Messages - GLP

1
Tech Clinic / Vundo infection
« on: July 02, 2007, 11:02:03 AM »
[quote name='guestolo' post='348904' date='Jul 2 2007, 03:04 PM']Some final recommendations:
I hope that helps :)[/quote]


Thank you very much indeed. Machine running smoothly and quickly now.

If you ever need a reference please let me know.

Brilliant.

Cheers friend. :)

2
Tech Clinic / Vundo infection
« on: July 02, 2007, 02:59:03 AM »
[quote name='guestolo' post='348741' date='Jul 2 2007, 02:49 AM']Can you post that log please along with one last hijackthis log

Keep me informed how things are running please[/quote]

DllUnregisterServer procedure not found in C:\WINDOWS\system32\jodjwjfe.dll
C:\WINDOWS\system32\jodjwjfe.dll NOT unregistered.
C:\WINDOWS\system32\jodjwjfe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\webxwvxh.dll
C:\WINDOWS\system32\webxwvxh.dll NOT unregistered.
C:\WINDOWS\system32\webxwvxh.dll moved successfully.
C:\WINDOWS\system32\teekxecc.exe moved successfully.
 
Created on 07-02-2007 08:56:40

& one last HJT log

Logfile of HijackThis v1.99.1
Scan saved at 08:57, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\llo36863\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mimi.mottmac.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ukcolopxLB.mottmac.group.int:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mottmac.com;*.mottmac.group.int;*.group.int;194.60.85.*;10.*;138.104.*;192.1.2.247;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Lawson - {D928FCC0-F8A5-11d2-9041-00A024FF64ED} - C:\WINDOWS\system32\LawsonIE.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mimi
O15 - Trusted Zone: http://*.fifi.mottmac.com
O15 - Trusted Zone: http://contacts.mottmac.com
O15 - Trusted Zone: http://grouptracker.mottmac.com
O15 - Trusted Zone: http://marketqa.mottmac.com
O15 - Trusted Zone: http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mottmac.com
O15 - Trusted Zone: http://*.mimi (HKLM)
O15 - Trusted Zone: http://*.fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://contacts.mottmac.com (HKLM)
O15 - Trusted Zone: http://fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://grouptracker.mottmac.com (HKLM)
O15 - Trusted Zone: http://marketqa.mottmac.com (HKLM)
O15 - Trusted Zone: http://mimi.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp1.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp2.mottmac.com (HKLM)
O15 - Trusted Zone: http://*.mottmac.com (HKLM)
O15 - Trusted IP range: http://138.104.6.* (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5CD0EBF-31FB-4BEA-B9AD-085A3C4F4E2C} (VoyagerCtl Class) - https://www.promapserver.co.uk/controls/latest/Voyager.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mottmac.group.int
O17 - HKLM\Software\..\Telephony: DomainName = mottmac.group.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mottmac.group.int
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thank you once again.

Brilliant!!

3
Tech Clinic / Vundo infection
« on: June 29, 2007, 09:21:03 AM »
P.S. This time I really am on my way out the door
Have a good weekend
[/quote]


Here's the result. You have a good weekend too.

-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
  73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
  00
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:0000035c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
  50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:60,34,4e,2c,eb,2f,5b,34,7d,5e,9d,ab,45,83,fd,78,34,32,31,31,36,\
  35,31,64,00,00,00,00,ae,ba,00,00,9c,d1,1b,00,99,d0,bf,71,88,d1,1b,00,10,00,\
  00,00,00,00,00,00,dd,1f,7c,bd,f0,09,11,45,d7,98,1e,42

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:19,ad,90,cf,38,30,63,56,74

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:c3,85,eb,b0,fe,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:fc,b8,ed,bc,d5,e6,88,15,02,00,75,00,76,46,23,bf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:c2,68,2f,43,64,fa,c5,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031



4
Tech Clinic / Vundo infection
« on: June 29, 2007, 09:01:21 AM »
I've scanned all the files - I've attached a txt file below with the results.

I can't seem to download your find_it.bat file - keeps coming up as Corrupt.

I'll have another go but here's the txt file

[attachment=3243:scans.txt]

After 5pm UK time I'll not be in work till Monday so any further actions will have to wait till next week.

Cheers for your patience.

5
Tech Clinic / Vundo infection
« on: June 29, 2007, 03:28:04 AM »
Oh yeah - and thanks for all the time and effort spent checking this out for me - it's really appreciated. :-)

6
Tech Clinic / Vundo infection
« on: June 29, 2007, 03:21:22 AM »
Sorry for the delay - but I wasn't in work yesterday and therefore didn't have access to the infected machine.

Your comments:

[color="#ff8c00"]Post a fresh hijackthis log[/color] - See below

[color="#ff8c00"]Can you also post the log from combofix>>C:\Combofix.txt[/color] - See below HJTlog

[color="#ff8c00"]I take it you know the domain .mottmac.com?[/color] - Yes it's the company domain. Fully trusted.

[color="#ff8c00"]Also, I've only seen this entry in one other log, it could very well be legit
C:\WINDOWS\system32\LawsonIE.dll<-this file[/color] -

Lawson is software installed on all our PCs by the company as it is used in the generation of electronic forms..... see below...

Updates Provided

This release contains the following updates:

Desktop and Toolkit components

Component

Change description - (*) means regen required

BOBject.ocx

Enhancement of tellme.bob logging:
  - location of file is now <program folder>\logs
  - all forms toggle on/off with hotkey (Ctrl+Alt+L)

DetailControl.ocx

(*) PT 66228: Resolves problem where detail columns are sometimes blanked out.
Repairs problem with DrillSelect returning a 'Server error...' when data contains special characters misinterpreted by the browser.
PT 67819: Special action not visible on Special Action menu. (PA52; V)
PT 68233: Hot keys regression issue.

DrillXPlore.ocx

PT 67913: Down arrow on select broken (MA60.2).

FieldData.dll

PT 66765: Resolves issues with some key data not being passed from one form to another.
Changes of date formatting for international support.

LawAttachments.dll

(*) PT 66236: Changed to support form and row level attachments.
(*) PT 68151: Display creation/modification/UserID info.
PT 68151: Follow up to provide creation and modified username information for an attachment record.

LawRptCtrl.ocx

PT 67945: Token column not displaying the token number within the completed jobs screen.
PT 66960: Resolves problem for reports with more than 50 pages do not have navigation.

LawsonCombo.ocx

Changes for TextValList versus DBValList.

LawsonDate.ocx

PT#68736 - Detect partial and invalid dates entered into Lawson date controls.

LawsonIE.dll (WebBand)

A menu item is provided to link to server-based on-line help manuals.

LawsonXlate.ocx

PT 67549: Resolves problem of field labels shifting on the form when not all translations are provided.

Translate initially available command buttons. Also, when a translation phrase is not available, the original phrase is used.



Logfile of HijackThis v1.99.1
Scan saved at 09:05, on 2007-06-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\llo36863\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mimi.mottmac.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ukcolopxLB.mottmac.group.int:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mottmac.com;*.mottmac.group.int;*.group.int;194.60.85.*;10.*;138.104.*;192.1.2.247;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Lawson - {D928FCC0-F8A5-11d2-9041-00A024FF64ED} - C:\WINDOWS\system32\LawsonIE.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mimi
O15 - Trusted Zone: http://*.fifi.mottmac.com
O15 - Trusted Zone: http://contacts.mottmac.com
O15 - Trusted Zone: http://grouptracker.mottmac.com
O15 - Trusted Zone: http://marketqa.mottmac.com
O15 - Trusted Zone: http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mottmac.com
O15 - Trusted Zone: http://*.mimi (HKLM)
O15 - Trusted Zone: http://*.fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://contacts.mottmac.com (HKLM)
O15 - Trusted Zone: http://fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://grouptracker.mottmac.com (HKLM)
O15 - Trusted Zone: http://marketqa.mottmac.com (HKLM)
O15 - Trusted Zone: http://mimi.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp1.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp2.mottmac.com (HKLM)
O15 - Trusted Zone: http://*.mottmac.com (HKLM)
O15 - Trusted IP range: http://138.104.6.* (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5CD0EBF-31FB-4BEA-B9AD-085A3C4F4E2C} (VoyagerCtl Class) - https://www.promapserver.co.uk/controls/latest/Voyager.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mottmac.group.int
O17 - HKLM\Software\..\Telephony: DomainName = mottmac.group.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mottmac.group.int
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Combo Fix log:=

"LLO36863" - 2007-06-27 10:27:24 - ComboFix 07-06-27.7 - Service Pack 2  NTFS  


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\opnolii.dll
C:\WINDOWS\system32\urqrsqp.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

(((((((((((((((((((((((((   Files Created from 2007-05-27 to 2007-06-27  )))))))))))))))))))))))))))))))


2007-06-27 10:26 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 08:54 66,112 --a------ C:\WINDOWS\system32\jodjwjfe.dll
2007-06-27 08:49 128,576 --a------ C:\WINDOWS\system32\webxwvxh.dll
2007-06-26 12:38 <DIR> d-------- C:\Program Files\Messenger
2007-06-26 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-25 15:59 <DIR> d-------- C:\VundoFix Backups
2007-06-25 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-25 10:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-25 10:04 4,672 --a------ C:\WINDOWS\system32\teekxecc.exe
2007-06-25 09:19 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-25 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-19 17:15 <DIR> d-------- C:\DOCUME~1\llo36863\APPLIC~1\Help
2007-06-19 16:55 <DIR> d-------- C:\DOCUME~1\llo36863\APPLIC~1\MapInfo
2007-06-11 13:21 <DIR> d-------- C:\Program Files\Virtual Earth 3D


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 09:30:32 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-26 14:11:08 -------- d-----w C:\Program Files\BeClean
2007-06-20 13:28:39 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\ICAClient
2007-05-23 08:58:25 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\Wallingford Software
2007-05-22 16:05:06 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\Teleca
2007-05-22 16:04:44 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\Sony Ericsson
2007-05-22 16:02:18 -------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-05-22 16:01:52 -------- d-----w C:\Program Files\Sony Ericsson
2007-05-18 10:24:41 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\AdobeUM
2007-05-17 14:44:50 -------- d-----w C:\Program Files\IVT Corporation
2007-05-17 14:44:49 -------- d--h--w C:\Program Files\InstallShield Installation Information


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0F558093-6F50-4E45-8360-E3C0B6D5C638}=C:\WINDOWS\system32\geede.dll []
{48D77D62-67BC-4FDC-B428-EF4219AEF5B0}=C:\WINDOWS\system32\awtqp.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{59415563-2A4D-4C59-8774-4329D298410A}=C:\WINDOWS\system32\ddabc.dll []
{E65173BB-4000-4E0F-9FB4-5EF6669BB49D}=C:\WINDOWS\system32\pmkjk.dll []
{F67899AE-3B79-4542-A892-39D408706202}=C:\WINDOWS\system32\awtqn.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 21:39 C:\WINDOWS\RTHDCPL.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="C:\Program Files\Internet Explorer\IEXPLORE.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddabc]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjk]

 

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 10:30:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 10:31:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-27 10:31

 --- E O F ---

7
Tech Clinic / Vundo infection
« on: June 27, 2007, 04:52:09 AM »
Hi all,
Managed to catch the vundo trojan the other day - I've run spybot, vundofix, combofix, atf cleaner etc and hopefully cleaned the machine....

Here's a HJT log - can someone check this out and let me know if there's anything else I need to do ... your help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:43, on 2007-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\llo36863\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mimi.mottmac.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ukcolopxLB.mottmac.group.int:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mottmac.com;*.mottmac.group.int;*.group.int;194.60.85.*;10.*;138.104.*;192.1.2.247;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F558093-6F50-4E45-8360-E3C0B6D5C638} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {48D77D62-67BC-4FDC-B428-EF4219AEF5B0} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59415563-2A4D-4C59-8774-4329D298410A} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8D99D2A3-317C-4929-8A5D-21140259D93A} - (no file)
O2 - BHO: (no name) - {E65173BB-4000-4E0F-9FB4-5EF6669BB49D} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O2 - BHO: (no name) - {F67899AE-3B79-4542-A892-39D408706202} - C:\WINDOWS\system32\awtqn.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Lawson - {D928FCC0-F8A5-11d2-9041-00A024FF64ED} - C:\WINDOWS\system32\LawsonIE.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mimi
O15 - Trusted Zone: http://*.fifi.mottmac.com
O15 - Trusted Zone: http://contacts.mottmac.com
O15 - Trusted Zone: http://grouptracker.mottmac.com
O15 - Trusted Zone: http://marketqa.mottmac.com
O15 - Trusted Zone: http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mottmac.com
O15 - Trusted Zone: http://*.mimi (HKLM)
O15 - Trusted Zone: http://*.fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://contacts.mottmac.com (HKLM)
O15 - Trusted Zone: http://fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://grouptracker.mottmac.com (HKLM)
O15 - Trusted Zone: http://marketqa.mottmac.com (HKLM)
O15 - Trusted Zone: http://mimi.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp1.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp2.mottmac.com (HKLM)
O15 - Trusted Zone: http://*.mottmac.com (HKLM)
O15 - Trusted IP range: http://138.104.6.* (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5CD0EBF-31FB-4BEA-B9AD-085A3C4F4E2C} (VoyagerCtl Class) - https://www.promapserver.co.uk/controls/latest/Voyager.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mottmac.group.int
O17 - HKLM\Software\..\Telephony: DomainName = mottmac.group.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mottmac.group.int
O20 - Winlogon Notify: ddabc - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
