
    n--- C:\Program Files\WinAce\arcext.dll <Not Verified; e-merge GmbH; WinAce-Archiver>
    2001-11-08 02:11:00 231424
    n--- C:\Program Files\WinAce\ace.dll <Not Verified; ACE Compression Software; WinAce>
    2001-11-27 07:10:00 20552
    n--- C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
    2004-01-29 08:08:23 1277952 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-01-29 08:08:23 86016 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMWS.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-01-29 08:08:23 49152 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\NSEXTINT.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-05-26 14:15:56 289792 --a
    C:\WINNT\system32\MSCTF.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
    C:\WINNT\system32\WINLOGON.EXE (pid 692)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 37136
    n--- C:\WINNT\system32\ctxgina.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 94208
    n--- C:\Program Files\Citrix\System32\ctxnotif.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 40960
    n--- C:\Program Files\Citrix\System32\cutildll.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 41232
    n--- C:\Program Files\Citrix\System32\brapi.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 45328
    n--- C:\WINNT\system32\ImaMfRpc_Client.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-02 11:19:44 168208
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaSystem.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:06 33040
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaCommon.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:19:14 37136
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaFc.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-02 11:44:34 28944
    n--- C:\Program Files\Citrix\System32\Citrix\IMA\ImaPolicyApi.dll <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\system32\WINLOGON.EXE (pid 4784)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\system32\WINLOGON.EXE (pid 4640)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 53520
    n--- C:\Program Files\Citrix\System32\scardhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    C:\WINNT\explorer.exe (pid 4776)
    2003-04-29 04:49:30 24984
    n--- C:\Program Files\Citrix\System32\RMProcessLink.dll <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    2003-05-06 20:19:22 11264
    n--- C:\WINNT\system32\mfaphook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 9216
    n--- C:\Program Files\Citrix\System32\tzhook.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:22 135168
    n--- C:\Program Files\Citrix\System32\cdmprov.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2003-05-06 20:19:28 37272
    n--- C:\WINNT\system32\ctxrpc.dll <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    2004-05-26 14:15:56 289792 --a
    C:\WINNT\system32\MSCTF.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
    2001-11-08 02:11:00 163328
    n--- C:\Program Files\WinAce\arcext.dll <Not Verified; e-merge GmbH; WinAce-Archiver>
    2001-11-08 02:11:00 231424
    n--- C:\Program Files\WinAce\ace.dll <Not Verified; ACE Compression Software; WinAce>
    2001-11-27 07:10:00 20552
    n--- C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
    2004-01-29 08:08:23 1277952 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-01-29 08:08:23 86016 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMWS.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>
    2004-01-29 08:08:23 49152 --a
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\NSEXTINT.DLL <Not Verified; Microsoft Corporation; SharePointPortalServer>

    -- Files created between 2008-05-01 and 2008-06-01
    2008-05-29 19:50:58 16384 --a
    t C:\WINNT\system32\Perflib_Perfdata_514.dat
    2008-05-26 17:21:13 0 d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-23 08:29:27 0 d--h
    C:\Documents and Settings\hope.KEY\Templates
    2008-05-23 05:03:28 1689600 --a
    C:\WINNT\system32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:28 1179648 --a
    C:\WINNT\system32\d3d8.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 524800 --a
    C:\WINNT\system32\qedit.dll
    2008-05-23 05:03:26 258424 --a
    C:\WINNT\system32\qasf.dll
    2008-05-23 05:03:26 194560 --a
    C:\WINNT\system32\mswebdvd.dll <Not Verified; Microsoft Corporation; DirectShow>
    2008-05-23 05:03:26 1769472 --a
    C:\WINNT\system32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 203264 --a
    C:\WINNT\system32\dpvoice.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 16896 --a
    C:\WINNT\system32\dpnsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 377856 --a
    C:\WINNT\system32\dpnet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:25 68096 --a
    C:\WINNT\system32\dsdmoprp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:25 166400 --a
    C:\WINNT\system32\dinput8.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:25 386048 --a
    C:\WINNT\system32\diactfrm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:24 733184 --a
    C:\WINNT\system32\qedwipes.dll
    2008-05-23 05:03:24 13312 --a
    C:\WINNT\system32\msdmo.dll
    2008-05-23 05:03:24 18944 --a
    C:\WINNT\system32\encapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:24 1189888 --a
    C:\WINNT\system32\dx8vb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 18432 --a
    C:\WINNT\system32\dswave.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 186880 --a
    C:\WINNT\system32\dsdmo.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 112128 --a
    C:\WINNT\system32\dpvvox.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 80896 --a
    C:\WINNT\system32\dpvsetup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 19968 --a
    C:\WINNT\system32\dpvacm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 3072 --a
    C:\WINNT\system32\dpnlobby.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 68096 --a
    C:\WINNT\system32\dpnhupnp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 32768 --a
    C:\WINNT\system32\dpnhpast.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 3072 --a
    C:\WINNT\system32\dpnaddr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 76800 --a
    C:\WINNT\system32\dmscript.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:22 44032 --a
    C:\WINNT\system32\dimap.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:22 7168 --a
    C:\WINNT\system32\d3d8thk.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 01:15:58 0 d
    C:\Microsoft
    2008-05-23 01:11:59 0 d
    C:\Documents and Settings\hope.KEY\Application Data\Microsoft
    2008-05-23 01:11:49 0 d--h
    C:\Documents and Settings\hope.KEY\Local Settings
    2008-05-23 01:11:48 0 d---s---- C:\Documents and Settings\hope.KEY\Temporary Internet Files
    2008-05-23 01:11:48 0 d---s---- C:\Documents and Settings\hope.KEY\History
    2008-05-23 01:11:48 0 d--h
    C:\Documents and Settings\hope.KEY\Cookies
    2008-05-23 01:11:48 0 d--h
    C:\Documents and Settings\hope.KEY\Application Data
    2008-05-23 01:11:46 0 d
    C:\Documents and Settings\hope.KEY\Start Menu
    2008-05-23 01:11:46 0 d--h
    C:\Documents and Settings\hope.KEY\Recent
    2008-05-23 01:11:46 0 d--h
    C:\Documents and Settings\hope.KEY\NetHood
    2008-05-23 01:11:46 0 d
    C:\Documents and Settings\hope.KEY\My Documents
    2008-05-23 01:11:46 0 d
    C:\Documents and Settings\hope.KEY\Favorites
    2008-05-23 01:11:46 0 d
    C:\Documents and Settings\hope.KEY\Desktop
    2008-05-23 01:11:43 0 d
    C:\Documents and Settings\hope.KEY\WINDOWS
    2008-05-23 01:11:36 53248 --ah
    C:\Documents and Settings\hope.KEY\ntuser.dat
    2008-05-22 23:33:27 0 d
    C:\Program Files\MSXML 6.0
    2008-05-22 16:24:38 0 d--h
    C:\$AVG8.VAULT$
    2008-05-22 16:18:58 0 d
    C:\WINNT\system32\drivers\Avg
    2008-05-22 16:18:15 0 d
    C:\Program Files\AVG
    2008-05-22 16:18:14 0 d-a
    C:\Documents and Settings\All Users\Application Data\avg8
    2008-05-22 14:52:03 0 d-a
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-22 09:11:46 39424 --a
    C:\WINNT\system32\xsys.dll <Not Verified; influenced.net; moo.dll>
    2008-05-22 09:11:46 162816 --a
    C:\WINNT\system32\wget.exe
    2008-05-22 09:11:46 190 --a
    C:\WINNT\system32\start.bat
    2008-05-22 09:11:46 53248 --a
    C:\WINNT\system32\scansql.exe
    2008-05-22 09:11:46 23 --a
    C:\WINNT\system32\rdate
    2008-05-22 09:11:46 37376 --a
    C:\WINNT\system32\psexec.exe <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-05-22 09:11:46 716 --a
    C:\WINNT\system32\dxn17.dll
    2008-05-22 09:11:46 10 --a
    C:\WINNT\system32\bot.dll
    2008-05-22 09:11:45 29696 --a
    C:\WINNT\system32\Libparse.exe
    2008-05-22 09:11:45 176 --a
    C:\WINNT\system32\KAHOL.bat
    2008-05-22 09:11:45 1634 --a
    C:\WINNT\system32\find.bat
    2008-05-22 09:11:45 118 --a
    C:\WINNT\system32\edit.BAT
    2008-05-14 09:25:35 0 d-a
    C:\Documents and Settings\All Users\Application Data\TEMP

    -- Find3M Report
    2008-05-30 20:12:01 419488 ---h
    C:\WINNT\ShellIconCache
    2008-05-29 13:24:36 0 d-a
    C:\Program Files\Common Files
    2008-05-27 08:02:36 537 --a
    C:\Documents and Settin
    2008-05-26 17:17:54 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-23 12:23:55 537 --a
    C:\Documents and Sett
    2008-05-23 04:10:44 0 d-a
    C:\Program Files\Symantec
    2008-05-23 04:10:25 0 d-a
    C:\Program Files\LiveUpdate Administration
    2008-05-22 23:16:45 0 d
    C:\Program Files\Dell
    2008-05-22 10:07:39 16384 --a
    t C:\WINNT\system32\Perflib_Perfdata_4e8.dat
    2008-03-27 17:08:58 16384 --a
    t C:\WINNT\system32\Perflib_Perfdata_4f4.dat
    2008-03-27 15:38:25 16384 --a
    t C:\WINNT\system32\Perflib_Perfdata_4dc.dat
    2008-03-13 14:43:00 16384 --a
    t C:\WINNT\system32\Perflib_Perfdata_4d0.dat

    -- Registry Dump
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiPTA"="Atiptaxx.exe" [09/05/00 10:57a C:\WINNT\system32\atiptaxx.exe]
    "Tweak UI"="TWEAKUI.CPL" [06/18/00 01:03p C:\WINNT\system32\TWEAKUI.CPL]
    "IcaBar"="icabar.exe" [05/06/03 08:19p C:\Program Files\Citrix\System32\icabar.exe]
    "JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [11/16/01 08:23p]
    "MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [11/04/00 08:09p]
    "Win2KService"="C:\WINNT\system32\nero.exe" []
    "AVG8_TRAY"="E:\PROGRA~1\avgtray.exe" [05/22/08 04:18p]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [02/20/01 12:09p C:\WINNT\system32\CTFMON.EXE]
    "SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "sysppc"="C:\WINNT\system32\ras\java\svchost\svchost.exe"
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "<NO NAME>"=
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [8/28/2007 11:49:12 AM]
    Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [4/8/2004 7:25:48 AM]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ShowSuperHidden"=1 (0x1)
    "NoFileAssociate"=1 (0x1)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="userinit,nddeagnt.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MetaFrame]
    ctxnotif.dll 05/06/03 08:19p 94208 C:\Program Files\Citrix\System32\ctxnotif.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=RMProcessLink.dll,mfaphook.dll,avgrsstx.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @=&quot;Driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @=&quot;Driver"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tapisrv Tapisrv


    -- End of Deckard's System Scanner: finished at 2008-06-01 18:15:07
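A defender-side triage of the DSS "Registry Dump" posted above, added here as an example that is not part of this thread, of Deckard's System Scanner or of any tool the helpers mention: it parses lines in the dump's layout and flags the autorun entries a responder would examine first (a core System32 binary name running from elsewhere, an entry DSS could not find a file for, and the Windows 9x-era RunServices key). The sample lines are a constructed subset copied from the dump; the core-binary list and the heuristics are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the DSS "Registry Dump" section posted
# above (a subset of its lines, values exactly as they appear in that post).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="Atiptaxx.exe" [09/05/00 10:57a C:\WINNT\system32\atiptaxx.exe]
"IcaBar"="icabar.exe" [05/06/03 08:19p C:\Program Files\Citrix\System32\icabar.exe]
"Win2KService"="C:\WINNT\system32\nero.exe" []
"AVG8_TRAY"="E:\PROGRA~1\avgtray.exe" [05/22/08 04:18p]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"sysppc"="C:\WINNT\system32\ras\java\svchost\svchost.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"='            # value name
    r'(?:"(?P<data>[^"]*)")?'          # quoted data (absent for "<NO NAME>"=)
    r'(?:\s*\[(?P<meta>[^\]]*)\])?'    # DSS file info "[date time path]" or "[]"
    r"\s*$"
)

# Assumption: binaries that belong in %SystemRoot%\system32 on an NT-family
# system.  The same file name anywhere else (cf. ras\java\svchost\svchost.exe
# in the dump) is a classic masquerade and goes to the top of the triage list.
CORE_SYSTEM32 = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32_DIR = re.compile(r"^[a-z]:\\(winnt|windows)\\system32$")


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    path: str
    reason: str


def resolve_path(data: str, meta: Optional[str]) -> str:
    """Return the full path DSS resolved for an entry, or the bare value if none."""
    if "\\" in data:
        return data
    if meta:
        m = re.search(r"([A-Za-z]:\\.*)$", meta)
        if m:
            return m.group(1)
    return data


def triage_autoruns(dump: str) -> list:
    """Flag autorun entries in a DSS registry dump that deserve a second look."""
    findings = []
    key = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or vm.group("data") is None:
            continue  # not a value line, or an empty value such as "<NO NAME>"=
        name, data, meta = vm.group("name"), vm.group("data"), vm.group("meta")
        path = resolve_path(data, meta)
        directory, _, binary = path.lower().rpartition("\\")
        if binary in CORE_SYSTEM32 and not SYSTEM32_DIR.match(directory):
            findings.append(Finding(key, name, path,
                f"{binary} is a core System32 binary but runs from "
                f"{directory or 'an unresolved location'}"))
        if meta == "":
            # DSS prints "[]" when it could not stat the file behind the value.
            findings.append(Finding(key, name, path,
                "DSS found no file at this path (deleted, hidden or pending)"))
        if key.lower().endswith("\\runservices"):
            findings.append(Finding(key, name, path,
                "RunServices is a Windows 9x-era key; unexpected on Windows 2000"))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_DUMP):
        print(f"{f.name!r} -> {f.path}\n    {f.reason}  [{f.key}]")
```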
  • edited June 2008
    Had to post in two separate replies because the text was too long:

    Extra.txt:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    -- System Information
    Microsoft Windows 2000 Server (build 2195) SP 4.0
    Architecture: X86; Language: English
    CPU 0: Intel Pentium III processor
    CPU 1: Intel Pentium III processor
    Percentage of Memory in Use: 73%
    Physical Memory (total/avail): 767.54 MiB / 200.43 MiB
    Pagefile Memory (total/avail): 1491.13 MiB / 757.64 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1953.45 MiB
    A: is Removable (No Media)
    C: is Fixed (NTFS) - 5.85 GiB total, 0.37 GiB free.
    D: is CDROM (CDFS)
    E: is Fixed (NTFS) - 27.86 GiB total, 5.7 GiB free.
    F: is Network (NTFS)
    G: is Network (NTFS)
    I: is Network (NTFS)
    K: is Network (NTFS)
    N: is Network (NTFS)
    P: is Network (Unformatted)
    W: is Network (NTFS)
    X: is Network (NTFS)
    Z: is Network (NTFS)
    \\.\PHYSICALDRIVE0 - PERC LD 0 PERCRAID SCSI Disk Device - 33.74 GiB - 3 partitions
    \PARTITION0 - Unknown - 31.35 MiB
    \PARTITION1 (bootable) - Installable File System - 5.85 GiB - C:
    \PARTITION2 - Installable File System - 27.86 GiB - E:

    -- Security Center
    AUOptions is disabled.

    -- Environment Variables
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\admin.KEY.000\Application Data
    CLASSPATH=f:\pvsw\BIN\PVJDBC2X.JAR;f:\pvsw\BIN\PVJDBC2.JAR
    CLIENTNAME=SCOTTS
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=KEYSERVER
    ComSpec=C:\WINNT\system32\cmd.exe
    DSETPATH=C:\Program Files\Dell\DSET
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\admin.KEY.000
    LOGONSERVER=\\KEYSERVER
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=f:\pvsw\BIN;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Citrix\System32\Citrix\IMA;C:\Program Files\Citrix\System32\Citrix\IMA\Subsystems;C:\WINNT\System32\Citrix\IMA;C:\Program Files\Citrix\system32;C:\Program Files\Citrix\SSLRelay;C:\Program Files\Dell\OpenManage\Array Manager
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PERVASIVE_PATH=f:\pvsw\BIN
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=080a
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    PWRCHUTE=C:\Program Files\Pwrchute
    SESSIONNAME=RDP-Tcp#14
    SystemDrive=C:
    SystemRoot=C:\WINNT
    TEMP=C:\DOCUME~1\ADMINK~1.000\LOCALS~1\Temp\c
    TMP=C:\DOCUME~1\ADMINK~1.000\LOCALS~1\Temp\c
    USERDNSDOMAIN=key.com
    USERDOMAIN=KEY
    USERNAME=admin
    USERPROFILE=C:\Documents and Settings\admin.KEY.000
    VSL=f:\pvsw\BIN
    windir=C:\WINNT

    -- User Profiles
    tsinternetuser (admin)
    steve (admin)
    randy.KEY (admin)
    jan.KEY (admin)
    admin.KEY.000 (admin)
    maryanne (admin)
    melissa
    mike (admin)
    rebecca
    laura (admin)
    jan.KEY.000 (admin)
    test
    test2 (new local, net ready)
    test3
    perry
    Lori
    roxanne (new local, admin, net ready)
    quilogy (admin)
    TestRem (new local, admin, net ready)
    IWAM_KEYSERVER (new local, guest)
    angela
    Larry
    michelle
    meredith
    genny
    mike.KEY
    randy.KEY.000 (admin)
    centralkansas
    misty
    allison
    faxoverflow
    quilogy.KEY.000 (admin)
    jenifer
    Lyndsay
    anne.KEY
    beth
    christy
    michelle
    Rachael
    jen (new local, admin, net ready)
    mike (admin)
    hope.KEY (admin)
    julye
    molly
    anne
    julye.KEY (admin)
    Cindy
    test.KEY (new local, admin, net ready)
    jack$ (new local, admin, net ready)
    jent (new local, admin, net ready)
    moly (new local, admin, net ready)
    mol1y (new local, admin, net ready)
    mikeo (admin)
    mikeo.KEY (new local, admin, net ready)
    kecfol$ (new local, admin, net ready)
    Administrator.KEYSERVER.000 (admin)
    admin.KEY (new local, admin, net ready)
    administrator.KEYSERVER (admin)
    admin (admin)
    jan (admin)
    Randy (admin)
    Administrator (admin)

    -- Add/Remove Programs
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Acrobat 5.0 --> "C:\DOCUMENTS AND SETTINGS\ADMIN.KEY.000\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
    Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
    AMS Server --> C:\WINNT\IsUninst.exe -f"C:\Program Files\NAV\AMSSERVR.isu" -c"C:\Program Files\NAV\AMSCust.dll"
    ATI Display Driver --> rundll32 C:\WINNT\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -inf_class:DISPLAY -clean
    AVG 8.0 --> E:\Program Files\setup.exe /UNINSTALL
    Backup Exec Open File Option --> C:\WINNT\IsUninst.exe -f"C:\Program Files\VERITAS\Backup Exec\NT\OfoUninst.isu" -cC:\PROGRA~1\VERITAS\BACKUP~1\NT\ofouninst.dll
    Bi-Admin --> C:\WINNT\IsUninst.exe -fC:\Linksys\printserver\Uninst.isu
    bxAutoZip 1.11 --> C:\Program Files\bxAutoZip\uninstall.exe
    Citrix MetaFrame XP Server for Windows with Feature Release 3 --> MsiExec.exe /I{05095D7E-4BA8-405F-A751-5C5C18BF5045}
    Citrix Web Console --> MsiExec.exe /I{0142860E-3EEC-4F99-8563-54318DE11458}
    Crystal Reports for .NET Framework 2.0 (x86) --> MsiExec.exe /I{7C05EEDD-E565-4E2B-ADE4-0C784C17311C}
    Data Collector Agent --> MsiExec.exe /X{DAAC48B7-9C1C-434F-BDC4-1239AEDD56E3}
    Debugging Tools for Windows --> MsiExec.exe /I{F3ECED46-91CC-4F44-9917-9A20085D5D26}
    Dell PowerEdge Diagnostics 2.7 --> C:\Program Files\PowerEdge Diagnostics\uninst.exe
    Dell Server E-Support Tool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAE678F7-E46D-4C45-A52C-0A7A567E6516}\Setup.exe" -l0x9 Uninstall
    Dell Software Uninstall --> C:\Program Files\Dell_HostCD\Install\x86\Uninstall.exe
    Deploy --> MsiExec.exe /I{A9468485-4EF4-48D6-841B-41BAE6CFD131}
    Device drivers for removable storage --> C:\WINNT\System32\DRVWUNIN.exe /DELCDB
    FRx 6.5 E:\Server\Dyndata\FRX65 --> "C:\Program Files\InstallShield Installation Information\guid.exe" -uninstall -guid"{EEF1B53C-405E-44C7-A4FC-D62730A3114A}_0"
    FRx 6.5 Service Pack --> E:\Server\Dyndata\FRX65\UNWISE.EXE E:\Server\Dyndata\FRX65\INSTALL.LOG
    FRx 6.7 (E:\Program Files) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1BD59A54-97D0-45A1-86CA-96D182405FA2}\Setup.exe" -l0x9
    FRx 6.7 Connection Manager for Microsoft Dynamics --> MsiExec.exe /I{80717873-4C15-401F-8B5B-6A0B7FACC2E6}
    Greenshades Center --> MsiExec.exe /I{3C668A41-BE9E-488C-AB17-2A9699EE5773}
    Greenshades Updater --> MsiExec.exe /I{1CDE2021-D9EB-4BDC-8282-6320312C3BAC}
    HijackThis 2.0.2 --> "E:\Program Files\HiJack\HijackThis.exe" /uninstall
    Intel(R) PRO Network Connections Drivers --> Prounstl.exe
    Java 2 Runtime Environment Standard Edition v1.2.2 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.2\Uninst.isu"
    Java 2 Runtime Environment, SE v1.4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD0159C9-17FB-11D6-A76A-00B0D079AF64}\setup.exe" Anytext
    Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
    Linksys PrintServer Driver --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Linksys\PrintDriver\Uninst.isu"
    Medicare Claims Express 3.0 --> MsiExec.exe /I{06EA0882-6922-4856-8D51-26920A99669B}
    Microsoft .NET Framework (English) --> MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
    Microsoft .NET Framework (English) v1.0.3705 --> C:\WINNT\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
    Microsoft .NET Framework 1.0 Hotfix (KB928367) --> "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
    Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
    Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
    Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
    Microsoft Business Solutions-Great Plains 7.50 --> C:\Documents and Settings\admin.KEY.000\WINDOWS\IsUninst.exe -f"E:\Program Files\Dynamics\DeIsL1.isu" -c"E:\Program Files\Dynamics\UNINST.dll"
    Microsoft Business Solutions Human Resources for Great Plains 7.50 --> C:\Documents and Settings\admin.KEY.000\WINDOWS\IsUninst.exe -f"E:\Program Files\Dynamics\HRPUnin.isu"
    Microsoft Internet Explorer Administration Kit 5 --> rundll32 advpack.dll,LaunchINFSection ieak5.inf,IEAK.Uninstall
    Microsoft Office 2000 Resource Kit Tools and Utilities --> MsiExec.exe /I{EF5F8554-0001-11d2-92F2-00104BC947F0}
    Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
    Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
    MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    NETGEAR Print Server Software --> C:\WINNT\IsUninst.exe -f"C:\Program Files\NETGEAR Print Server\Uninst.isu"
    Nucleus Kernel Undelete ver 4.02 --> "E:\Program Files\Nucleus Kernel Undelete\unins000.exe"
    PC-ACE Pro32 Claims Processing System --> F:\WINPCACE\UNINSTOK.EXE F:\WINPCACE\INSTALL.LOG
    Pervasive.SQL 2000i NT Server --> C:\WINNT\IsUninst.exe -ff:\pvsw\DeIsL5.isu -c"f:\pvsw\W32PATUN.DLL" -x"Pervasive.SQL 2000i NT Server (SP4)"
    Pervasive.SQL 2000i NT Server (SP4) --> C:\WINNT\IsUninst.exe -ff:\pvsw\UnIs_SP4.isu -c"f:\pvsw\W32PATUN.DLL" -ppNTSRV -sys"C:\WINNT\System32\"-bv2000SP3
    PowerChute plus 5.2.1 --> C:\WINNT\uninst.exe -f"C:\Program Files\Pwrchute\DeIsL1.isu" -c"C:\Program Files\Pwrchute\uninst.dll
    QuickBooks Premier Edition 2003 --> C:\Program Files\Installshield Installation Information\{237a4b24-78c4-11d6-a394-00104bd190b1}\QBReplace.exe {237a4b24-78c4-11d6-a394-00104bd190b1}#{AD46C591-FB19-11D5-A316-00104BD190B1}
    QWS3270 Freeware --> MsiExec.exe /X{22968FCB-37BD-4F1B-A86F-5BDC73602B6A}
    Remote Desktop Connection --> MsiExec.exe /X{60B9A48D-559E-43FA-8F28-D657190E4E52}
    ScanRouter V2 Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{387D6CC5-6D6C-4BA0-8EAF-955813BFC5D8}\setup.exe"
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
    Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
    SmartNetMonitor for Admin --> C:\WINNT\IsUninst.exe -f"C:\Program Files\RMAdmin\UninstA.isu" -c"C:\Program Files\RMAdmin\_PMAEND.DLL"
    SmartNetMonitor for Client --> C:\WINNT\IsUninst.exe -f"C:\Program Files\RMClient\UninstC.isu" -c"C:\Program Files\RMClient\_PMCEND.DLL"
    Spybot - Search & Destroy --> "E:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster 4.0 --> "E:\Program Files\SpywareBlaster\unins000.exe"
    Symantec System Center --> C:\WINNT\IsUninst.exe -f"C:\Program Files\SSC\SSCAD_UN.isu" -c"C:\Program Files\SSC\ConsInst.dll"
    Tweak UI --> C:\WINNT\rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 4 C:\WINNT\Inf\Tweakui.Inf
    VisionShare SESD Interactive 3.1.6 --> E:\Program Files\VisionShare\SESD Interactive\uninstall.exe
    WinAce Archiver 2.0 --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
    Windows 2000 Administration Tools --> MsiExec.exe /I{B7298620-EAC6-11D1-8F87-0060082EA63E}
    Windows 2000 Application Compatibility Update --> C:\WINNT\AppPatch\wuinst.exe -u
    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

    -- Application Event Log
    Event Record #/Type351628 / Error
    Event Submitted/Written: 05/29/2008 01:20:01 PM
    Event ID/Source: 1012 / Winlogon
    Event Description:
    The automatic certificate enrollment subsystem could not access local resources needed for enrollment.
    Enrollment will not be performed. (0x80070005) Access is denied.
    Event Record #/Type351627 / Error
    Event Submitted/Written: 05/29/2008 02:45:15 AM
    Event ID/Source: 1015 / Perflib
    Event Description:
    The timeout waiting for the performance data collection function "PerfOS"
    in the "C:\WINNT\system32\perfos.dll" Library to finish has expired. There may be a problem with
    this extensible counter or the service it is collecting data from or the
    system may have been very busy when this call was attempted.
    Event Record #/Type351626 / Error
    Event Submitted/Written: 05/28/2008 04:38:54 PM
    Event ID/Source: 1008 / Perflib
    Event Description:
    The Open Procedure for service "ASP.NET" in DLL "C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll" failed.
    Performance data for this service will not be available. Status code
    returned is data DWORD 0.
    Event Record #/Type351625 / Error
    Event Submitted/Written: 05/28/2008 02:24:49 PM
    Event ID/Source: 1008 / Perflib
    Event Description:
    The Open Procedure for service "ASP.NET" in DLL "C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll" failed.
    Performance data for this service will not be available. Status code
    returned is data DWORD 0.
    Event Record #/Type351624 / Error
    Event Submitted/Written: 05/28/2008 02:24:34 PM
    Event ID/Source: 1008 / Perflib
    Event Description:
    The Open Procedure for service "ASP.NET_1.0.3705.6060" in DLL "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll" failed.
    Performance data for this service will not be available. Status code
    returned is data DWORD 0.

    -- Security Event Log
    No Errors/Warnings found.

    -- System Event Log
    Event Record #/Type637706 / Warning
    Event Submitted/Written: 06/01/2008 06:14:08 PM
    Event ID/Source: 3019 / MRxSmb
    Event Description:
    The redirector failed to determine the connection type.
    Event Record #/Type637705 / Warning
    Event Submitted/Written: 06/01/2008 06:13:59 PM
    Event ID/Source: 3019 / MRxSmb
    Event Description:
    The redirector failed to determine the connection type.
    Event Record #/Type637704 / Warning
    Event Submitted/Written: 06/01/2008 06:13:56 PM
    Event ID/Source: 3019 / MRxSmb
    Event Description:
    The redirector failed to determine the connection type.
    Event Record #/Type637703 / Error
    Event Submitted/Written: 06/01/2008 06:13:45 PM
    Event ID/Source: 1106 / TermServDevices
    Event Description:
    The printer could not be installed.
    Event Record #/Type637702 / Error
    Event Submitted/Written: 06/01/2008 06:13:45 PM
    Event ID/Source: 1111 / TermServDevices
    Event Description:
    Driver RICOH Aficio MP 161 RPCS required for printer RICOH Aficio MP 161 RPCS is unknown. Contact the administrator to install the driver before you log in again.

    -- End of Deckard's System Scanner: finished at 2008-06-01 18:15:07
  • edited June 2008
    Hmm - one of the few malwares that actually creates a Winnt folder, infecting........ one of the few OSes that run from a Winnt folder. On other systems that surely would stick out like a sore thumb. And a very old and very vulnerable Java version there, which this malware has used to its advantage.

    Since a fair bit of this infection is documented, and some of that matches what is showing here, perhaps a safe enough move would be to remove/change what is known. This way to potential for error with legit files might occur. Use whatever backup means you do use there to store one now, and please understand it is your choice to do these repair steps. Admittedly I did not put together these repairs casually, and do not suggest them without considering alternatives.

    First follow the steps here to disable SpyBot's TeaTimer, as it will interfere with the repairs. Be sure to do all the steps, including the required reboot. If you have any difficulties accomplishing those then please go ahead and uninstall SpyBot - TeaTimer has been causing too many problems in repairs to make it worth any extra effort while we do them. You can always reinstall it after if you choose to.

    And to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    Go to Start > Run and type

    cmd

    and OK. At the prompt type (or copy\paste) the below commands and hit "Enter" after each line

    sc config MSpool start= disabled
    sc config "HTTP FLTER" start= disabled


    Type Exit to close.


    Download OTMoveIt2 by OldTimer to your desktop.

    Then click OTMoveIt2.exe to run it (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator").

    Copy the file paths below to the clipboard (by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):
    c:\winnt\system32\bot.dll
    c:\winnt\system32\control.ini
    c:\winnt\system32\devcheck.exe
    c:\winnt\system32\dxn17.dll
    c:\winnt\system32\edit.BAT
    c:\winnt\system32\edu.ini
    c:\winnt\system32\find.bat
    c:\winnt\system32\il.dbx
    c:\winnt\system32\ipcpass.dic
    c:\winnt\system32\IpcScan.exe
    c:\winnt\system32\KAHOL.bat
    c:\winnt\system32\Libparse.exe
    c:\winnt\system32\lock.bat
    c:\winnt\system32\mscdt.exe
    c:\winnt\system32\nero.exe
    c:\winnt\system32\nero.inf
    c:\winnt\system32\neroupdate.ini
    c:\winnt\system32\osql.exe
    c:\winnt\system32\psexec.exe
    c:\winnt\system32\random.ini
    c:\winnt\system32\rdate
    c:\winnt\system32\scansql.exe
    c:\winnt\system32\sqlpass.dic
    c:\winnt\system32\start.bat
    c:\winnt\system32\systemspool.ocx
    c:\winnt\system32\SystemSpool_dll.ocx
    c:\winnt\system32\wget.exe
    c:\winnt\system32\xsys.dll
    C:\WINNT\system32\ras\java\svchost\svchost.exe
    c:\winnt\system32\wnise.exe
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes" (it very likely will).


    Then fortunately BitDefender both works with Win 2003 and has some of this malware listed in its database. Disable your antivirus program (remember to re-enable it once this scan is complete) and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export the scan report". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.


    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the BitDefender log and the OTMoveIt log please.
  • edited June 2008
    Thanks again for your input and to clarify, I do appreciate the risks that may be involved with some of these fixes and would in no way hold you responsible if something goes wrong. Also, I am making backups of the data that I need if all hell breaks loose.

    It will likely be a day or two until I can get this all done and do the required reboots, etc. so please be patient and I will check back with those logs ASAP.

    Thanks again!
  • edited June 2008
    I get email notifications of responses, so when you are ready post back results and we can review then.
  • edited June 2008
    Here is my OTMoveIt log, more results coming soon:

    LoadLibrary failed for c:\winnt\system32\bot.dll
    c:\winnt\system32\bot.dll NOT unregistered.
    c:\winnt\system32\bot.dll moved successfully.
    c:\winnt\system32\control.ini moved successfully.
    File/Folder c:\winnt\system32\devcheck.exe not found.
    LoadLibrary failed for c:\winnt\system32\dxn17.dll
    c:\winnt\system32\dxn17.dll NOT unregistered.
    c:\winnt\system32\dxn17.dll moved successfully.
    c:\winnt\system32\edit.BAT moved successfully.
    c:\winnt\system32\edu.ini moved successfully.
    c:\winnt\system32\find.bat moved successfully.
    File/Folder c:\winnt\system32\il.dbx not found.
    c:\winnt\system32\ipcpass.dic moved successfully.
    File/Folder c:\winnt\system32\IpcScan.exe not found.
    c:\winnt\system32\KAHOL.bat moved successfully.
    c:\winnt\system32\Libparse.exe moved successfully.
    File/Folder c:\winnt\system32\lock.bat not found.
    File/Folder c:\winnt\system32\mscdt.exe not found.
    File/Folder c:\winnt\system32\nero.exe not found.
    c:\winnt\system32\nero.inf moved successfully.
    c:\winnt\system32\neroupdate.ini moved successfully.
    c:\winnt\system32\osql.exe moved successfully.
    c:\winnt\system32\psexec.exe moved successfully.
    c:\winnt\system32\random.ini moved successfully.
    c:\winnt\system32\rdate moved successfully.
    c:\winnt\system32\scansql.exe moved successfully.
    c:\winnt\system32\sqlpass.dic moved successfully.
    c:\winnt\system32\start.bat moved successfully.
    LoadLibrary failed for c:\winnt\system32\systemspool.ocx
    c:\winnt\system32\systemspool.ocx NOT unregistered.
    c:\winnt\system32\systemspool.ocx moved successfully.
    LoadLibrary failed for c:\winnt\system32\SystemSpool_dll.ocx
    c:\winnt\system32\SystemSpool_dll.ocx NOT unregistered.
    c:\winnt\system32\SystemSpool_dll.ocx moved successfully.
    c:\winnt\system32\wget.exe moved successfully.
    DllUnregisterServer procedure not found in c:\winnt\system32\xsys.dll
    c:\winnt\system32\xsys.dll NOT unregistered.
    c:\winnt\system32\xsys.dll moved successfully.
    File/Folder C:\WINNT\system32\ras\java\svchost\svchost.exe not found.
    File/Folder c:\winnt\system32\wnise.exe not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06052008_105111
  • edited June 2008
    So I won't miss which post is your last one, try instead now to do all the steps, then post the remainder all at once.
  • edited June 2008
    Sorry, that makes sense. Thanks for your patience, as you know from my post count I am the definition of a newbie.

    Here is my progress following the steps that you provided:

    I was unable to get the SC config command working but I did kill the services that you referred to. I stopped HTTP Filter (Wnise.exe) some time after I posted the original HijackThis log and I deleted wnise.exe. I stopped MSpool and deleted the associated msdtc.exe (I had to download KillThis to make it stop so that I could then delete the exe)

    Here is my OTMoveIt log:

    LoadLibrary failed for c:\winnt\system32\bot.dll
    c:\winnt\system32\bot.dll NOT unregistered.
    c:\winnt\system32\bot.dll moved successfully.
    c:\winnt\system32\control.ini moved successfully.
    File/Folder c:\winnt\system32\devcheck.exe not found.
    LoadLibrary failed for c:\winnt\system32\dxn17.dll
    c:\winnt\system32\dxn17.dll NOT unregistered.
    c:\winnt\system32\dxn17.dll moved successfully.
    c:\winnt\system32\edit.BAT moved successfully.
    c:\winnt\system32\edu.ini moved successfully.
    c:\winnt\system32\find.bat moved successfully.
    File/Folder c:\winnt\system32\il.dbx not found.
    c:\winnt\system32\ipcpass.dic moved successfully.
    File/Folder c:\winnt\system32\IpcScan.exe not found.
    c:\winnt\system32\KAHOL.bat moved successfully.
    c:\winnt\system32\Libparse.exe moved successfully.
    File/Folder c:\winnt\system32\lock.bat not found.
    File/Folder c:\winnt\system32\mscdt.exe not found.
    File/Folder c:\winnt\system32\nero.exe not found.
    c:\winnt\system32\nero.inf moved successfully.
    c:\winnt\system32\neroupdate.ini moved successfully.
    c:\winnt\system32\osql.exe moved successfully.
    c:\winnt\system32\psexec.exe moved successfully.
    c:\winnt\system32\random.ini moved successfully.
    c:\winnt\system32\rdate moved successfully.
    c:\winnt\system32\scansql.exe moved successfully.
    c:\winnt\system32\sqlpass.dic moved successfully.
    c:\winnt\system32\start.bat moved successfully.
    LoadLibrary failed for c:\winnt\system32\systemspool.ocx
    c:\winnt\system32\systemspool.ocx NOT unregistered.
    c:\winnt\system32\systemspool.ocx moved successfully.
    LoadLibrary failed for c:\winnt\system32\SystemSpool_dll.ocx
    c:\winnt\system32\SystemSpool_dll.ocx NOT unregistered.
    c:\winnt\system32\SystemSpool_dll.ocx moved successfully.
    c:\winnt\system32\wget.exe moved successfully.
    DllUnregisterServer procedure not found in c:\winnt\system32\xsys.dll
    c:\winnt\system32\xsys.dll NOT unregistered.
    c:\winnt\system32\xsys.dll moved successfully.
    File/Folder C:\WINNT\system32\ras\java\svchost\svchost.exe not found.
    File/Folder c:\winnt\system32\wnise.exe not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06052008_105111


    Here is my BitDefender log:

    BitDefender Online Scanner

    Scan report generated at: Thu, Jun 05, 2008 - 16:00:15

    Scan path: A:\;C:\;D:\;E:\;

    Statistics
    Time: 05:15:49
    Files: 263208
    Folders: 7695
    Boot Sectors: 4
    Archives: 2493
    Packed Files: 11726

    Results
    Identified Viruses: 11
    Infected Files: 11
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 11

    Engines Info
    Virus Definitions: 1256368
    Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
    Scan plugins: 16
    Archive plugins: 42
    Unpack plugins: 7
    E-mail plugins: 6
    System plugins: 5

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File
    Status
    C:\Documents and Settings\admin.KEY.000\Local Settings\Application Data\Identities\{61CB31D4-6E2F-4FBD-B989-66D875672B09}\Microsoft\Outlook Express\Inbox.dbx=>(message 20): Undelivered Mail Returned to Sender
    Infected with: Html.Bofra.D
    C:\Documents and Settings\admin.KEY.000\Local Settings\Application Data\Identities\{61CB31D4-6E2F-4FBD-B989-66D875672B09}\Microsoft\Outlook Express\Inbox.dbx=>(message 20): Undelivered Mail Returned to Sender
    Disinfection failed
    C:\Documents and Settings\admin.KEY.000\Local Settings\Application Data\Identities\{61CB31D4-6E2F-4FBD-B989-66D875672B09}\Microsoft\Outlook Express\Inbox.dbx=>(message 20): Undelivered Mail Returned to Sender
    Deleted
    C:\Documents and Settings\admin.KEY.000\Local Settings\Application Data\Identities\{61CB31D4-6E2F-4FBD-B989-66D875672B09}\Microsoft\Outlook Express\Inbox.dbx
    Updated
    C:\QUARANTINE\sipal.exe
    Detected with: Spyware.Procview.A
    C:\QUARANTINE\sipal.exe
    Deleted
    C:\WINNT\system32\spool\dosusal.exe
    Infected with: Backdoor.Mirc.BV
    C:\WINNT\system32\spool\dosusal.exe
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\edit.BAT
    Infected with: Trojan.Bat.Ircflood.H
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\edit.BAT
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\find.bat
    Infected with: Trojan.Bat.Ircflood.I
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\find.bat
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\KAHOL.bat
    Infected with: Trojan.Bat.Ircflood.S
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\KAHOL.bat
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\Libparse.exe
    Detected with: Application.Prcview.AC
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\Libparse.exe
    Disinfection failed
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\Libparse.exe
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\psexec.exe
    Detected with: Application.PsExec.A
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\psexec.exe
    Disinfection failed
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\psexec.exe
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\scansql.exe
    Detected with: Application.Hacktool.SQLScan.A
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\scansql.exe
    Disinfection failed
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\scansql.exe
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\start.bat
    Infected with: BAT.Zapchast.C
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\start.bat
    Disinfection failed
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\start.bat
    Deleted
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\xsys.dll
    Detected with: Spyware.MOO
    C:\_OTMoveIt\MovedFiles\06052008_105111\winnt\system32\xsys.dll
    Deleted


    Here is the main.txt from the DSS:

    Deckard's System Scanner v20071014.68
    Run by admin on 2008-06-05 17:30:46
    Computer is in Normal Mode.
    System Drive C: has 0.32 GiB (less than 15%) free.

    -- HijackThis (run as admin.exe)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:31:03 PM, on 6/5/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\Documents and Settings\admin.KEY.000\WINDOWS\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    E:\Program Files\AdAware\aawservice.exe
    C:\Program Files\Citrix\Installer\AgentSVC.exe
    C:\Program Files\Citrix\Installer\saginst.exe
    C:\WINNT\System32\ati2plxx.exe
    C:\WINNT\System32\cdmsvc.exe
    C:\WINNT\System32\ctxxmlss.exe
    C:\Program Files\Data Collector Agent\DCAService.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\encsvc.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\mfcom.exe
    C:\Program Files\SSC\NSCTOP.EXE
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\Program Files\RDS\RsiSvc.exe
    C:\Program Files\RDS\srscandr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\lserver.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\RDS\ddsschednt.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Citrix\system32\icabar.exe
    C:\WINNT\system32\ctfmon.exe
    E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    C:\WINNT\system32\ctfmon.exe
    E:\PROGRA~1\AVG\avgwdsvc.exe
    E:\PROGRA~1\AVG\avgam.exe
    E:\PROGRA~1\AVG\avgrsx.exe
    E:\PROGRA~1\AVG\avgemc.exe
    E:\Program Files\AVG\avgtray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\PROGRA~1\AVG\aAvgApi.exe
    C:\WINNT\system32\winlogon.exe
    C:\Documents and Settings\admin.KEY.000\Desktop\OTMoveIt2.exe
    C:\WINNT\system32\taskmgr.exe
    E:\PROGRA~1\AVG\avgnsx.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mmc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\admin.KEY.000\desktop\dss.exe
    E:\PROGRA~1\HiJack\admin.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVGTOO~1.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [Win2KService] C:\WINNT\system32\nero.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\avgtray.exe
    O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky\avp.exe"
    O4 - HKLM\..\RunServices: [sysppc] "C:\WINNT\system32\ras\java\svchost\svchost.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-2442363778-4136686664-1775863224-1122\..\Run: [ctfmon.exe] ctfmon.exe (User 'Jan')
    O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Documents and Settings\admin.KEY.000\WINDOWS\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Documents and Settings\admin.KEY.000\WINDOWS\bdoscandel.exe (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\admin.KEY.000\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\admin.KEY.000\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Broken Internet access because of LSP provider 'c:\documents and settings\admin.key.000\windows\system32\rnr20.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0843A48A-ADF3-4CF4-B66C-EFDE26E35926} (CWCLogoff.logoff) - http://localhost/Citrix/WebConsole/WebConsoleApp/CWClogoff.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206713661562
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206713650406
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = key.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F722CF7D-8013-433C-83A2-F66FA4B84D83}: NameServer = 192.168.0.2,207.191.50.10,207.191.1.10,216.251.32.100,216.251.32.101,207.115.59.241,207.69.188.185,207.155.184.72,206.173.119.72,68.52.0.6
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = key.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = key.com
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\avgpp.dll
    O20 - AppInit_DLLs: RMProcessLink.dll,mfaphook.dll,avgrsstx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\AdAware\aawservice.exe
    O23 - Service: ADF Installer Service (ADF Installer) - Citrix Systems, Inc. - C:\Program Files\Citrix\Installer\AgentSVC.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\avgwdsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky\avp.exe
    O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe (file missing)
    O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe (file missing)
    O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe (file missing)
    O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe (file missing)
    O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe (file missing)
    O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe (file missing)
    O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - Unknown owner - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe (file missing)
    O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - C:\WINNT\System32\cdmsvc.exe
    O23 - Service: Citrix WMI Service (CitrixWMIService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\citrix\WMI\ctxwmisvc.exe
    O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\WINNT\System32\ctxxmlss.exe
    O23 - Service: Data Collector Agent (DCA Service) - PrintFleet Inc. - C:\Program Files\Data Collector Agent\DCAService.exe
    O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
    O23 - Service: Encryption Service - Citrix Systems, Inc. - C:\WINNT\System32\encsvc.exe
    O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
    O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
    O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - C:\WINNT\System32\mfcom.exe
    O23 - Service: NetBackup Client Service (NetBackup INET Daemon) - Unknown owner - C:\VERITAS\NetBackup\bin\bpinetd.exe (file missing)
    O23 - Service: NetBackup Volume Manager - Unknown owner - C:\VERITAS\Volmgr\bin\bevmd.exe (file missing)
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
    O23 - Service: Pervasive.SQL 2000 (relational) - Unknown owner - f:\pvsw\BIN\W3SQLMGR.EXE (file missing)
    O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - f:\pvsw\BIN\NTBTRV.EXE (file missing)
    O23 - Service: Resource Manager Mail (ResourceManagerMail) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\IMA\MailService.exe
    O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
    O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
    O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe
    O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
    --
    End of file - 11902 bytes
    -- File Associations
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R0 drvmcdb - c:\winnt\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
    R0 Otman5 (Open Transaction Manager) - c:\winnt\system32\drivers\otman5.sys <Not Verified; Columbia Data Products, Inc.; Open Transaction Manager ®>
    R2 Cdm - c:\winnt\system32\drivers\cdm.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 ctxsmcdrv (Citrix SMC Support Driver) - c:\winnt\system32\drivers\ctxsmcdrv.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R3 dcdbas (System Management Driver) - c:\winnt\system32\drivers\dcdbas32.sys <Not Verified; Dell Inc.; Dell(R) Hardware Abstraction>
    R3 IcaReduc - c:\winnt\system32\drivers\icareduc.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    S1 SCSIChanger - c:\winnt\system32\drivers\scsichng.sys <Not Verified; VERITAS Software; Microsoft® Windows NT(TM) Operating System>
    S3 Damini (Dynamic Access Miniport) - c:\winnt\system32\drivers\daprotim.sys (file missing)
    S3 dcdtvm (Systems management TVM driver) - c:\winnt\system32\drivers\dcdtvm32.sys (file missing)
    S3 dset - c:\program files\dell\dset\bin\omsalite\oma\bin\nt_node\dcesm.sys (file missing)
    S3 NDISHOOK (NDISHOOK Protocol Driver) - c:\linksys\printserver\ndishook.sys <Not Verified; Printing Communications Assoc., Inc.; PCA Win32 NDIS Framework (WinDis 32)>
    S3 pdcrypt1 - c:\winnt\system32\drivers\pdcrypt1.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    S3 pdcrypt2 - c:\winnt\system32\drivers\pdcrypt2.sys <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    S3 PORTACCESSOR_1 - c:\program files\dell\sysmgt\oldiags\packages\portaccessor32.sys (file missing)

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R2 ADF Installer (ADF Installer Service) - c:\program files\citrix\installer\agentsvc.exe <Not Verified; Citrix Systems, Inc.; Citrix Installation Manager 2.3>
    R2 CdmService (Client Network) - c:\winnt\system32\cdmsvc.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 CtxHttp (Citrix XML Service) - c:\winnt\system32\ctxxmlss.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 DCA Service (Data Collector Agent) - "c:\program files\data collector agent\dcaservice.exe" <Not Verified; PrintFleet Inc.; PrintFleet™>
    R2 DdsSched (Dds Scheduler Deamon) - "c:\program files\rds\ddsschednt.exe" <Not Verified; RICOH Company Ltd.; Ridoc Docuent System>
    R2 Encryption Service - c:\winnt\system32\encsvc.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 IMAService (Independent Management Architecture) - c:\program files\citrix\system32\citrix\ima\imasrv.exe <Not Verified; Citrix Systems, Inc.; Citrix Independent Management Architecture>
    R2 MFCom (MetaFrame COM Server) - c:\winnt\system32\mfcom.exe <Not Verified; Citrix Systems, Inc.; Citrix MetaFrame XP>
    R2 NSCTOP (Symantec System Center Discovery Service) - c:\program files\ssc\nsctop.exe <Not Verified; Symantec Corporation; Norton System Center>
    R2 RsiSvc (Ridoc Server Information Service) - c:\program files\rds\rsisvc.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
    R2 ScanRouterDriverV2 - "c:\program files\rds\srscandr.exe" <Not Verified; Ricoh Co.,Ltd.; Server Application Program>
    S2 BackupExecAgentBrowser (Backup Exec 8.x Agent Browser) - "c:\program files\veritas\backup exec\nt\benetns.exe" (file missing)
    S2 BackupExecAlertServer (Backup Exec 8.x Alert Server) - "c:\program files\veritas\backup exec\nt\alertserver.exe" (file missing)
    S2 BackupExecDeviceMediaService (Backup Exec 8.x Device & Media Service) - "c:\program files\veritas\backup exec\nt\pvlsvr.exe" (file missing)
    S2 BackupExecJobEngine (Backup Exec 8.x Job Engine) - "c:\program files\veritas\backup exec\nt\bengine.exe" (file missing)
    S2 BackupExecNamingService (Backup Exec 8.x Naming Service) - "c:\program files\veritas\backup exec\nt\benser.exe" (file missing)
    S2 BackupExecNotificationServer (Backup Exec 8.x Notification Server) - "c:\program files\veritas\backup exec\nt\nsvr.exe" (file missing)
    S2 BackupExecRPCService (Backup Exec 8.x Server) - "c:\program files\veritas\backup exec\nt\beserver.exe" (file missing)
    S2 Intel Alert Handler - c:\winnt\system32\ams_ii\hndlrsvc.exe <Not Verified; Intel Corporation; Intel Alert Management System 2>
    S2 Intel Alert Originator - c:\winnt\system32\ams_ii\iao.exe <Not Verified; Intel Corporation; Intel Alert Management System 2>
    S2 Intel File Transfer - c:\winnt\system32\cba\xfr.exe <Not Verified; Intel Corporation; Intel Common Base Agent>
    S2 Pervasive.SQL 2000 (relational) - "f:\pvsw\bin\w3sqlmgr.exe" (file missing)
    S2 Pervasive.SQL 2000 (transactional) - "f:\pvsw\bin\ntbtrv.exe" (file missing)
    S2 SOption - c:\program files\rds\soption.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
    S3 CitrixWMIService (Citrix WMI Service) - c:\program files\citrix\system32\citrix\wmi\ctxwmisvc.exe <Not Verified; Citrix Systems, Inc.; Citrix WMI Provider>
    S3 NetBackup INET Daemon (NetBackup Client Service) - c:\veritas\netbackup\bin\bpinetd.exe (file missing)
    S3 NetBackup Volume Manager - c:\veritas\volmgr\bin\bevmd.exe (file missing)
    S3 ResourceManagerMail (Resource Manager Mail) - c:\program files\citrix\system32\citrix\ima\mailservice.exe <Not Verified; Citrix Systems, Inc.; Resource Manager for MetaFrame XP™>
    S4 HTTP FLTER - c:\winnt\system32\wnise.exe (file missing)
    S4 MSpool (MS System Spooler) - c:\winnt\system32\mscdt.exe (file missing)

    -- Device Manager: Disabled
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 Network Connection
    Device ID: PCI\VEN_8086&DEV_1229&SUBSYS_009B1028&REV_08\3&13C0B0C5&0&10
    Manufacturer: Intel
    Name: Intel(R) PRO/100 Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1229&SUBSYS_009B1028&REV_08\3&13C0B0C5&0&10
    Service: E100B

    -- Files created between 2008-05-05 and 2008-06-05
    2008-06-05 17:28:04 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_6f0.dat
    2008-06-05 17:08:53 0 d-------- C:\!KillBox
    2008-06-05 10:37:40 0 d-------- C:\WINNT\BDOSCAN8
    2008-06-05 10:31:42 2132000 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
    2008-06-05 10:29:48 13600 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
    2008-06-05 10:29:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-06-05 09:51:28 0 d-------- C:\WINNT\system32\drivers\Avg
    2008-06-05 09:51:28 0 d-------- C:\Documents and Settings\admin.KEY.000\Application Data\AVGTOOLBAR
    2008-06-05 08:02:01 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4c8.dat
    2008-06-05 01:48:47 611113 --a------ C:\Documents and Settings\hope.KEY\hao.exe
    2008-06-05 00:58:07 0 d-------- C:\Documents and Settings\hope.KEY\Application Data\Macromedia
    2008-05-29 19:50:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_514.dat
    2008-05-26 17:21:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-23 08:29:27 0 d--h----- C:\Documents and Settings\hope.KEY\Templates
    2008-05-23 05:03:28 1689600 --a------ C:\WINNT\system32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:28 1179648 --a------ C:\WINNT\system32\d3d8.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 524800 --a------ C:\WINNT\system32\qedit.dll
    2008-05-23 05:03:26 258424 --a------ C:\WINNT\system32\qasf.dll
    2008-05-23 05:03:26 194560 --a------ C:\WINNT\system32\mswebdvd.dll <Not Verified; Microsoft Corporation; DirectShow>
    2008-05-23 05:03:26 1769472 --a------ C:\WINNT\system32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 203264 --a------ C:\WINNT\system32\dpvoice.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 16896 --a------ C:\WINNT\system32\dpnsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:26 377856 --a------ C:\WINNT\system32\dpnet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:25 68096 --a------ C:\WINNT\system32\dsdmoprp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:25 166400 --a------ C:\WINNT\system32\dinput8.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:25 386048 --a------ C:\WINNT\system32\diactfrm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:24 733184 --a------ C:\WINNT\system32\qedwipes.dll
    2008-05-23 05:03:24 13312 --a------ C:\WINNT\system32\msdmo.dll
    2008-05-23 05:03:24 18944 --a------ C:\WINNT\system32\encapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:24 1189888 --a------ C:\WINNT\system32\dx8vb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 18432 --a------ C:\WINNT\system32\dswave.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 186880 --a------ C:\WINNT\system32\dsdmo.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 112128 --a------ C:\WINNT\system32\dpvvox.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 80896 --a------ C:\WINNT\system32\dpvsetup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 19968 --a------ C:\WINNT\system32\dpvacm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 3072 --a------ C:\WINNT\system32\dpnlobby.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 68096 --a------ C:\WINNT\system32\dpnhupnp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 32768 --a------ C:\WINNT\system32\dpnhpast.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 3072 --a------ C:\WINNT\system32\dpnaddr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:23 76800 --a------ C:\WINNT\system32\dmscript.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:22 44032 --a------ C:\WINNT\system32\dimap.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 05:03:22 7168 --a------ C:\WINNT\system32\d3d8thk.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-23 01:15:58 0 d-------- C:\Microsoft
    2008-05-23 01:11:59 0 d-------- C:\Documents and Settings\hope.KEY\Application Data\Microsoft
    2008-05-23 01:11:49 0 d--h----- C:\Documents and Settings\hope.KEY\Local Settings
    2008-05-23 01:11:48 0 d---s---- C:\Documents and Settings\hope.KEY\Temporary Internet Files
    2008-05-23 01:11:48 0 d---s---- C:\Documents and Settings\hope.KEY\History
    2008-05-23 01:11:48 0 d--h----- C:\Documents and Settings\hope.KEY\Cookies
    2008-05-23 01:11:48 0 d--h----- C:\Documents and Settings\hope.KEY\Application Data
    2008-05-23 01:11:46 0 d-------- C:\Documents and Settings\hope.KEY\Start Menu
    2008-05-23 01:11:46 0 d--h----- C:\Documents and Settings\hope.KEY\Recent
    2008-05-23 01:11:46 0 d--h----- C:\Documents and Settings\hope.KEY\NetHood
    2008-05-23 01:11:46 0 d-------- C:\Documents and Settings\hope.KEY\My Documents
    2008-05-23 01:11:46 0 d-------- C:\Documents and Settings\hope.KEY\Favorites
    2008-05-23 01:11:46 0 d-------- C:\Documents and Settings\hope.KEY\Desktop
    2008-05-23 01:11:43 0 d-------- C:\Documents and Settings\hope.KEY\WINDOWS
    2008-05-23 01:11:36 53248 --ah----- C:\Documents and Settings\hope.KEY\ntuser.dat
    2008-05-22 23:33:27 0 d-------- C:\Program Files\MSXML 6.0
    2008-05-22 16:24:38 0 d--h----- C:\$AVG8.VAULT$
    2008-05-22 16:18:15 0 d-------- C:\Program Files\AVG
    2008-05-22 16:18:14 0 d-a------ C:\Documents and Settings\All Users\Application Data\avg8
    2008-05-22 14:52:03 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-14 09:25:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

    -- Find3M Report
    2008-06-05 08:28:23 419396 ---h----- C:\WINNT\ShellIconCache
    2008-05-29 13:24:36 0 d-a------ C:\Program Files\Common Files
    2008-05-27 08:02:36 537 --a------ C:\Documents and Settin
    2008-05-26 17:17:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-23 12:23:55 537 --a------ C:\Documents and Sett
    2008-05-23 04:10:44 0 d-a------ C:\Program Files\Symantec
    2008-05-23 04:10:25 0 d-a------ C:\Program Files\LiveUpdate Administration
    2008-05-22 23:16:45 0 d-------- C:\Program Files\Dell
    2008-05-22 10:07:39 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4e8.dat
    2008-03-27 17:08:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4f4.dat
    2008-03-27 15:38:25 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4dc.dat
    2008-03-13 14:43:00 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4d0.dat

    -- Registry Dump
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
    06/05/08 09:51a 2051328 --a------ E:\PROGRA~1\AVG\AVGTOO~1.DLL
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"= E:\PROGRA~1\AVG\AVGTOO~1.DLL [06/05/08 09:51a 2051328]
    [-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
    [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiPTA"="Atiptaxx.exe" [09/05/00 10:57a C:\WINNT\system32\atiptaxx.exe]
    "Tweak UI"="TWEAKUI.CPL" [06/18/00 01:03p C:\WINNT\system32\TWEAKUI.CPL]
    "IcaBar"="icabar.exe" [05/06/03 08:19p C:\Program Files\Citrix\System32\icabar.exe]
    "JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [11/16/01 08:23p]
    "MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [11/04/00 08:09p]
    "Win2KService"="C:\WINNT\system32\nero.exe" []
    "AVG8_TRAY"="E:\PROGRA~1\AVG\avgtray.exe" [06/05/08 09:51a]
    "AVP"="E:\Program Files\Kaspersky\avp.exe" [06/05/08 01:08p]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "sysppc"="C:\WINNT\system32\ras\java\svchost\svchost.exe"
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "<NO NAME>"=
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [8/28/2007 11:49:12 AM]
    Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [4/8/2004 7:25:48 AM]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ShowSuperHidden"=1 (0x1)
    "NoFileAssociate"=1 (0x1)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="userinit,nddeagnt.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MetaFrame]
    ctxnotif.dll 05/06/03 08:19p 94208 C:\Program Files\Citrix\System32\ctxnotif.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=RMProcessLink.dll,mfaphook.dll,avgrsstx.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @=&quot;Driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @=&quot;Driver"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tapisrv Tapisrv
    *Newly Created Service* - AVG8EMC
    *Newly Created Service* - AVP
    *Newly Created Service* - KLIF

    -- End of Deckard's System Scanner: finished at 2008-06-05 17:31:50
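    A small triage script for HijackThis-style lines, added here as an example (it is not part of the thread and not a tool any poster used): it parses the O4, F2 and O23 formats from the log above and flags the three things a responder checks first, a core-Windows file name launched from a non-system directory, a Userinit value with entries beyond the expected defaults, and services whose binary is missing or has no publisher. The sample lines are copied from the log in this thread; the allowlists, the severity labels and the Userinit defaults are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example; not part of
the thread).  It parses the O4, F2 and O23 line formats seen in the log above
and applies three review heuristics a responder would apply by hand:

  * an autostart entry whose file name matches a core Windows binary but which
    runs from somewhere other than the system directory,
  * a Userinit value with entries beyond the expected defaults, and
  * a service whose binary is missing or carries no publisher information.

The sample lines are copied from the log in this thread; the allowlists and
severity labels are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Names malware commonly borrows; legitimate copies live in SYSTEM_DIRS.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
}
SYSTEM_DIRS = {"\\winnt", "\\winnt\\system32", "\\windows", "\\windows\\system32"}
# Userinit entries treated as expected here: userinit plus the NetDDE agent,
# which is what this Windows 2000 log shows (assumption).  Anything else is flagged.
USERINIT_ALLOWED = {"userinit", "userinit.exe", "nddeagnt.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)

# Lines copied from the HijackThis section of the log in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O4 - HKLM\\..\\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\\..\\Run: [Win2KService] C:\\WINNT\\system32\\nero.exe
O4 - HKLM\\..\\RunServices: [sysppc] "C:\\WINNT\\system32\\ras\\java\\svchost\\svchost.exe"
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] E:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINNT\\System32\\ati2plxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\\PROGRA~1\\AVG\\avgwdsvc.exe
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - Unknown owner - C:\\Program Files\\VERITAS\\Backup Exec\\NT\\bengine.exe (file missing)
"""


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" or "review"
    reason: str
    text: str


def split_path(cmd: str) -> tuple[str, str]:
    """Return (directory, filename) of the executable in a command string,
    lower-cased and without the drive letter.  HijackThis prints unquoted
    paths that contain spaces, so the path is cut at the first executable
    extension rather than at the first space."""
    m = re.match(r'\s*"?(?P<p>.*?\.(?:exe|com|dll|cpl|bat))\b', cmd, re.I)
    path = (m.group("p") if m else cmd.strip()).lower()
    path = re.sub(r"^[a-z]:", "", path)
    directory, _, filename = path.rpartition("\\")
    return directory, filename


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis-style lines and return findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if m := O4_RE.match(line):
            directory, filename = split_path(m.group("cmd"))
            if filename in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
                findings.append(Finding(line_no, "high",
                    f"{filename} launched from non-system directory "
                    f"'{directory or '.'}' via {m.group('key')}", line))
        elif m := F2_RE.match(line):
            entries = [e.strip().lower() for e in m.group("value").split(",") if e.strip()]
            extra = [e for e in entries if e not in USERINIT_ALLOWED]
            if extra:
                findings.append(Finding(line_no, "high",
                    "unexpected Userinit entries: " + ", ".join(extra), line))
        elif line.startswith("O23 - Service: "):
            # Format: <service> - <owner> - <path>; the path may itself contain
            # " - ", so split only twice from the left.
            parts = line[len("O23 - Service: "):].split(" - ", 2)
            if len(parts) == 3:
                _, owner, path = parts
                if path.endswith("(file missing)"):
                    findings.append(Finding(line_no, "review",
                        "service binary missing (stale entry or deleted file)", line))
                elif owner == "Unknown owner":
                    findings.append(Finding(line_no, "review",
                        "service binary has no publisher information", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.reason}\n    {f.text}")
```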
  • edited June 2008
    Progress, but some more to do, and still this setup is quite a head scratcher assessing things.

    But now you have both AVG and Kaspersky, which will conflict with each other and cause issues of their own. Team effort here, bobgilbert, so if you choose to do your own methods, you choose the outcomes. You installed Kaspersky, which says as part of its install to uninstall any other AV software, yes? And did that with TeaTimer running (it apparently was not disabled as suggested earlier), and AVG? Killbox now showing recently used?

    Disable all security software. Uninstall SpyBot, then uninstall AVG. You need to remove one of the AVs, and right now the correct scan done by Kaspersky would be beneficial. Once you have done that, although I really did not want a reboot involved, go ahead and reboot, and run a new BitDefender scan again.

    Then run a new Deckard's scan, using the same steps as just now, and post that along with the new BitDefender scan log please.