Darek Z
2009-01-08, 19:34
I'm new to this forum so please be kind.
Recently infected with multiple Trojans that keep re-appearing after a successful fix by Spybot S&D scan. Here is my HJT log
Please advise as this is getting worse. Was originally infected a week ago and at that time it was only two trojans.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:23 PM, on 1/8/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
C:\WINDOWS\system32\mabidwe.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SourceOffSite Server\SosService.exe
C:\WINDOWS\system32\soxpeca.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\Citrix\system32\cdmsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Citrix\Streaming Client\RadeObj.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Citrix\ICA Client\SSONSVR.EXE
C:\Program Files\Citrix\System32\wfshell.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Citrix\Streaming Client\RadeObj.exe
C:\Program Files\Workplace Applications\wpa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [04EB85A6_7175_4E87_9583_3D80793AD067] Temporary value - please remove
O4 - HKLM\..\Run: [IcaBar] "C:\Program Files\Citrix\system32\icabar.exe" /adminonly
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [zapimutomu] Rundll32.exe "C:\WINDOWS\system32\hetatevi.dll",s
O4 - HKLM\..\Run: [709cc30e] rundll32.exe "C:\WINDOWS\system32\qpbxewum.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3293674092-285027072-1784590874-1033\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'ctx_cpsvcuser')
O4 - HKUS\S-1-5-21-3293674092-285027072-1784590874-1034\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Ctx_StreamingSvc')
O4 - HKUS\S-1-5-21-927311336-2038346563-2281896562-1159\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'azabel')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182284224686
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://devserver.workplacegroup.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workplacegroup.net
O17 - HKLM\Software\..\Telephony: DomainName = workplacegroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{700F1B96-46DC-44FA-AC43-F75825ACBE39}: NameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A5FDFF-C31D-43AC-896B-4FC7C54337F7}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workplacegroup.net
O20 - AppInit_DLLs: mfaphook.dll,
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: Citrix Client Network (CdmService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\cdmsvc.exe
O23 - Service: Citrix Encryption Service - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\encsvc.exe
O23 - Service: Citrix SMA Service - Citrix Systems Inc. - C:\Program Files\Citrix\Sma\SmaService.exe
O23 - Service: Citrix Virtual Memory Optimization - Citrix Systems, Inc. - C:\Program Files\Citrix\Server Resource Management\Memory Optimization Management\Program\CtxSFOSvc.exe
O23 - Service: Citrix Health Monitoring and Recovery (CitrixHealthMon) - Citrix Systems, Inc - C:\Program Files\Citrix\HealthMon\HCAService.exe
O23 - Service: CitrixLicensing - Macrovision Corporation - C:\Program Files\Citrix\Licensing\LS\lmgrd.exe
O23 - Service: Citrix WMI Service (CitrixWMIService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\citrix\WMI\ctxwmisvc.exe
O23 - Service: Citrix XTE Server (CitrixXTEServer) - Citrix Systems, Inc. - C:\Program Files\Citrix\XTE\bin\XTE.exe
O23 - Service: Citrix Licensing WMI (Citrix_GTLicensingProv) - Unknown owner - C:\Program Files\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe
O23 - Service: Citrix Print Manager Service (cpsvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\CpSvc.exe
O23 - Service: Citrix CPU Utilization Mgmt/Resource Mgmt (ctxcpuSched) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe
O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\ctxxmlss.exe
O23 - Service: Citrix License Management Console (CTXLMC) - Alexandria Software Consulting - C:\Program Files\Citrix\Licensing\LMC\Tomcat\bin\tomcat.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Citrix Services Manager (IMAAdvanceSrv) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
O23 - Service: Citrix Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Citrix MFCOM Service (MFCom) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\mfcom.exe
O23 - Service: Microsoft File Manager Services (mscdcosd) - Unknown owner - C:\WINDOWS\system32\mscdco.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
O23 - Service: Citrix Resource Manager Mail (ResourceManagerMail) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\IMA\MailService.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: SourceOffSite 4 Server (SosSvrSvc.net) - SourceGear Corporation - C:\Program Files\SourceOffSite Server\SosService.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
--
End of file - 12065 bytes
Thank you in advance for any and all of your help!
Darek
Recently infected with multiple Trojans that keep re-appearing after a successful fix by Spybot S&D scan. Here is my HJT log
Please advise as this is getting worse. Was originally infected a week ago and at that time it was only two trojans.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:23 PM, on 1/8/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
C:\WINDOWS\system32\mabidwe.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SourceOffSite Server\SosService.exe
C:\WINDOWS\system32\soxpeca.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\Citrix\system32\cdmsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Citrix\Streaming Client\RadeObj.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Citrix\ICA Client\SSONSVR.EXE
C:\Program Files\Citrix\System32\wfshell.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Citrix\Streaming Client\RadeObj.exe
C:\Program Files\Workplace Applications\wpa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [04EB85A6_7175_4E87_9583_3D80793AD067] Temporary value - please remove
O4 - HKLM\..\Run: [IcaBar] "C:\Program Files\Citrix\system32\icabar.exe" /adminonly
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [zapimutomu] Rundll32.exe "C:\WINDOWS\system32\hetatevi.dll",s
O4 - HKLM\..\Run: [709cc30e] rundll32.exe "C:\WINDOWS\system32\qpbxewum.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3293674092-285027072-1784590874-1033\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'ctx_cpsvcuser')
O4 - HKUS\S-1-5-21-3293674092-285027072-1784590874-1034\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Ctx_StreamingSvc')
O4 - HKUS\S-1-5-21-927311336-2038346563-2281896562-1159\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'azabel')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182284224686
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://devserver.workplacegroup.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workplacegroup.net
O17 - HKLM\Software\..\Telephony: DomainName = workplacegroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{700F1B96-46DC-44FA-AC43-F75825ACBE39}: NameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A5FDFF-C31D-43AC-896B-4FC7C54337F7}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workplacegroup.net
O20 - AppInit_DLLs: mfaphook.dll,
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: Citrix Client Network (CdmService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\cdmsvc.exe
O23 - Service: Citrix Encryption Service - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\encsvc.exe
O23 - Service: Citrix SMA Service - Citrix Systems Inc. - C:\Program Files\Citrix\Sma\SmaService.exe
O23 - Service: Citrix Virtual Memory Optimization - Citrix Systems, Inc. - C:\Program Files\Citrix\Server Resource Management\Memory Optimization Management\Program\CtxSFOSvc.exe
O23 - Service: Citrix Health Monitoring and Recovery (CitrixHealthMon) - Citrix Systems, Inc - C:\Program Files\Citrix\HealthMon\HCAService.exe
O23 - Service: CitrixLicensing - Macrovision Corporation - C:\Program Files\Citrix\Licensing\LS\lmgrd.exe
O23 - Service: Citrix WMI Service (CitrixWMIService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\citrix\WMI\ctxwmisvc.exe
O23 - Service: Citrix XTE Server (CitrixXTEServer) - Citrix Systems, Inc. - C:\Program Files\Citrix\XTE\bin\XTE.exe
O23 - Service: Citrix Licensing WMI (Citrix_GTLicensingProv) - Unknown owner - C:\Program Files\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe
O23 - Service: Citrix Print Manager Service (cpsvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\CpSvc.exe
O23 - Service: Citrix CPU Utilization Mgmt/Resource Mgmt (ctxcpuSched) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe
O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\ctxxmlss.exe
O23 - Service: Citrix License Management Console (CTXLMC) - Alexandria Software Consulting - C:\Program Files\Citrix\Licensing\LMC\Tomcat\bin\tomcat.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Citrix Services Manager (IMAAdvanceSrv) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe
O23 - Service: Citrix Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Citrix MFCOM Service (MFCom) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\mfcom.exe
O23 - Service: Microsoft File Manager Services (mscdcosd) - Unknown owner - C:\WINDOWS\system32\mscdco.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
O23 - Service: Citrix Resource Manager Mail (ResourceManagerMail) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\IMA\MailService.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: SourceOffSite 4 Server (SosSvrSvc.net) - SourceGear Corporation - C:\Program Files\SourceOffSite Server\SosService.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
--
End of file - 12065 bytes
Thank you in advance for any and all of your help!
Darek