Symantec Endpoint said it removed Backdoor.tidserv.l!inf. After that, this computer was still showing over 200 outbound connections while sitting idle on the SonicWALL active connections monitor. I have attached all the Preliminary Removal logs per the sticky. The computer has not been networked or used since the scans were run.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4954
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/26/2010 3:25:41 PM
mbam-log-2010-10-26 (15-25-41).txt
Scan type: Quick scan
Objects scanned: 244773
Time elapsed: 18 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 28
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\tvaughn\Application Data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\tvaughn\Application Data\SysWin\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sl700496165 (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GnuHashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-26 17:01:12
Windows 5.1.2600 Service Pack 3
Running: szubkk0t.exe; Driver: C:\DOCUME~1\ADMINI~1.PSI\LOCALS~1\Temp\fxloypod.sys
---- System - GMER 1.0.15 ----
SSDT 875D44A8 ZwAlertResumeThread
SSDT 8755C848 ZwAlertThread
SSDT 8708EAA0 ZwAllocateVirtualMemory
SSDT 875BE5D8 ZwConnectPort
SSDT 870E5AA0 ZwCreateMutant
SSDT 875B5A10 ZwCreateThread
SSDT 870B6BB0 ZwFreeVirtualMemory
SSDT 8765E5F0 ZwImpersonateAnonymousToken
SSDT 87622488 ZwImpersonateThread
SSDT 87565090 ZwMapViewOfSection
SSDT 87572478 ZwOpenEvent
SSDT 8759F330 ZwOpenProcessToken
SSDT 870E2B98 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF78346B0]
SSDT 87592B78 ZwResumeThread
SSDT 8759F4E0 ZwSetContextThread
SSDT 87094BD8 ZwSetInformationProcess
SSDT 870D0AE8 ZwSetInformationThread
SSDT 8754FAA0 ZwSuspendProcess
SSDT 875B2828 ZwSuspendThread
SSDT 8762C0B0 ZwTerminateProcess
SSDT 8759F518 ZwTerminateThread
SSDT 8759F368 ZwUnmapViewOfSection
SSDT 8708AAA0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 90 804E26EC 4 Bytes JMP 97778708
.text ntoskrnl.exe!_abnormal_termination + 214 804E2870 2 Bytes [78, 24] {JS 0x26}
.text ntoskrnl.exe!_abnormal_termination + 217 804E2873 1 Byte [87]
? suicp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3240] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10403687 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4040] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Scap.sys (Check Point Software Technologies)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Scap.sys (Check Point Software Technologies)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Scap.sys (Check Point Software Technologies)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Scap.sys (Check Point Software Technologies)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-10-21.02) - NTFSx86
Run by Administrator at 17:05:21.25 on Tue 10/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.644 [GMT -4:00]
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slClient.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\expsrv32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\OpenRsm\Agent\OrsmAgentService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\devmgr32.exe
C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\administrator.psi\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
BHO: {0c518f64-a339-4980-96f6-7ac886e4b19f} - c:\windows\system32\atioglxx32.dll
BHO: {0e7fecb0-6bd6-4b2d-9094-1907ccf67fca} - c:\windows\system32\atioglxx32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: e8022bb2: {5a96e11c-cd93-0d21-c1ab-8b0383b8ad01} - c:\windows\system32\jsproxy32.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [CARPService] "carpserv.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Desktop Authority GUI] "c:\program files\desktopauthority\ragui.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter2.0] "c:\program files\oce\controlcenter2\brctrcen.exe" /autorun
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [XA5RJ9EADJ] c:\windows\temp\Twr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\dell\bluetooth software\BTTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1.psi\applic~1\mozilla\firefox\profiles\t1lpe0bo.default\
FF - plugin: c:\documents and settings\tvaughn\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tvaughn\application data\move networks\plugins\npqmp071505000011.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-9-18 91136]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-17 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-17 108392]
R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\desktopauthority\rainfo.sys [2006-12-19 6400]
R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\desktopauthority\ramaint.exe [2006-12-19 49152]
R2 DesktopAuthority;Desktop Authority Service;c:\program files\desktopauthority\DesktopAuthority.exe [2006-12-19 1089536]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2006-8-3 190528]
R2 OrsmAgentServiceCom;OrsmAgentServiceCom;c:\program files\openrsm\agent\OrsmAgentService.exe [2007-4-24 1041920]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-7-27 17456]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2005-12-19 527360]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-17 1775344]
R2 Symantec AntiVirus32;Symantec Endpoint Protection ;c:\windows\system32\expsrv32.exe [2010-10-20 1349120]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-7-27 670128]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [2006-12-19 2944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-18 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-7-27 2041904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101026.002\NAVENG.SYS [2010-10-26 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101026.002\NAVEX15.SYS [2010-10-26 1371184]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2006-8-3 18944]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2006-8-3 70144]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-18 23180]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-8-17 23888]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2006-8-3 15360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-7-27 14924]
=============== Created Last 30 ================
2010-10-26 18:52:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 18:52:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 14:19:04 0 ---ha-w- c:\documents and settings\administrator.psi\ymmszlgrbn.tmp
2010-10-26 14:14:51 -------- d-----w- c:\program files\Magical Jelly Bean
2010-10-26 14:13:09 -------- d-----w- c:\docume~1\admini~1.psi\locals~1\applic~1\Mozilla
2010-10-20 19:16:44 174592 ----a-w- c:\windows\system32\jscript32.exe
2010-10-20 19:16:27 203776 --sh--w- c:\windows\system32\unrar.exe
2010-10-20 19:16:27 -------- d-----w- c:\windows\system32\709041280
2010-10-20 19:15:57 1349120 ----a-w- c:\windows\system32\devmgr32.exe
2010-10-20 19:15:55 250368 ----a-w- c:\windows\system32\jsproxy32.dll
2010-10-20 19:15:51 1349120 ----a-w- c:\windows\system32\expsrv32.exe
2010-10-20 19:15:48 370176 ----a-w- c:\windows\system32\atioglxx32.dll
==================== Find3M ====================
2010-08-18 16:49:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-17 20:22:18 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-17 20:22:16 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-17 20:22:16 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-17 20:22:16 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-17 20:22:16 242056 ----a-w- c:\windows\system32\SymRedir.dll
============= FINISH: 17:05:41.65 ===============
DDS (Ver_10-10-21.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/27/2007 4:21:20 PM
System Uptime: 10/26/2010 3:27:16 PM (2 hours ago)
Motherboard: Dell Computer Corporation | | 0D2125
Processor: Intel(R) Pentium(R) M processor 1.80GHz | Microprocessor | 1798/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 30.415 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4324&SUBSYS_00031028&REV_03\4&39A85202&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4324&SUBSYS_00031028&REV_03\4&39A85202&0&18F0
Service: BCM43XX
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN-1 SecureClient Adapter
Device ID: ROOT\NET\0001
Manufacturer: Check Point
Name: VPN-1 SecureClient Adapter
PNP Device ID: ROOT\NET\0001
Service: OMVA
==== System Restore Points ===================
RP1: 7/26/2010 7:34:50 AM - System Checkpoint
RP2: 7/27/2010 2:27:25 PM - System Checkpoint
RP3: 7/28/2010 3:16:30 PM - System Checkpoint
RP4: 8/2/2010 1:03:40 PM - System Checkpoint
RP5: 8/3/2010 10:02:24 AM - Removed Symantec AntiVirus
RP6: 8/3/2010 10:28:28 AM - Revo Uninstaller's restore point - FaxPress
RP7: 8/3/2010 10:29:27 AM - Removed FaxPress
RP8: 8/4/2010 1:05:31 PM - System Checkpoint
RP9: 8/6/2010 10:05:25 AM - System Checkpoint
RP10: 8/9/2010 8:45:19 AM - System Checkpoint
RP11: 8/10/2010 11:07:01 AM - System Checkpoint
RP12: 8/11/2010 1:26:09 PM - System Checkpoint
RP13: 8/12/2010 2:35:58 PM - System Checkpoint
RP14: 8/16/2010 12:20:07 PM - System Checkpoint
RP15: 8/17/2010 12:55:25 PM - System Checkpoint
RP16: 8/18/2010 12:47:07 PM - Installed Symantec Endpoint Protection Client.
RP17: 8/19/2010 3:33:01 PM - System Checkpoint
RP18: 8/23/2010 8:32:24 AM - System Checkpoint
RP19: 8/26/2010 11:58:16 AM - System Checkpoint
RP20: 8/30/2010 12:19:07 PM - System Checkpoint
RP21: 8/31/2010 12:32:43 PM - System Checkpoint
RP22: 9/1/2010 12:43:54 PM - System Checkpoint
RP23: 9/2/2010 1:35:40 PM - System Checkpoint
RP24: 9/8/2010 10:14:46 AM - System Checkpoint
RP25: 9/9/2010 1:00:19 PM - System Checkpoint
RP26: 9/10/2010 1:39:43 PM - System Checkpoint
RP27: 9/13/2010 1:05:57 PM - System Checkpoint
RP28: 9/14/2010 1:38:42 PM - System Checkpoint
RP29: 9/16/2010 12:36:11 PM - System Checkpoint
RP30: 9/17/2010 1:06:07 PM - System Checkpoint
RP31: 9/20/2010 1:05:44 PM - System Checkpoint
RP32: 9/21/2010 1:55:54 PM - System Checkpoint
RP33: 9/22/2010 3:33:03 PM - System Checkpoint
RP34: 9/24/2010 9:41:39 AM - System Checkpoint
RP35: 10/4/2010 1:38:56 PM - System Checkpoint
RP36: 10/6/2010 8:32:29 AM - System Checkpoint
RP37: 10/7/2010 12:09:42 PM - System Checkpoint
RP38: 10/8/2010 2:53:27 PM - System Checkpoint
RP39: 10/11/2010 11:33:28 AM - System Checkpoint
RP40: 10/12/2010 12:32:52 PM - System Checkpoint
RP41: 10/13/2010 1:50:03 PM - System Checkpoint
RP42: 10/14/2010 2:46:13 PM - System Checkpoint
RP43: 10/15/2010 3:10:40 PM - System Checkpoint
RP44: 10/20/2010 4:11:53 PM - System Checkpoint
RP45: 10/22/2010 10:11:33 AM - System Checkpoint
RP46: 10/25/2010 12:26:40 PM - System Checkpoint
RP47: 10/26/2010 4:11:37 PM - System Checkpoint
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Aventail Connect
B57Inst
Bonjour
Broadcom Driver Installer
CCleaner (remove only)
Check Point VPN-1 SecureClient NG_AI_R56
Citrix Program Neighborhood ( Citrix ICA Client )
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.9x Modem
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Bluetooth Software
Dell ResourceCD
Dell Wireless WLAN Utility
Easy CD Creator 5 Basic
eDrawings 2007
G.Neil Attendance Controller 7.0
G.Neil Confidential Employee Record 7.0
G.Neil Friendly Forms Builder 2.5
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB917821)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
IBM iSeries Access for Windows
Instant Interview
InterBase 6 Open Edition - 6.0.1.6
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 14
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LimeWire 5.5.16
LiveUpdate 3.3 (Symantec Corporation)
Made2Manage
Made2Manage 5.50 SP1
Made2Manage 5.50 SP1 550.435.435 SP1
Made2Manage 550.413.413 GA
Made2Manage Bar Code Collection
Made2Manage Bar Code Collection 550.413.413 GA
Made2Manage Bar Code Posting
Made2Manage Bar Code Posting 550.413.413 GA
Magical Jelly Bean KeyFinder
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows Journal Viewer
MiniSoft
MostFun.com Games - Winemaker Extraordinaire (remove only)
Mozilla Firefox (3.6.11)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multi-Function Suite
Nancy Drew: Ransom of the Seven Ships
OpenRSM-Agent
PaperPort
PowerDVD
QuickTime
Revo Uninstaller 1.89
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SigmaTel AC97 Audio Drivers
SonicWALL Global VPN Client
Spelling Dictionaries Support For Adobe Reader 9
Symantec Endpoint Protection Client
Update for Windows Media Player 10 (KB912452)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Hotfix - KB895181
Windows Media Player 10 Hotfix - KB888656
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
Winemaker Extraordinaire
WinZip
XP TCP/IP Repair
==== End Of File ===========================
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slClient.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\expsrv32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\OpenRsm\Agent\OrsmAgentService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\devmgr32.exe
C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\administrator.psi\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
BHO: {0c518f64-a339-4980-96f6-7ac886e4b19f} - c:\windows\system32\atioglxx32.dll
BHO: {0e7fecb0-6bd6-4b2d-9094-1907ccf67fca} - c:\windows\system32\atioglxx32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: e8022bb2: {5a96e11c-cd93-0d21-c1ab-8b0383b8ad01} - c:\windows\system32\jsproxy32.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [CARPService] "carpserv.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Desktop Authority GUI] "c:\program files\desktopauthority\ragui.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter2.0] "c:\program files\oce\controlcenter2\brctrcen.exe" /autorun
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [XA5RJ9EADJ] c:\windows\temp\Twr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\dell\bluetooth software\BTTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1.psi\applic~1\mozilla\firefox\profiles\t1lpe0bo.default\
FF - plugin: c:\documents and settings\tvaughn\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tvaughn\application data\move networks\plugins\npqmp071505000011.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-9-18 91136]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-17 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-17 108392]
R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\desktopauthority\rainfo.sys [2006-12-19 6400]
R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\desktopauthority\ramaint.exe [2006-12-19 49152]
R2 DesktopAuthority;Desktop Authority Service;c:\program files\desktopauthority\DesktopAuthority.exe [2006-12-19 1089536]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2006-8-3 190528]
R2 OrsmAgentServiceCom;OrsmAgentServiceCom;c:\program files\openrsm\agent\OrsmAgentService.exe [2007-4-24 1041920]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-7-27 17456]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2005-12-19 527360]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-17 1775344]
R2 Symantec AntiVirus32;Symantec Endpoint Protection ;c:\windows\system32\expsrv32.exe [2010-10-20 1349120]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-7-27 670128]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [2006-12-19 2944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-18 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-7-27 2041904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101026.002\NAVENG.SYS [2010-10-26 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101026.002\NAVEX15.SYS [2010-10-26 1371184]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2006-8-3 18944]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2006-8-3 70144]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-18 23180]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-8-17 23888]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2006-8-3 15360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-7-27 14924]
=============== Created Last 30 ================
2010-10-26 18:52:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 18:52:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 14:19:04 0 ---ha-w- c:\documents and settings\administrator.psi\ymmszlgrbn.tmp
2010-10-26 14:14:51 -------- d-----w- c:\program files\Magical Jelly Bean
2010-10-26 14:13:09 -------- d-----w- c:\docume~1\admini~1.psi\locals~1\applic~1\Mozilla
2010-10-20 19:16:44 174592 ----a-w- c:\windows\system32\jscript32.exe
2010-10-20 19:16:27 203776 --sh--w- c:\windows\system32\unrar.exe
2010-10-20 19:16:27 -------- d-----w- c:\windows\system32\709041280
2010-10-20 19:15:57 1349120 ----a-w- c:\windows\system32\devmgr32.exe
2010-10-20 19:15:55 250368 ----a-w- c:\windows\system32\jsproxy32.dll
2010-10-20 19:15:51 1349120 ----a-w- c:\windows\system32\expsrv32.exe
2010-10-20 19:15:48 370176 ----a-w- c:\windows\system32\atioglxx32.dll
==================== Find3M ====================
2010-08-18 16:49:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-17 20:22:18 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-17 20:22:16 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-17 20:22:16 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-17 20:22:16 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-17 20:22:16 242056 ----a-w- c:\windows\system32\SymRedir.dll
============= FINISH: 17:05:41.65 ===============
DDS (Ver_10-10-21.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/27/2007 4:21:20 PM
System Uptime: 10/26/2010 3:27:16 PM (2 hours ago)
Motherboard: Dell Computer Corporation | | 0D2125
Processor: Intel(R) Pentium(R) M processor 1.80GHz | Microprocessor | 1798/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 30.415 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4324&SUBSYS_00031028&REV_03\4&39A85202&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4324&SUBSYS_00031028&REV_03\4&39A85202&0&18F0
Service: BCM43XX
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN-1 SecureClient Adapter
Device ID: ROOT\NET\0001
Manufacturer: Check Point
Name: VPN-1 SecureClient Adapter
PNP Device ID: ROOT\NET\0001
Service: OMVA
==== System Restore Points ===================
RP1: 7/26/2010 7:34:50 AM - System Checkpoint
RP2: 7/27/2010 2:27:25 PM - System Checkpoint
RP3: 7/28/2010 3:16:30 PM - System Checkpoint
RP4: 8/2/2010 1:03:40 PM - System Checkpoint
RP5: 8/3/2010 10:02:24 AM - Removed Symantec AntiVirus
RP6: 8/3/2010 10:28:28 AM - Revo Uninstaller's restore point - FaxPress
RP7: 8/3/2010 10:29:27 AM - Removed FaxPress
RP8: 8/4/2010 1:05:31 PM - System Checkpoint
RP9: 8/6/2010 10:05:25 AM - System Checkpoint
RP10: 8/9/2010 8:45:19 AM - System Checkpoint
RP11: 8/10/2010 11:07:01 AM - System Checkpoint
RP12: 8/11/2010 1:26:09 PM - System Checkpoint
RP13: 8/12/2010 2:35:58 PM - System Checkpoint
RP14: 8/16/2010 12:20:07 PM - System Checkpoint
RP15: 8/17/2010 12:55:25 PM - System Checkpoint
RP16: 8/18/2010 12:47:07 PM - Installed Symantec Endpoint Protection Client.
RP17: 8/19/2010 3:33:01 PM - System Checkpoint
RP18: 8/23/2010 8:32:24 AM - System Checkpoint
RP19: 8/26/2010 11:58:16 AM - System Checkpoint
RP20: 8/30/2010 12:19:07 PM - System Checkpoint
RP21: 8/31/2010 12:32:43 PM - System Checkpoint
RP22: 9/1/2010 12:43:54 PM - System Checkpoint
RP23: 9/2/2010 1:35:40 PM - System Checkpoint
RP24: 9/8/2010 10:14:46 AM - System Checkpoint
RP25: 9/9/2010 1:00:19 PM - System Checkpoint
RP26: 9/10/2010 1:39:43 PM - System Checkpoint
RP27: 9/13/2010 1:05:57 PM - System Checkpoint
RP28: 9/14/2010 1:38:42 PM - System Checkpoint
RP29: 9/16/2010 12:36:11 PM - System Checkpoint
RP30: 9/17/2010 1:06:07 PM - System Checkpoint
RP31: 9/20/2010 1:05:44 PM - System Checkpoint
RP32: 9/21/2010 1:55:54 PM - System Checkpoint
RP33: 9/22/2010 3:33:03 PM - System Checkpoint
RP34: 9/24/2010 9:41:39 AM - System Checkpoint
RP35: 10/4/2010 1:38:56 PM - System Checkpoint
RP36: 10/6/2010 8:32:29 AM - System Checkpoint
RP37: 10/7/2010 12:09:42 PM - System Checkpoint
RP38: 10/8/2010 2:53:27 PM - System Checkpoint
RP39: 10/11/2010 11:33:28 AM - System Checkpoint
RP40: 10/12/2010 12:32:52 PM - System Checkpoint
RP41: 10/13/2010 1:50:03 PM - System Checkpoint
RP42: 10/14/2010 2:46:13 PM - System Checkpoint
RP43: 10/15/2010 3:10:40 PM - System Checkpoint
RP44: 10/20/2010 4:11:53 PM - System Checkpoint
RP45: 10/22/2010 10:11:33 AM - System Checkpoint
RP46: 10/25/2010 12:26:40 PM - System Checkpoint
RP47: 10/26/2010 4:11:37 PM - System Checkpoint
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Aventail Connect
B57Inst
Bonjour
Broadcom Driver Installer
CCleaner (remove only)
Check Point VPN-1 SecureClient NG_AI_R56
Citrix Program Neighborhood ( Citrix ICA Client )
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.9x Modem
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Bluetooth Software
Dell ResourceCD
Dell Wireless WLAN Utility
Easy CD Creator 5 Basic
eDrawings 2007
G.Neil Attendance Controller 7.0
G.Neil Confidential Employee Record 7.0
G.Neil Friendly Forms Builder 2.5
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB917821)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
IBM iSeries Access for Windows
Instant Interview
InterBase 6 Open Edition - 6.0.1.6
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 14
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LimeWire 5.5.16
LiveUpdate 3.3 (Symantec Corporation)
Made2Manage
Made2Manage 5.50 SP1
Made2Manage 5.50 SP1 550.435.435 SP1
Made2Manage 550.413.413 GA
Made2Manage Bar Code Collection
Made2Manage Bar Code Collection 550.413.413 GA
Made2Manage Bar Code Posting
Made2Manage Bar Code Posting 550.413.413 GA
Magical Jelly Bean KeyFinder
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows Journal Viewer
MiniSoft
MostFun.com Games - Winemaker Extraordinaire (remove only)
Mozilla Firefox (3.6.11)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multi-Function Suite
Nancy Drew: Ransom of the Seven Ships
OpenRSM-Agent
PaperPort
PowerDVD
QuickTime
Revo Uninstaller 1.89
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SigmaTel AC97 Audio Drivers
SonicWALL Global VPN Client
Spelling Dictionaries Support For Adobe Reader 9
Symantec Endpoint Protection Client
Update for Windows Media Player 10 (KB912452)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Hotfix - KB895181
Windows Media Player 10 Hotfix - KB888656
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
Winemaker Extraordinaire
WinZip
XP TCP/IP Repair
==== End Of File ===========================