Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-20 16:56:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:58 PM, on 7/20/2008
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\PROGRAM FILES\EASYSOFT\EASYSOFT JDBC-ODBC BRIDGE\SERVER\esjobserver.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Firebird\bin\fbguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\MYSQL\bin\mysqld-max.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\WINDOWS\system32\logon.exe
d:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel LM Server\WinNT\lservnt.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\SDIII\NTService.exe
C:\WINDOWS\system32\SD3Service.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTServiceMonitor.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Firebird\bin\fbserver.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTDistributedAccessServer.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTLicenseChecker.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTMaintenanceScheduler.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTDAS.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTRemotePDAServer.exe
D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTReportService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\ClientApps\CAC7\wlaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Startup: WLaunch.lnk = CAC7\wlaunch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Supero Doctor III Client.lnk = C:\Program Files\SDIII\SuperoDoctor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://mail.atl.cbeyond.com
O15 - ESC Trusted Zone: http://download.nvidia.com
O15 - ESC Trusted Zone: http://www.nvidia.com
O15 - ESC Trusted Zone: http://www.supermicro.com
O15 - ESC Trusted Zone: http://*.thedowneygroup.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4143CA74-3EC9-43A7-A418-9F0D7BAA8758} (SSnet_Client.pagLogin) - http://12.159.65.250/SSnet/SSnet_Client.CAB
O16 - DPF: {4BEF854E-6531-40D8-825E-5228A12861F3} (pwrUpl2 Class) - https://sagesoftware.thruinc.net/Components/PowerUpload.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161717067875
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://mail.crownga.com/Remote/msrdp.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B0893304-3FC5-11D6-A5F0-00D0B7104633} (WebCCTV3 Network Client Class) - http://10.0.0.220/WebCCTV/ActiveX/OPClient.cab
O16 - DPF: {F3C7C5EE-8BBA-4B6E-8147-3B315A41B85B} - http://www.linktivity.com/msjavx86.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = downey.local
O17 - HKLM\Software\..\Telephony: DomainName = downey.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB504783-7601-4470-9F10-17EAF9E0F43D}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = downey.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = downey.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = downey.local
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Easysoft JDBC-ODBC Bridge Server (EasysoftJDBCODBCBridge) - Unknown owner - C:\PROGRAM FILES\EASYSOFT\EASYSOFT JDBC-ODBC BRIDGE\SERVER\esjobserver.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\PROGRA~1\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\PROGRA~1\Firebird\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - LANDesk Software Ltd. - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: MySql - Unknown owner - C:\MYSQL\bin\mysqld-max.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Sage Service Host (Sage.ServiceHost.Host) - Sage Software, Inc. - d:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - d:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: Sentinel LM - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel LM Server\WinNT\lservnt.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SuperMicro Health Assistant - Unknown owner - C:\Program Files\SDIII\NTService.exe
O23 - Service: Supero SD3Service Daemon - Unknown owner - C:\WINDOWS\system32\SD3Service.exe
O23 - Service: BuilderMT Distributed Access Server (svcBMTDistributedAccessServer) - Unknown owner - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTDistributedAccessServer.exe
O23 - Service: BuilderMT License Validation (svcBMTLicenseChecker) - Unknown owner - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTLicenseChecker.exe
O23 - Service: BuilderMT Maintenance Scheduler (svcBMTMaintenanceScheduler) - Unknown owner - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTMaintenanceScheduler.exe
O23 - Service: BuilderMT.NET Distributed Access Server (svcBMTNETDAS) - BuilderMT LLC - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTDAS.exe
O23 - Service: BuilderMT Remote PDA Server (svcBMTRemotePDAServer) - Unknown owner - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTRemotePDAServer.exe
O23 - Service: BuilderMT Reporting (svcBMTReporting) - Unknown owner - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTReportService.exe
O23 - Service: BuilderMT Service Monitor (svcBMTServiceMonitor) - Unknown owner - D:\PROGRAM FILES\TIMBERLINE OFFICE\BuilderMT\BuilderMT\PMWinstall\Services\BMTServiceMonitor.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Xitami Web Server (Xitami) - Unknown owner - C:\Program Files\SDIII\Xitami\xiwinnt.exe

--
End of file - 14808 bytes


-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys
R1 4mmdat--VRTS - c:\windows\system32\drivers\04mmdat.sys
R1 AW_HOST - c:\windows\system32\drivers\aw_host5.sys
R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys
R1 halfinchVRTS - c:\windows\system32\drivers\halfinch.sys
R1 ISAIONT - c:\windows\system32\drivers\isaiont.sys
R1 MemMapNt - c:\windows\system32\drivers\memmapnt.sys
R1 SMBus - c:\windows\system32\drivers\smbus.sys
R2 EXIFS - c:\windows\system32\drivers\exifs.sys
S1 superbmc - c:\windows\system32\drivers\superbmc.sys
S3 3c1807pd (U.S. Robotics V.92 Fax Win Int) - c:\windows\system32\drivers\3c1807pd.sys
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 APCPBEAgent (APC PBE Agent) - c:\progra~1\apc\powerc~1\agent\pbeagent.exe
R2 APCPBEServer (APC PBE Server) - c:\progra~1\apc\powerc~1\server\pbeser~1.exe
R2 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe
R2 EasysoftJDBCODBCBridge (Easysoft JDBC-ODBC Bridge Server) - c:\program files\easysoft\easysoft jdbc-odbc bridge\server\esjobserver.exe standalone
R2 FirebirdGuardianDefaultInstance (Firebird Guardian - DefaultInstance) - c:\progra~1\firebird\bin\fbguard.exe -s
R2 MSExchangeMGMT (Microsoft Exchange Management) - "c:\program files\exchsrvr\bin\exmgmt.exe"
R2 MSSEARCH (Microsoft Search) - "c:\program files\common files\system\mssearch\bin\mssearch.exe"
R2 MySql - c:\mysql\bin\mysqld-max.exe
R2 Pervasive.SQL (relational) - "c:\pvsw\bin\w3sqlmgr.exe"
R2 Pervasive.SQL (transactional) - "c:\pvsw\bin\ntbtrv.exe"
R2 prilogon (Primary Logon) - c:\windows\system32\logon.exe
R2 Sage.ServiceHost.Host (Sage Service Host) - d:\program files\timberline office\shared\sage.servicehost.host.exe
R2 Sentinel LM - "c:\program files\common files\safenet sentinel\sentinel lm server\winnt\lservnt.exe"
R2 SuperMicro Health Assistant - c:\program files\sdiii\ntservice.exe
R2 Supero SD3Service Daemon - c:\windows\system32\sd3service.exe
R2 svcBMTServiceMonitor (BuilderMT Service Monitor) - d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtservicemonitor.exe
R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe
R3 FirebirdServerDefaultInstance (Firebird Server - DefaultInstance) - c:\progra~1\firebird\bin\fbserver.exe -s
R3 svcBMTDistributedAccessServer (BuilderMT Distributed Access Server) - d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtdistributedaccessserver.exe
R3 svcBMTLicenseChecker (BuilderMT License Validation) - d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtlicensechecker.exe
R3 svcBMTMaintenanceScheduler (BuilderMT Maintenance Scheduler) - d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtmaintenancescheduler.exe
R3 svcBMTNETDAS (BuilderMT.NET Distributed Access Server) - "d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtdas.exe"
R3 svcBMTRemotePDAServer (BuilderMT Remote PDA Server) - d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtremotepdaserver.exe
R3 svcBMTReporting (BuilderMT Reporting) - d:\program files\timberline office\buildermt\buildermt\pmwinstall\services\bmtreportservice.exe
S2 MSExchangeIS (Microsoft Exchange Information Store) - "c:\program files\exchsrvr\bin\store.exe"
S2 MSExchangeSA (Microsoft Exchange System Attendant) - "c:\program files\exchsrvr\bin\mad.exe"
S2 Sage.ServiceHost.Host.1.0 (Sage Service Host v1.0) - d:\program files\timberline office\shared\sage.servicehost.host.exe
S3 MSExchangeES (Microsoft Exchange Event) - "c:\program files\exchsrvr\bin\events.exe"
S3 Xitami (Xitami Web Server) - c:\program files\sdiii\xitami\xiwinnt.exe
S4 MSExchangeMTA (Microsoft Exchange MTA Stacks) - "c:\program files\exchsrvr\bin\emsmta.exe"
S4 MSExchangeSRS (Microsoft Exchange Site Replication Service) - "c:\program files\exchsrvr\bin\srsmain.exe"
S4 winvnc (TridiaVNC Server) - "c:\windows\system32\winvnc.exe" -service


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-07-20 16:00:00      844 --a------ C:\WINDOWS\Tasks\Stop License Logging.job
2008-07-19 23:30:00      274 --a------ C:\WINDOWS\Tasks\BatchFile.job
2008-07-18 12:00:00      764 --a------ C:\WINDOWS\Tasks\ShadowCopyVolume{3583f6b9-0593-11d9-8124-806e6f6e6963}.job
2008-06-22 09:28:03      334 -----n--- C:\WINDOWS\Tasks\VERITAS Software Update (VxUpdate).job


-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-20 14:19:15        0 d-------- C:\Program Files\Trend Micro
2008-07-19 18:24:54   262144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-07-19 18:12:25        0 d-------- C:\Program Files\UPHClean
2008-07-19 17:15:52        0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-19 15:25:03        0 d-------- C:\Program Files\Support Tools
2008-07-19 13:32:53        0 d-------- C:\Program Files\Microsoft Easy Assist
2008-07-18 17:42:14        0 d-------- C:\Program Files\Yahoo!
2008-07-18 17:42:04        0 d-------- C:\Program Files\CCleaner
2008-07-18 17:35:36        0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-18 16:32:17        0 d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-07-18 15:11:09        0 d-------- C:\Program Files\TrojanHunter 5.0
2008-07-17 18:03:29        0 d-------- C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2008-07-17 17:44:47        0 d--h---c- C:\WINDOWS\$ExchUninstallKB950159$
2008-07-17 16:30:39    31232 --a------ C:\WINDOWS\system32\drivers\sc.exe
2008-07-17 16:30:39    31232 --a------ C:\WINDOWS\svc.exe
2008-07-17 16:30:18      381 --a------ C:\WINDOWS\system32\drivers\usbcamd3.sys
2008-07-17 16:30:18     2616 --a------ C:\WINDOWS\system32\drivers\usb8024.sys
2008-07-17 16:30:17     1051 --a------ C:\WINDOWS\system32\drivers\rasptip.sys
2008-07-17 16:30:17     1120 --a------ C:\WINDOWS\system32\drivers\pcmcib.sys
2008-07-17 16:30:10    16896 --a------ C:\WINDOWS\system32\autofkt.exe
2008-07-17 16:27:40    17566 --a------ C:\WINDOWS\system32\rt.exe
2008-07-17 16:27:40    92928 --ahs---- C:\WINDOWS\system32\raddrv.dll
2008-07-17 16:27:40    61440 --a------ C:\WINDOWS\system32\pv.exe
2008-07-17 16:27:40    94208 --ahs---- C:\WINDOWS\system32\logon.exe
2008-07-17 16:27:40   114688 --ahs---- C:\WINDOWS\system32\AdmDll.dll
2008-07-17 16:27:40        0 d-------- C:\WINDOWS\setup86x
2008-07-17 16:27:40    16896 --a------ C:\WINDOWS\autofkt.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-20 16:43:38      205 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-07-20 15:15:57        0 d-------- C:\Program Files\SAV
2008-07-20 15:13:17       96 --a------ C:\WINDOWS\system32\prsrvk.dll
2008-07-20 15:12:28      485 --a------ C:\WINDOWS\system32\nsprs.dll
2008-07-18 18:00:50        0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-30 08:26:39     1226 -----n--- C:\WINDOWS\system32\lservsta


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/15/2004 11:42 AM]
"nwiz"="nwiz.exe" [07/15/2004 11:42 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/15/2004 11:42 AM]
"VxTaskbarMgr"="C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe" [10/07/2003 01:26 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/04/2005 01:42 PM]
"vptray"="C:\PROGRA~1\SAV\VPTray.exe" [11/15/2005 02:28 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"SoundMan"="SOUNDMAN.EXE" [10/08/2003 09:41 PM C:\WINDOWS\SOUNDMAN.EXE]
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.exe" [03/22/2007 08:29 PM]
"3c1807pd"="C:\WINDOWS\SYSTEM32\3cmlink.exe" [05/17/2002 03:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/24/2005 05:58 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Server Management.lnk - C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe [4/29/2005 5:53:14 PM]
WLaunch.lnk - C:\ClientApps\CAC7\wlaunch.exe [7/14/2006 10:21:53 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
MightyFAX Controller.lnk - C:\Program Files\Mightyfax\MFNTCTL.EXE [3/29/2007 1:42:37 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 10:07:32 PM]
Supero Doctor III Client.lnk - C:\Program Files\SDIII\SuperoDoctor.exe [9/14/2004 9:20:01 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 03/24/2005 06:00 PM 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 02/15/2002 10:51 AM 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli dsrestor

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCore]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts WinHttpAutoProxySvc W32Time
NetworkService 6to4 DHCP DnsCache WinErr ERsvc
tapisrv Tapisrv
regsvc RemoteRegistry
iissvcs w3svc
swprv swprv
DcomLaunch DcomLaunch

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser


-- End of Deckard's System Scanner: finished at 2008-07-21 00:53:23 ------------