One update: I did notice that the reg keys that LDAV was trying to create (or so it looks like) were associated with the virus that eventually was quarantined.
Article on ThreatReport: http://www.threatexpert.com/report.aspx?md5=81b6b84e438551702864df108d32da46
*Notice the reg keys listed at the bottom. This variant was just discovered yesterday and posted on the virus watch website. Just trying to get an idea of what LDAV's true role was in this situation. Was it trying to quarantine the reg keys/files? Could LDAV have been hijacked and used to infect the local system? Questions I don't like having bounce around in my head right before Friday afternoon happy hour.
LDAV.EXE does not do much activity that should be touching the registry. LDAV.EXE is simply the user interface.
Softmon.EXE does have code to modify \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
However, I do get the feeling that this is malicious activity that LANDesk Antivirus is not detecting.
Dave, I agree. Have there been any reports of LDAV.exe getting hijacked? I checked the file sizes of ldav.exe on the machine and on an unsuspecting machine; both matched, so I don't initially think the executable had been replaced. Could the executable itself have a vulnerability that allows other processes to inject code into it?
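Added example (not code from the thread, LANDesk, or ThreatExpert): matching file sizes say little about whether a binary was replaced, since a modified copy can be padded to the same length. The script below compares a suspect copy of an executable against a reference copy by size, MD5 and SHA-256, and also checks the suspect's MD5 against a small deny-list. The only real value in that list is the MD5 from the ThreatExpert link above; the file names, the temporary directory and the two byte strings in `demo()` are constructed for the illustration and are not taken from any real LANDesk install.

```python
import hashlib
import os
import tempfile

# The MD5 from the ThreatExpert report linked in the thread; any other entries
# you add here are your own indicators, not values from this page.
KNOWN_BAD_MD5 = {"81b6b84e438551702864df108d32da46"}


def file_digests(path, chunk=65536):
    """Return size, MD5 and SHA-256 of a file, reading it in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {
        "size": os.path.getsize(path),
        "md5": md5.hexdigest(),
        "sha256": sha.hexdigest(),
    }


def compare_binaries(suspect_path, reference_path):
    """Compare a suspect binary with a known-good copy.

    size_match alone is the weak check from the thread; the hash fields are
    the ones that actually establish whether the two files are identical.
    """
    s = file_digests(suspect_path)
    r = file_digests(reference_path)
    return {
        "size_match": s["size"] == r["size"],
        "md5_match": s["md5"] == r["md5"],
        "sha256_match": s["sha256"] == r["sha256"],
        "suspect_known_bad": s["md5"] in KNOWN_BAD_MD5,
    }


def demo():
    """Constructed case: two files of identical size but different content."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = os.path.join(tmp, "ldav_reference.exe")  # hypothetical name
        suspect = os.path.join(tmp, "ldav_suspect.exe")      # hypothetical name
        with open(reference, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1022)
        with open(suspect, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1021 + b"\x01")  # same length, one byte changed
        return compare_binaries(suspect, reference)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `compare_binaries()` at the ldav.exe on the machine in question and a copy taken from a clean build of the same LANDesk version; a size match with a hash mismatch is the case the size-only check in the post cannot see.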