Malware, Trojan W32/Sdbot.dr!ADA37D45


#1
luisjf

luisjf

    New Member

  • Member
  • Pip
  • 7 posts
Dear all
I'm faced with a big number of virus symptoms on a network that I am in charge of.
We have several computers, about 15, with Win2K, 4 others with 2K Server, and another one with 2003 Server. Since we are using special programs not liked by antivirus programs, most of the computers are old (PII at 300 MHz), and all are in a closed network with no access to the outside, we have not used antivirus programs until now. Those programs usually slow down the very old machines.
The first symptoms were, and still are, some notices of DLLs not found, related to names like 63.scr and several more numbers. Sometimes 10 or 20 notices like this. I found those files in c:\Winnt\system, on one computer with Win2K Server. Some time later, when I tried to use an antivirus, I found the same symptom on another computer. Finally a special program used to remove spybots found those files, xxx.scr; they appear in \default user\settings\microsoft\ie5defenitions, in 4 subdirectories, several files like [x1]. We have also found the presence of a process in winnt\system named SMSC.exe. We think that we disconnected all machines from the network and used that program, which supposedly removes those symptoms. After reconnection of all machines, all symptoms returned again! Some more problems noted are the task manager being blocked by the administrator, a slow network, and some computers disconnecting from the network from time to time.
Those problems started some time ago, when we started to use more USB pens to retrieve data and graphics on that machine with Win2003 Server, where a MySQL database is installed. For some time that machine has been showing strange behaviour, like redrawing the whole desktop from time to time and freezing from time to time, preventing even the user from opening the task manager. The only way to recover is to shut down the machine and send a command to restore the database, which always corrupts after that.
Point 1
After this big explanation, I am asking you what the correct method and steps are to remove all viruses/trojans. Should I really disconnect all machines from the network, clean them all and then reconnect? Can I be sure that the virus/trojan is coming from the network, or perhaps after cleaning the virus still remains hidden somewhere on the computer's disk?
Point2
After reading and logging in to your page, I tried to use your recommended malware removal program "Malwarebytes", which showed the presence of 83 problems on an infected machine. After ordering the cleaning of the selected files, I did a reboot and a new scan after some minutes, and it found viruses again. I think that they are coming from the network.
Point3
I am trying to paste here the result obtained from one of the "Malwarebytes" scans done by me. I can post more next Monday if you need them and they can help with my problem.
Since the program is in Portuguese, the beginning is in that language. I am sorry for that!
I will try to use English, if I can find out how to.
Since we use a closed network, how can I update the "Malwarebytes" program; is there a file to download? As you know, I am new to this kind of thing, and it is the first time I am faced with a big problem like this.
Many thanks for your time and help
luis
REPORT:
Malwarebytes' Anti-Malware 1.44
Versão do banco de dados: 3510
Windows 5.0.2195 Service Pack 4
Internet Explorer 5.00.3700.1000

27-03-2010 12:23:43
mbam-log-2010-03-27 (12-23-43).txt

Tipo de Verificação: Rápida
Objetos verificados: 82989
Tempo decorrido: 6 minute(s), 49 second(s)

Processos da Memória infectados: 1
Módulos de Memória Infectados: 0
Chaves do Registo infectadas: 2
Valores do Registo infectados: 1
Ítens do Registo infectados: 0
Pastas infectadas: 0
Ficheiros infectados: 79

Processos da Memória infectados:
C:\WINNT\system\smsc.exe (Backdoor.IRCBot) -> Failed to unload process.

Módulos de Memória Infectados:
(Nenhum item malicioso foi detectado)

Chaves do Registo infectadas:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Valores do Registo infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wssvc (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Ítens do Registo infectados:
(Nenhum item malicioso foi detectado)

Pastas infectadas:
(Nenhum item malicioso foi detectado)

Ficheiros infectados:
C:\WINNT\system\smsc.exe (Backdoor.IRCBot) -> Delete on reboot.
C:\WINNT\system32\00.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\02.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\03.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\04.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\05.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\06.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\07.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\08.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\10.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\11.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\12.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\13.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\14.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\15.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\16.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\17.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\18.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\20.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\21.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\22.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\23.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\24.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\25.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\26.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\27.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\28.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\30.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\31.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\32.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\34.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\35.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\36.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\37.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\38.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\40.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\41.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\42.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\43.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\44.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\46.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\47.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\48.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\50.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\51.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\52.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\53.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\54.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\55.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\56.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\57.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\60.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\61.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\62.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\63.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\64.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\65.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\66.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\67.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\68.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\70.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\71.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\72.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\73.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\74.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\75.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\76.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\77.scr (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINNT\system32\78.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\80.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\81.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\82.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\83.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\84.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\85.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\86.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\87.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system32\88.scr (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINNT\system\smscLIXO.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
  • 0


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Your bug spreads both via the network and via USB drives. MBAM is not removing the driver and you aren't patching the OS to remove the security hole, so it is no surprise that it comes back. This is a write-up on one version of your bug:

http://vil.mcafeesec...nt/v_157955.htm

Here is another:

http://vil.mcafeesec...nt/v_159387.htm

There is a win2K patch for this:
http://www.microsoft...;displaylang=en

and for your 2003 box:
http://www.microsoft...n/MS08-067.mspx

You will need to install the patch after clearing up the infection.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

**********************************************************************

Start, Run, cmd, OK to bring up a new Command Prompt window. Right-click and select Paste, and the above text should appear. Make sure you got it all and then hit Enter.

Close the Command Prompt window.

Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

For active protection against all USB drives get Autorun Eater v2.4 from:

http://www.filefront.../aesetup2.4.exe

It will stay active and prevent an infected USB drive from reinfecting your system.





What you can also do is boot into Safe Mode with Command Prompt. Then

cd \winnt\system

attrib -r -h -s smsc.exe

del smsc.exe

mkdir smsc.exe

attrib -r -h -s smscLIXO.exe

del smscLIXO.exe

mkdir smscLIXO.exe

cd \winnt\system32

attrib -r -h -s sysdrv32.sys

del sysdrv32.sys

mkdir sysdrv32.sys

attrib -r -h -s *.scr

del *.scr

mkdir 00.scr
mkdir 01.scr
...
mkdir 99.scr

(It's a bit tedious but you could write a little script to do it or put the whole thing in a batch file.)

That should keep the bug from coming back since windows won't allow a file with the same name as a folder. I would like to see an OTL log from an infected system. (Step 5 of the Malware Removal guide at the top of this forum.)

Ron

Edited by RKinner, 02 April 2010 - 02:56 PM.

  • 0
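Ron's Safe Mode sequence above, written out as a batch file so the hundred mkdir lines do not have to be typed by hand. This is an added example, not Ron's own script: it assumes Windows is installed under %SystemRoot% (C:\WINNT on these Win2K boxes, as the MBAM log shows) and uses only the file names given in the thread.

```batch
@echo off
rem Added example, not from the original post. Automates Ron's Safe Mode steps:
rem delete each dropper named in the thread and create a folder with the same
rem name so the infection cannot write the file back. Run from Safe Mode with
rem Command Prompt, as Administrator, on one machine at a time.
rem Assumption: Windows lives in %SystemRoot% (C:\WINNT on Win2K, per the MBAM log).
setlocal enabledelayedexpansion

rem Loader and driver names given in the thread
call :block "%SystemRoot%\system\smsc.exe"
call :block "%SystemRoot%\system\smscLIXO.exe"
call :block "%SystemRoot%\system32\sysdrv32.sys"

rem Numbered droppers 00.scr .. 99.scr in system32, the ones MBAM kept finding
for /L %%N in (0,1,99) do (
    rem Zero-pad the counter so 5 becomes 05 and 23 stays 23
    set "NUM=0%%N"
    set "NUM=!NUM:~-2!"
    call :block "%SystemRoot%\system32\!NUM!.scr"
)

echo Done. Reboot and install the MS08-067 patch before reconnecting to the network.
endlocal
exit /b 0

:block
rem %~1 = full path. Leaves an existing folder alone; otherwise strips the
rem read-only/hidden/system attributes, deletes the file and creates a folder.
if exist "%~1\" (
    echo Already a folder: %~1
    exit /b 0
)
if exist "%~1" (
    attrib -r -h -s "%~1"
    del /f /q "%~1"
)
mkdir "%~1" && echo Blocked: %~1 || echo FAILED to create folder: %~1
exit /b 0
```

Save it as block.bat, run it once per machine from Safe Mode with Command Prompt, and run it again after the reboot to confirm every path now reports "Already a folder".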

#3
luisjf

luisjf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello Ron
Thanks for the answer; since it took a long time to get an answer, I thought that nobody could answer me. I was on a little holiday meanwhile.
About my problem, I will do the things you have suggested, and will post tomorrow, or the day after tomorrow, a new reply with my conclusions. This is a very good help to start.
Thanks again
luis fernandes
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
No problem. Whenever you get the time.

Ron
  • 0

#5
luisjf

luisjf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello Ron
Thanks again for your attention. I have done part of the job: I have cleaned the computers one by one, using Stinger and FlashCleaner, and installed the anti-autorun program you pointed to. Next I installed the Microsoft patch on each one. It seems that most of the virus traffic has gone. Malware, active on most computers, doesn't show virus activity now. Today I had no time to complete the job, and tomorrow I will start again. Meanwhile, could you explain what you mean by the command to be used in the DOS prompt, which you posted between ***, since cmd says that that command, reg.exe delete, doesn't exist in the CMD prompt or DOS? I suppose that you were talking about regedit.exe, but I had no time to test today. I have inspected HKCU, focused on this command, and didn't find "mountpoints2" on the one computer I tried. For me it is apparent that this HKCU key is related to some autorun or automount of disks; could you explain the meaning of /f?
The command lines to be done manually, are they only to remove files like smsc.exe, or are they to create a file of the same name, just to prevent the new file from the virus from being reinstalled?
Please clarify those two things for me.
Tomorrow I will post one OTL log, or more who knows.
thanks again
luis fernandes
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
The reg command may not exist in Win2K. I no longer have one to test on. What the /f does is remove everything under the key [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2], which you can do manually with regedit.

If you look at your OTL log under O33 you will see what we are trying to get rid of:

O33 - MountPoints2\{783e9451-a47c-11dd-97df-00112fb69460}\Shell\AutoRun\command - "" = K:\setupSNK.exe -- File not found
O33 - MountPoints2\{fb81a4ce-3e1f-11dd-97a7-00112fb69460}\Shell\AutoRun\command - "" = O:\wd_windows_tools\WDEULA.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\wd_windows_tools\WDEULA.exe -- File not found

These are just examples (of benign things). Can't seem to find a bad one at the moment. This key tells windows what to do if it sees a familiar file on a USB drive.

Again I don't have a Win2K any more so it's possible that it doesn't even use the key.

We want to remove the bad file and replace it with a folder of the same name. Since Windows can't have a file and a folder in the same place with the same name, this will prevent the infection from making itself at home again. This is probably not necessary if you patch every PC and kill off the infection once and for all, but if you had to do one at a time and reconnect it to a dirty network, then it would be one way of preventing it from getting reinfected.

Ron
  • 0

#7
luisjf

luisjf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello Ron
Thanks again for your time; if you can read this new reply, it is very important for me.
Today I have done an OTL scan on one of the infected computers; I will attach it here (computer name SNT-1_S11).
After that, I installed those two programs to prevent autoruns from executing or reinfecting, and to do a cleaning if necessary.
Next I installed the same programs on one XP machine installed just to connect USB pens to extract data (the only one used now, just to avoid problems on the 2003 server).
After some tests I found several pens with infection, or something detected like that, by the program aesetup2.4. In this phase, I noticed a strange behaviour (on the XP computer we added to the network just to connect USB pens to extract data): aesetup2.4 was complaining about autorun on the pen. After ordering the cleaning, the symptoms returned again and again, several times. Finally I used the "Disinfector" and the symptoms stopped. I tried another USB pen and the behaviour returned again. Again I used the Disinfector, with success.
I have done an OTL scan on this machine, and will attach it too. I found in the log something related to the "mountpoints2" we talked about, but I do not know what that means. Could you take a look at it and advise what to do now?
(Computer name "logger") or something like HPxxxxxx
thanks again
luis fernandes

Attached Files


  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Please copy and paste your logs. Do not attach them. It makes it much harder for us to read and analyze.

O33 - MountPoints2\{369d242c-37f5-11df-b334-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()

What this is saying is that on drive E: there is a Read Only, Hidden, System file called ise32.exe, and the file can be found in \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\. Since no legitimate file would run from the recycle bin, this is definitely bad.

However,

O32 - AutoRun File - [2010/04/12 20:27:46 | 000,000,000 | ---D | M] - E:\autorun.inf

says there is a directory called autorun.inf on E: in the root directory. This is what flash_disinfector does to keep the usb drive from running. The infection uses a file (not a directory) of the same name (which you can open in notepad) and which would normally tell windows to run the file on E: in \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe.

NOTE: To see hidden system files you need to right click on Start and select Explore then Tools, Folder Options,
# After the new window appears select the View tab.
# Put a checkmark in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
# Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
# Remove the checkmark from the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button

(Above instructions are for XP but I think it's about the same in Win2K)

Now this one:

O33 - MountPoints2\{83ba3527-110c-11dd-b327-001560591645}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found

is legitimate. LaunchU3.exe is used by certain brands of USB drives such as SanDisk. However, from what I have read it does not work well on Win2K. I would not use any drives which have U3 on the housing.

"LaunchU3.exe belongs to the U3Launcher software created by U3 LLC. This software provides a proprietary method to auto-launch applications from specially formatted USB flash drives. These USB flash drives are called smart drives and have the U3 Launchpad installed on them.

LaunchU3.exe copies and unpacks zip files on the host machine. This process also presents the user interface. Another file, autorun.inf, automatically launches the LaunchU3 executable if auto-run is enabled for your CD/DVD drive. LaunchU3 may also be configured to auto-run U3 drives even when the CD auto-run feature is disabled.

If you insert a smart drive into a PC, the LaunchPad.exe program runs automatically. If you click on the icon in the system tray, a user interface will appear along with the list of supported functions. You may add or remove programs and view program information. You may also be able to set the device to run automatically on Startup.

What are the problems associated with LaunchU3.exe?

Although this feature is quite handy, it is available only on newer Windows operating systems: Windows XP and Windows Vista. The feature is not available on older operating systems and other operating systems, such as Mac. LaunchU3.exe is known to cause various problems on Mac computers. The LaunchU3.exe found on a Mac computer is usually locked, and you can delete it if it is creating problems. To delete this file, right-click on the file and clear the check box that locks the file. Now you should be able to delete the file."

To remove the mountpoints (on the OTL_Logger2 system), if the reg command does not work you can use OTL:


Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************
:OTL
O33 - MountPoints2\{369d242c-37f5-11df-b334-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{369d242c-37f5-11df-b334-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{369d242d-37f5-11df-b334-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{369d242d-37f5-11df-b334-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{3f6ecfa6-1985-11dc-b31d-000e0cb8ee9a}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{3f6ecfa6-1985-11dc-b31d-000e0cb8ee9a}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{7c314325-2ddc-11df-b333-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{7c314325-2ddc-11df-b333-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{83ba3527-110c-11dd-b327-001560591645}\Shell - "" = AutoRun
O33 - MountPoints2\{83ba3527-110c-11dd-b327-001560591645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{83ba3527-110c-11dd-b327-001560591645}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{83ba352c-110c-11dd-b327-001560591645}\Shell - "" = AutoRun
O33 - MountPoints2\{83ba352c-110c-11dd-b327-001560591645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{83ba352c-110c-11dd-b327-001560591645}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{83ba352d-110c-11dd-b327-001560591645}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{83ba352d-110c-11dd-b327-001560591645}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{83ba352f-110c-11dd-b327-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{83ba352f-110c-11dd-b327-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{9b287992-e941-11dd-b32e-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{9b287992-e941-11dd-b32e-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{b5e5aee0-908d-11dd-b328-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{b5e5aee0-908d-11dd-b328-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{f18588c5-b489-11dd-b32c-001560591645}\Shell\AutoRun\command - "" = M:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{f18588c5-b489-11dd-b32c-001560591645}\Shell\open\command - "" = M:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{f18588c7-b489-11dd-b32c-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{f18588c7-b489-11dd-b32c-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{f18588c8-b489-11dd-b32c-001560591645}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{f18588c8-b489-11dd-b32c-001560591645}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008/04/15

:Commands
[purity]
[emptytemp]
[Reboot]

*******************************************************************

then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl+V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

OTL_Logger2 shows that these three files were modified recently:

[2010/04/01 11:15:42 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/01 11:15:42 | 000,000,506 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/01 11:15:42 | 000,000,211 | RHS- | M] () -- C:\boot.ini

You can open them in notepad to see what is going on. If you are not sure then copy and paste the text and put it in a reply.

In OTL_SNT_1_S11.Txt we can see the infection is still present:

[2010-04-13 03:09:34 | 000,067,584 | ---- | C] () -- C:\WINNT\System32\75.scr
[2010-04-12 18:20:51 | 000,067,584 | ---- | C] () -- C:\WINNT\System32\73.scr
[2010-04-12 16:25:42 | 000,063,488 | ---- | C] () -- C:\WINNT\System32\60.scr

Though it doesn't appear to be active.

Ron
  • 0
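A read-only check that turns Ron's two readings above (the O32 autorun.inf folder versus a real autorun.inf file, and the O33 entry pointing at an .exe under \RECYCLER\S-1-5-*) into something you can run on each box and each pen. This is an added example, not OTL's or Ron's code; it assumes only cmd, attrib and findstr, which 2000 and XP ship with, and skips the floppy letters A: and B:.

```batch
@echo off
rem Added example, not from the original thread. Read-only triage of the two
rem autorun findings Ron explains above. Per drive letter it reports whether
rem autorun.inf is a folder (Flash_Disinfector's protection) or a file (an
rem autorun that can launch something, so its launch lines are shown), and
rem lists any .exe parked under \RECYCLER\S-1-5-*\ as with ise32.exe.
rem Nothing is changed. Run from an Administrator Command Prompt.
setlocal

for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\" call :check %%D:
)
endlocal
exit /b 0

:check
set "DRV=%1"
if exist "%DRV%\autorun.inf\" (
    echo [%DRV%] autorun.inf is a FOLDER: protected
) else if exist "%DRV%\autorun.inf" (
    echo [%DRV%] autorun.inf is a FILE: check what it launches
    rem Attributes first: a hidden/system autorun.inf on a data drive is a bad sign
    attrib "%DRV%\autorun.inf"
    rem Then the launch directives Explorer would honour
    findstr /i /r "^open= ^shellexecute= ^shell\\" "%DRV%\autorun.inf"
) else (
    echo [%DRV%] no autorun.inf
)
rem dir /a is used because plain for-loops skip hidden and system entries
for /f "delims=" %%S in ('dir /b /ad "%DRV%\RECYCLER\S-1-5-*" 2^>nul') do (
    for /f "delims=" %%F in ('dir /b /a-d "%DRV%\RECYCLER\%%S\*.exe" 2^>nul') do (
        echo [%DRV%] SUSPICIOUS executable: %DRV%\RECYCLER\%%S\%%F
        attrib "%DRV%\RECYCLER\%%S\%%F"
    )
)
exit /b 0
```

Any drive that reports a FILE autorun.inf or a SUSPICIOUS executable is one to run Flash_Disinfector on and to include in the next OTL log.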

#9
luisjf

luisjf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello Ron
Thanks again for your time and patience.
I have done an OTL "fix" with the parameters you posted, and now I am coming back with a new OTL scan result from that machine. Here it is:

OTL logfile created on: 4/19/2010 10:31:54 AM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\mac\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format:

503.00 Mb Total Physical Memory | 59.00 Mb Available Physical Memory | 12.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 9.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.51 Gb Total Space | 62.84 Gb Free Space | 84.34% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
Drive E: | 3.72 Gb Total Space | 0.65 Gb Free Space | 17.45% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP22552173873
Current User Name: mac
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mac\Desktop\OTL.exe
PRC - [2009/05/26 22:57:08 | 000,411,108 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\billy.exe
PRC - [2009/05/26 22:54:10 | 000,549,400 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\oldmcdonald.exe
PRC - [2009/04/02 09:36:14 | 000,204,800 | ---- | M] () -- C:\Program Files\ILC\MaxView\Persistence Service\wrapper.exe
PRC - [2007/12/14 23:21:44 | 005,754,880 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2005/09/23 13:43:44 | 000,131,072 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
PRC - [2005/09/23 13:43:44 | 000,102,400 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
PRC - [2005/08/26 15:55:46 | 000,049,248 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_05\bin\java.exe
PRC - [2005/04/17 12:31:56 | 000,038,648 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\CBA\pds.exe
PRC - [2005/04/17 12:31:42 | 000,908,992 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec System Center\NscTop.exe
PRC - [2005/04/17 12:31:18 | 001,726,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\SAV\Rtvscan.exe
PRC - [2005/04/17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\SAV\VPTray.exe
PRC - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\SAV\DefWatch.exe
PRC - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/04/08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/09/15 12:34:46 | 000,041,042 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
PRC - [2004/08/04 04:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 04:00:00 | 000,214,528 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe
PRC - [2004/08/04 00:56:58 | 000,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2004/06/20 20:45:28 | 000,630,854 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2003/07/30 13:08:58 | 000,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/09/20 19:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2002/07/26 09:42:40 | 000,376,832 | ---- | M] () -- C:\Program Files\ILC\MaxView\Broker\SNMP\snmpdm.exe
PRC - [2002/07/26 09:42:40 | 000,073,728 | ---- | M] () -- C:\Program Files\ILC\MaxView\Broker\SNMP\msnsaagt.exe
PRC - [1999/03/30 19:38:18 | 000,043,280 | R--- | M] () -- C:\WINDOWS\system32\rkillsrv.exe
PRC - [1998/07/24 16:38:52 | 000,018,192 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rcmdsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mac\Desktop\OTL.exe
MOD - [2004/08/04 04:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/04/02 09:36:14 | 000,204,800 | ---- | M] () [Auto | Running] -- C:\Program Files\ILC\MaxView\Persistence Service\wrapper.exe -- (MaxView Persistence Service)
SRV - [2007/12/14 23:21:44 | 005,754,880 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2005/09/23 13:43:44 | 000,102,400 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe -- (Tomcat5)
SRV - [2005/04/17 12:31:56 | 000,038,648 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\WINDOWS\system32\CBA\pds.exe -- (Intel PDS)
SRV - [2005/04/17 12:31:42 | 000,908,992 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec System Center\NscTop.exe -- (NSCTOP)
SRV - [2005/04/17 12:31:18 | 001,726,656 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\SAV\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\SAV\DefWatch.exe -- (DefWatch)
SRV - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/04/08 15:54:50 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2004/09/15 12:33:38 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Stopped] -- C:\Program Files\Apache Group\Apache2\bin\Apache.exe -- (Apache2)
SRV - [2004/08/04 00:56:58 | 000,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2004/06/20 20:45:28 | 000,630,854 | ---- | M] (UltraVNC) [Auto | Running] -- C:\Program Files\UltraVNC\winvnc.exe -- (winvnc)
SRV - [2002/09/20 19:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - [2002/07/26 09:42:40 | 000,376,832 | ---- | M] () [Auto | Running] -- C:\Program Files\ILC\MaxView\Broker\SNMP\snmpdm.exe -- (snmpdm)
SRV - [2002/07/26 09:42:40 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\Program Files\ILC\MaxView\Broker\SNMP\msnsaagt.exe -- (msnsa)
SRV - [1999/03/30 19:38:18 | 000,043,280 | R--- | M] () [Auto | Running] -- C:\WINDOWS\system32\rkillsrv.exe -- (Remote Kill Server)
SRV - [1998/07/24 16:38:52 | 000,018,192 | R--- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rcmdsvc.exe -- (Remote Command Server)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hp22552173873...in/reportgen.pl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2008/08/08 10:48:46 | 000,003,570 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 172.27.185.220 SESIMBRA-DTA
O1 - Hosts: 172.27.185.224 SESIMBRA-DTABU
O1 - Hosts: 172.27.185.226 SESIMBRA-DTB
O1 - Hosts: 172.27.185.41 SESIMBRA_S1
O1 - Hosts: 172.27.185.131 SESIMBRA-ETHERTRAK1
O1 - Hosts: 172.27.185.132 SESIMBRA-ETHERTRAK2
O1 - Hosts: 172.27.184.220 CARCAVELOS-DT
O1 - Hosts: 172.27.184.224 CARCAVELOS-DTB
O1 - Hosts: 172.27.184.41 CARCAVELOS_S1
O1 - Hosts: 172.27.184.131 CARCAVELOS-ETHERTRAK1
O1 - Hosts: 172.27.184.132 CARCAVELOS-ETHERTRAK2
O1 - Hosts: 172.27.155.220 PONTADELGADASMS
O1 - Hosts: 172.27.155.225 PDELGADASMS-BU
O1 - Hosts: 172.27.155.224 PONTADELGADA-NB
O1 - Hosts: 172.27.155.131 PONTADELGADASMS-ETHERTRAK1
O1 - Hosts: 172.27.155.132 PONTADELGADASMS-ETHERTRAK2
O1 - Hosts: 172.27.164.220 FUNCHAL-DT
O1 - Hosts: 172.27.164.131 FUNCHAL-ETHERTRAK1
O1 - Hosts: 172.27.164.132 FUNCHAL-ETHERTRAK2
O1 - Hosts: 172.27.175.222 TESTES
O1 - Hosts: 172.27.175.221 MAC-GENERAL
O1 - Hosts: 172.27.175.225 SINTRA1-SRV2
O1 - Hosts: 172.27.175.231 SINTRA-SRV-BU
O1 - Hosts: 172.27.175.232 SINTRA-LOGGER
O1 - Hosts: 99 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ApacheTomcatMonitor] C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe (Apache Software Foundation)
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\SAV\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe (Apache Software Foundation)
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll (Sun Microsystems, Inc.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/14 07:21:26 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2010/04/12 20:27:46 | 000,000,000 | ---D | M] - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/19 10:30:05 | 000,000,000 | ---D | C] -- C:\.tonbeller
[2010/04/19 10:26:39 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/14 10:10:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mac\My Documents\OTLlogs
[2010/04/14 09:58:12 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\mac\Desktop\OTL.exe
[2010/04/14 07:21:24 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/04/13 15:10:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2010/04/13 15:10:07 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2004/11/21 02:29:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/11/21 02:29:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/11/21 02:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/11/21 02:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/04/19 10:33:14 | 000,444,728 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/19 10:33:14 | 000,384,660 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/19 10:33:14 | 000,053,734 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/19 10:31:46 | 002,359,296 | -H-- | M] () -- C:\Documents and Settings\mac\NTUSER.DAT
[2010/04/19 10:28:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/19 10:28:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/19 10:28:38 | 527,962,112 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/19 10:27:52 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\mac\ntuser.ini
[2010/04/19 07:12:10 | 000,001,174 | -H-- | M] () -- C:\Documents and Settings\mac\My Documents\Default.rdp
[2010/04/19 01:00:04 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\MVCleandb.job
[2010/04/18 23:00:02 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\MVSpace.job
[2010/04/18 22:00:12 | 000,000,360 | ---- | M] () -- C:\WINDOWS\tasks\MVArchiver.job
[2010/04/14 07:47:36 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\mac\Desktop\Logger-SINTRA.url
[2010/04/13 15:10:10 | 000,000,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2010/04/12 17:37:48 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\mac\Desktop\DESINFECTAR AS CANETAS Flash_Disinfector.exe

========== Files Created - No Company Name ==========

[2010/04/14 07:47:34 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\mac\Desktop\Logger-SINTRA.url
[2010/04/13 15:10:48 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\mac\Desktop\DESINFECTAR AS CANETAS Flash_Disinfector.exe
[2010/04/13 15:10:08 | 000,000,574 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2010/03/19 07:52:17 | 000,000,490 | ---- | C] () -- C:\WINDOWS\EventManager.ini
[2010/03/19 07:52:15 | 000,000,136 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/07/08 14:33:24 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\NTEventLogAppender.dll
[2008/09/09 08:18:39 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\mac\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/29 07:36:22 | 000,000,067 | ---- | C] () -- C:\WINDOWS\PPM.INI
[2007/01/29 06:41:37 | 000,000,980 | ---- | C] () -- C:\WINDOWS\CCWTERM.INI
[2005/12/20 02:46:15 | 000,327,680 | ---- | C] () -- C:\Program Files\Common Files\UnPackIt
[2005/08/03 00:37:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/11/21 02:43:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/11/21 02:39:10 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/08/04 04:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 04:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2002/05/08 05:12:22 | 000,001,065 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== LOP Check ==========

[2010/04/13 15:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2010/04/19 01:00:04 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\MVCleandb.job
[2010/04/18 23:00:02 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\MVSpace.job
[2010/04/18 22:00:12 | 000,000,360 | ---- | M] () -- C:\WINDOWS\Tasks\MVArchiver.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/02/03 00:36:44 | 000,028,773 | ---- | M] () MD5=2BC34697A3E62DBE977FF29DBDF190A4 -- C:\Perl\site\lib\auto\Win32\EventLog\EventLog.dll
[2004/08/04 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/04 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2002/04/04 01:32:06 | 000,028,416 | R--- | M] (LSI Logic) MD5=F2B7E8416F508368AC6730E2AE1C614F -- C:\WINDOWS\system32\drivers\symmpi.sys

< %systemroot%\*./mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/09 02:20:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/09 02:20:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/09 02:20:08 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%system32\drivers\*.sys /90 >
< End of report >
_____________________________________________________________
I will also post here the 3 files you talked about.
SYSTEM.INI
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
device=vppm.386
device=ppm.386
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
Com1AutoAssign=0
Com2AutoAssign=0
Com3AutoAssign=0
Com4AutoAssign=0
NetHeapSize=40
device=C:\WINDOWS\MICROCOM\ccvxd.386
device=C:\WINDOWS\MICROCOM\mcvcomm.386
device=C:\WINDOWS\MICROCOM\ccrpvxd.386
device=C:\WINDOWS\MICROCOM\ccrdvxd.386

WIN.INI
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[Intel]
CurrentLanguage=enu

BOOT.INI
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
_______________________________________________________________________________________________
There is another computer's OTL log that I would like you to take a look at. I saw a notice from the installed Symantec antivirus that two viruses were deleted recently.
Here it is:
OTL logfile created on: 4/19/2010 3:59:48 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Advanced Server Edition Service Pack 4 (Version = 5.0.2195) - Type = NTServer
Internet Explorer (Version = 6.0.2600.0000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 245.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): D:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 1.99 Gb Total Space | 0.05 Gb Free Space | 2.38% Space Free | Partition Type: NTFS
Drive D: | 7.33 Gb Total Space | 0.46 Gb Free Space | 6.33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 2.85 Gb Total Space | 0.89 Gb Free Space | 31.10% Space Free | Partition Type: FAT
Drive G: | 6.69 Gb Total Space | 5.50 Gb Free Space | 82.25% Space Free | Partition Type: NTFS
Drive H: | 3.72 Gb Total Space | 0.58 Gb Free Space | 15.52% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: MAC-GENERAL
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/05/26 22:57:08 | 000,411,108 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\billy.exe
PRC - [2009/05/26 22:54:10 | 000,549,400 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\oldmcdonald.exe
PRC - [2005/04/17 12:31:18 | 001,726,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/04/17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/04/08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/06/03 21:05:08 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
PRC - [2003/06/20 12:00:00 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/20 12:00:00 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\winmgmt.exe
PRC - [2003/06/20 12:00:00 | 000,185,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe
PRC - [2003/06/20 12:00:00 | 000,090,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\dfssvc.exe
PRC - [2003/06/20 12:00:00 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/20 12:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\tcpsvcs.exe
PRC - [2003/06/20 12:00:00 | 000,014,608 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\inetsrv\inetinfo.exe
PRC - [1998/07/24 16:38:52 | 000,018,192 | R--- | M] (Microsoft Corporation) -- C:\WINNT\system32\rcmdsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2003/06/20 12:00:00 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/30 14:55:18 | 000,235,344 | ---- | M] (Malwarebytes Corporation) [On_Demand | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/10/20 18:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/04/26 11:09:02 | 000,136,456 | ---- | M] (MG-SOFT Corporation, Strma ulica 8, SI-2000 Maribor, Slovenia. Internet: http://www.mg-soft.com/ E-mail: <[email protected]>) [On_Demand | Stopped] -- C:\Program Files\MG-SOFT\MIB Browser\Bin\MgWTrap3.exe -- (MG-SOFT SNMP Trap Service)
SRV - [2007/02/13 12:53:34 | 000,836,012 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\ILC\MaxView\MComm\mcomm.exe -- (MaxView Communications Server)
SRV - [2005/04/17 12:31:18 | 001,726,656 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/04/17 12:30:42 | 000,124,608 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/04/08 15:54:50 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2003/06/20 12:00:00 | 000,745,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\ntfrs.exe -- (NtFrs)
SRV - [2003/06/20 12:00:00 | 000,326,416 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\dns.exe -- (DNS)
SRV - [2003/06/20 12:00:00 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\winmgmt.exe -- (WinMgmt)
SRV - [2003/06/20 12:00:00 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/20 12:00:00 | 000,145,168 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\wins.exe -- (WINS) Windows Internet Name Service (WINS)
SRV - [2003/06/20 12:00:00 | 000,142,608 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINNT\system32\termsrv.exe -- (TermService)
SRV - [2003/06/20 12:00:00 | 000,119,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/20 12:00:00 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\faxsvc.exe -- (Fax)
SRV - [2003/06/20 12:00:00 | 000,090,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\dfssvc.exe -- (Dfs)
SRV - [2003/06/20 12:00:00 | 000,085,264 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\sfmprint.exe -- (MacPrint)
SRV - [2003/06/20 12:00:00 | 000,083,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\llssrv.exe -- (LicenseService)
SRV - [2003/06/20 12:00:00 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/20 12:00:00 | 000,068,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\sfmsvc.exe -- (MacFile)
SRV - [2003/06/20 12:00:00 | 000,030,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\snmp.exe -- (SNMP)
SRV - [2003/06/20 12:00:00 | 000,025,872 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINNT\system32\ismserv.exe -- (IsmServ)
SRV - [2003/06/20 12:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\tcpsvcs.exe -- (SimpTcp)
SRV - [2003/06/20 12:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\tcpsvcs.exe -- (LPDSVC)
SRV - [2003/06/20 12:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\tcpsvcs.exe -- (DHCPServer)
SRV - [2003/06/20 12:00:00 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/20 12:00:00 | 000,014,608 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2003/06/20 12:00:00 | 000,014,608 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (MSFTPSVC)
SRV - [2003/06/20 12:00:00 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2003/06/20 12:00:00 | 000,007,440 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\ias.dll -- (IAS)
SRV - [1998/07/24 16:38:52 | 000,018,192 | R--- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\rcmdsvc.exe -- (Remote Command Server)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://snt-1_s2/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009/01/14 13:52:17 | 000,003,578 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 172.27.185.220 SESIMBRA-DTA
O1 - Hosts: 172.27.185.224 SESIMBRA-DTABU
O1 - Hosts: 172.27.185.226 SESIMBRA-DTB
O1 - Hosts: 172.27.185.41 SESIMBRA_S1
O1 - Hosts: 172.27.185.131 SESIMBRA-ETHERTRAK1
O1 - Hosts: 172.27.185.132 SESIMBRA-ETHERTRAK2
O1 - Hosts: 172.27.184.220 CARCAVELOS-DT
O1 - Hosts: 172.27.184.224 CARCAVELOS-DTB
O1 - Hosts: 172.27.184.41 CARCAVELOS_S1
O1 - Hosts: 172.27.184.131 CARCAVELOS-ETHERTRAK1
O1 - Hosts: 172.27.184.132 CARCAVELOS-ETHERTRAK2
O1 - Hosts: 172.27.155.220 PONTADELGADASMS
O1 - Hosts: 172.27.155.225 PDELGADASMS-BU
O1 - Hosts: 172.27.155.224 PONTADELGADA-NB
O1 - Hosts: 172.27.155.131 PONTADELGADASMS-ETHERTRAK1
O1 - Hosts: 172.27.155.132 PONTADELGADASMS-ETHERTRAK2
O1 - Hosts: 172.27.164.220 FUNCHAL-DT
O1 - Hosts: 172.27.164.131 FUNCHAL-ETHERTRAK1
O1 - Hosts: 172.27.164.132 FUNCHAL-ETHERTRAK2
O1 - Hosts: 172.27.175.222 TESTES
O1 - Hosts: 172.27.175.221 MAC-GENERAL
O1 - Hosts: 172.27.175.225 SINTRA1-SRV2
O1 - Hosts: 172.27.175.231 SINTRA-SRV-BU
O1 - Hosts: 172.27.175.232 SINTRA-LOGGER
O1 - Hosts: 101 more lines...
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll (Sonic Solutions)
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StorageGuard] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\rnr20.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINNT\system32\NavLogon.dll - C:\WINNT\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/24 11:33:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/24 11:19:49 | 000,000,046 | ---- | M] () - C:\AUTOEXEC.SOL -- [ NTFS ]
O32 - AutoRun File - [2010/04/12 20:27:46 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINNT\system32\ias.dll (Microsoft Corporation)
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found
SystemRestore not available.

========== Files/Folders - Created Within 14 Days ==========

[2010/04/19 15:58:00 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/04/13 14:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2010/04/13 14:13:05 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/19 15:59:41 | 001,150,976 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/04/14 13:03:28 | 000,000,636 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HOSTs.lnk
[2010/04/13 14:13:37 | 000,000,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2010/04/12 19:16:18 | 000,002,382 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\OTLexecutar.cfg
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/19 15:57:25 | 000,002,382 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\OTLexecutar.cfg
[2010/04/13 14:13:37 | 000,000,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2010/03/26 18:49:59 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2010/03/24 14:42:20 | 000,000,000 | ---- | C] () -- C:\WINNT\VPC32.INI
[2009/10/20 18:19:30 | 000,053,299 | ---- | C] () -- C:\WINNT\System32\pthreadVC.dll
[2007/09/13 07:55:28 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/03/09 08:43:45 | 000,029,184 | ---- | C] () -- C:\WINNT\System32\kWab.dll
[2005/09/28 16:26:34 | 000,000,244 | ---- | C] () -- C:\WINNT\System32\nirpc.ini
[2005/06/10 10:00:00 | 000,007,140 | ---- | C] () -- C:\WINNT\System32\drivers\cvintdrv.sys
[2004/10/19 15:15:47 | 000,000,073 | ---- | C] () -- C:\WINNT\hdkctnts.ini
[2004/10/19 15:15:47 | 000,000,027 | ---- | C] () -- C:\WINNT\SIOMAP.INI
[2004/10/19 14:37:23 | 000,000,069 | ---- | C] () -- C:\WINNT\sixtrak.ini
[2004/10/19 14:37:19 | 000,417,850 | ---- | C] () -- C:\WINNT\System32\iobase32.dll
[2004/10/19 14:37:19 | 000,167,936 | ---- | C] () -- C:\WINNT\System32\udrcom32.dll
[2004/09/10 13:57:27 | 000,000,138 | ---- | C] () -- C:\WINNT\wininit.ini
[2004/09/02 15:30:21 | 000,007,551 | ---- | C] () -- C:\WINNT\System32\drivers\U3sHlpDr.sys
[2004/07/29 14:31:58 | 000,012,351 | ---- | C] () -- C:\WINNT\System32\i81xcoin.dll
[2004/07/28 15:27:05 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2004/07/28 15:26:00 | 000,002,360 | ---- | C] () -- C:\WINNT\System32\dhcpctrs.ini
[2004/07/28 15:22:51 | 000,007,854 | ---- | C] () -- C:\WINNT\System32\ftpctrs.ini
[2004/07/28 15:22:50 | 000,038,523 | ---- | C] () -- C:\WINNT\System32\w3ctrs.ini
[2004/07/28 15:22:49 | 000,011,355 | ---- | C] () -- C:\WINNT\System32\infoctrs.ini
[2004/07/28 15:22:48 | 000,011,400 | ---- | C] () -- C:\WINNT\System32\dnsperf.ini
[2004/07/28 15:22:47 | 000,014,745 | ---- | C] () -- C:\WINNT\System32\CPSsym.ini
[2004/07/28 15:22:22 | 000,009,584 | ---- | C] () -- C:\WINNT\System32\axperf.ini
[2003/06/20 14:00:06 | 000,000,000 | ---- | C] () -- C:\WINNT\System32\px.ini
[2003/06/20 12:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2003/06/20 12:00:00 | 000,133,752 | ---- | C] () -- C:\WINNT\System32\schema.ini
[2003/06/20 12:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2003/06/20 12:00:00 | 000,022,582 | ---- | C] () -- C:\WINNT\System32\ntdsctrs.ini
[2003/06/20 12:00:00 | 000,020,386 | ---- | C] () -- C:\WINNT\System32\ntfrsrep.ini
[2003/06/20 12:00:00 | 000,017,168 | ---- | C] () -- C:\WINNT\System32\ismsink.dll
[2003/06/20 12:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2003/06/20 12:00:00 | 000,005,597 | ---- | C] () -- C:\WINNT\System32\ntfrscon.ini
[2003/06/20 12:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[2002/05/24 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINNT\System32\lockout.dll
[2002/05/24 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\lockres.dll
[1999/09/25 10:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 10:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== LOP Check ==========

[2008/12/17 09:25:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2005/02/09 11:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\VERITAS
[2010/03/23 16:46:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wireshark
[2010/04/13 14:13:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2007/07/11 15:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MG-SOFT
[2010/03/24 08:19:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rising
[2010/03/24 11:33:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2003/06/20 12:00:00 | 000,150,528 | RHS- | M] () -- C:\arcldr.exe
[2003/06/20 12:00:00 | 000,163,840 | RHS- | M] () -- C:\arcsetup.exe


< MD5 for: AGP440.SYS >
[2003/06/20 12:00:00 | 006,553,075 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp4.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2003/06/20 12:00:00 | 006,553,075 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp4.cab:atapi.sys
[2003/06/20 12:00:00 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- C:\WINNT\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2003/06/20 12:00:00 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- C:\WINNT\system32\dllcache\eventlog.dll
[2003/06/20 12:00:00 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- C:\WINNT\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2003/06/20 12:00:00 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- C:\WINNT\system32\dllcache\netlogon.dll
[2003/06/20 12:00:00 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- C:\WINNT\system32\netlogon.dll
[2003/06/20 12:00:00 | 000,013,072 | ---- | M] (Microsoft Corporation) MD5=BB2A715595BCA726A8D185BDECF31072 -- C:\WINNT\system32\NETMON\PARSERS\NETLOGON.DLL

< MD5 for: SCECLI.DLL >
[2003/06/20 12:00:00 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- C:\WINNT\system32\dllcache\scecli.dll
[2003/06/20 12:00:00 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- C:\WINNT\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINNT\system32\*.tmp files -> C:\WINNT\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/07/28 14:56:48 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2004/07/28 14:56:48 | 000,532,480 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2004/07/28 14:56:48 | 000,360,448 | ---- | M] () -- C:\WINNT\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/03/26 18:50:10 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINNT\system32\drivers\tmcomm.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Microsoft UAM Volume:AFP_AfpInfo
@Alternate Data Stream - 44 bytes -> C:\Microsoft UAM Volume:AFP_DeskTop
@Alternate Data Stream - 4096 bytes -> C:\Microsoft UAM Volume:AFP_IdIndex
< End of report >

#10 RKinner (Malware Expert, MVP, 24,625 posts)
Everything looks clean. Usually I want to see a combofix log to say for sure but I'm not sure it will run on Win2K.

You do have a very old version of Java on the second machine. That version was known for its security holes. Either uninstall it or upgrade it to the latest http://www.java.com/...nload/index.jsp and then uninstall the old version. The first one also has an old version of Java. Not as bad as 1.4.2 but still not 6 Update 20.

I assume you know what these tasks are doing?

[2010/04/19 01:00:04 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\MVCleandb.job
[2010/04/18 23:00:02 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\MVSpace.job
[2010/04/18 22:00:12 | 000,000,360 | ---- | M] () -- C:\WINDOWS\Tasks\MVArchiver.job

Ron

#11 luisjf (New Member, Topic Starter, 7 posts)
Hello Ron
Thanks again for your help. Those 3 files are related to a "logger program" which should clean the database in MySQL from time to time and archive the contents. That's what that machine does. At the moment this XP/logger is in standby, and the logger in use is on the 2003 machine. The 2003 machine has a frozen desktop, and we do not know if it is a Windows problem, a hardware problem or even some kind of virus problem. It doesn't let us execute anything. But we can access it just using the XP computer, to retrieve data from the MySQL database.

In another machine, the weakest of the network, I found two occurrences of one "virus or spybot" with the name "eraseme****.exe". The Malwarebytes program detected it and cleaned it, but the Stinger version I had used before didn't. I don't know why, but I have lost the Malwarebytes log related to this cleaning process. Do you know this kind of virus?
If you can take a look, I will attach the image captured with Print Screen. I don't know another way to show you this. Sorry, I know you don't like attachments. Tomorrow I will try to do an OTL scan, and even a ComboFix, if I find out how to do that.
Thanks again
luis fernandes

Attached Files



#12 RKinner (Malware Expert, MVP, 24,625 posts)
Eraseme exploits an old vulnerability to spread in your network so you need to make sure you have installed:

http://support.micro...om/?kbid=823980

(I remember when a similar thing went through our company network using this vulnerability. My computer was the only one which wasn't infected because against company policy I was running Zone Alarm's firewall.)

AVG has a tool they claim will get rid of it.
http://www.avg.com/u...al?uti=Vcleaner

It's supposed to be a .exe file infector so it could be a major problem if it spreads. You might try something like Avira's Rescue Disk. I would think it would run on a W2K machine.

http://www.free-av.c...cue_system.html

The .bmp file is no problem, I just don't like to work on logs that have been attached. On logs that are pasted into a reply, if I see something I don't recognize I can right click on it and have Google search for it. With attachments I have to copy the text then move back to the browser and do a search. Too many steps.

What the .bmp is saying is that you need a copy of msvp60.dll. Simple way to get it:
http://support.microsoft.com/kb/259403

Ron
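The patch above closes the network vector; the other vector this thread keeps running into is a USB stick, which is what the RECYCLER\S-1-5-21-...\*.exe paths, the MountPoints2 AutoRun commands and the autorun.inf entries in the OTL reports are about. Reading an OTL report by hand comes down to knowing which of those entries a helper stops at. The script below is an added example written for this thread; it is not part of OTL and it is not code from either poster. It parses the O7, O20, O32 and O33 lines of an OTL report with regular expressions written against the OTL 3.1.x line format used in the logs posted here, and flags: an executable under a RECYCLER SID folder, an AutoRun/open command cached in MountPoints2 that points at a missing file or a bare relative name, a Winlogon Shell/TaskMan value that is not the Windows default, a real autorun.inf file at the root of a FAT32 volume (a directory named autorun.inf, which is what the posted logs show, is a common immunisation trick and is deliberately not flagged), and a NoDriveTypeAutoRun policy that still leaves removable drives enabled. The sample lines are copied from the reports posted in this thread; the one constructed line (marked) adds a real autorun.inf file, which the posted logs do not contain. The bit meanings for NoDriveTypeAutoRun follow Microsoft KB967715. A flag is a reason to look at that entry, not a verdict.

```python
"""Triage helper for OTL (OldTimer) report lines.

Added example for this thread: not part of OTL, not code from the posts.
It reads OTL lines of type O7, O20, O32 and O33 and flags the patterns a
malware-removal helper stops at. A flag is a reason to look, not a verdict.
NoDriveTypeAutoRun bit meanings follow Microsoft KB967715.
"""
import re
import sys

# NoDriveTypeAutoRun bits (KB967715); 0xFF (255) disables AutoRun everywhere.
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
                0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}

# Patterns written against the OTL 3.1.x line format seen in this thread.
RECYCLER_SID = re.compile(r"\\RECYCLER\\S-1-5-21-[\d-]+\\[^\\\s]+\.exe", re.I)
MOUNTPOINT = re.compile(r'^O33 - MountPoints2\\\{[^}]+\}\\Shell\\(.+?) - "" = (.*)$')
WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (Shell|TaskMan) - \((.+?)\) - (.*)$")
AUTORUN_FILE = re.compile(
    r"^O32 - AutoRun File - \[[^|]+\|[^|]+\|\s*([A-Z-]{4})\s*\|[^\]]*\](?: \(\))? - "
    r"([A-Z]:\\autorun\.inf) -- \[ (\w+) \]$", re.I)
NODRIVETYPE = re.compile(r"^O7 - .*NoDriveTypeAutoRun = (\d+)$")

# Sample input: lines copied from the OTL reports posted in this thread, plus
# one CONSTRUCTED line (marked) for a real autorun.inf *file*; the posted logs
# only contain a directory of that name (attribute D).
SAMPLE_LINES = [
    r'O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36',
    r'O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145',
    r'O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)',
    r'O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe) - C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe File not found',
    r'O32 - AutoRun File - [2010-04-12 20:27:46 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ FAT32 ]',
    r'O32 - AutoRun File - [2010-04-12 20:27:46 | 000,000,120 | ---- | M] () - I:\autorun.inf -- [ FAT32 ]',  # CONSTRUCTED
    r'O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found',
    r'O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\AutoRun - "" = Auto&Play',
    r'O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\default\command - "" = p.exe',
]


def decode_nodrivetype(value):
    """Return the set of drive types on which the policy value disables AutoRun."""
    return {name for bit, name in AUTORUN_BITS.items() if value & bit}


def triage(lines):
    """Return a list of (line_number, reason) for the entries worth a look."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip()

        m = MOUNTPOINT.match(line)
        if m:
            verb, target = m.groups()
            if not verb.endswith(r"\command"):
                continue  # e.g. 'Shell\AutoRun - "" = Auto&Play' is only a menu label
            reasons = []
            if RECYCLER_SID.search(target):
                reasons.append("executable under a RECYCLER SID folder")
            if target.endswith("File not found"):
                reasons.append("cached autorun target no longer present")
            if re.fullmatch(r"[^\\:]+\.exe", target, re.I):
                reasons.append("bare relative name, resolved at the volume root")
            if reasons:
                findings.append((n, "MountPoints2 %s: %s" % (verb, "; ".join(reasons))))
            continue

        m = WINLOGON.match(line)
        if m:
            key, value, rest = m.groups()
            if key == "Shell" and value.lower() != "explorer.exe":
                findings.append((n, "Winlogon Shell is not Explorer.exe: %s" % value))
            elif key == "TaskMan":  # not present on a default install
                why = "Winlogon TaskMan is set (absent by default)"
                if RECYCLER_SID.search(value):
                    why += ", points under a RECYCLER SID folder"
                if rest.endswith("File not found"):
                    why += ", target missing"
                findings.append((n, why))
            continue

        m = AUTORUN_FILE.match(line)
        if m:
            attrs, path, fs = m.groups()
            if "D" in attrs.upper():
                continue  # a directory named autorun.inf is immunisation, not a launcher
            findings.append((n, "autorun.inf file present on %s volume %s" % (fs, path)))
            continue

        m = NODRIVETYPE.match(line)
        if m:
            disabled = decode_nodrivetype(int(m.group(1)))
            if "removable" not in disabled:
                findings.append((n, "NoDriveTypeAutoRun=%s leaves AutoRun enabled on removable drives"
                                 % m.group(1)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # pass a saved OTL.Txt to triage a real report
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    for n, reason in triage(lines):
        print("line %d: %s" % (n, reason))
```

Run without arguments to see the findings for the sample lines, or pass a saved OTL.Txt as the first argument. On the sample, the Server 2003 value 145 (0x91) is flagged because it only covers unknown, network and reserved drive types, while the Windows 2000 value 36 (0x24) already covers removable drives and CD-ROMs. To close the removable-drive vector, the usual setting is NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; KB967715 documents that on Windows 2000, XP and Server 2003 the policy is only honoured for autorun.inf once the update it describes is installed, so the decode above reports what the value means, not whether the OS applies it.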

#13 luisjf (New Member, Topic Starter, 7 posts)
Hello Ron
Thanks again for your help. I have corrected/installed the Microsoft patch, and we will see whether the virus returns or not.
Today I finally had the opportunity to do something on our 2003 server, where we have a MySQL database and a program to extract data that has been logged over 24 hours. Normally, this computer has a completely frozen desktop. But today, after an alarm about a corrupted database, I was forced to do a "brute force" shutdown. After this, strangely, the computer came back with normal behaviour. We will see how long it stays like this! As I said, I did an OTL scan; after that we updated the Symantec antivirus and did a scan. After it detected 2 viruses/spybots (it didn't show names), I did a new OTL scan. I paste both here, just to be analysed. In my unwizard view, I could see in MountPoints2 the same virus we have seen before, ise32. After scanning with Symantec, I think the problem is still there. Can you take a look please.
Thanks again
luis fernandes

OTL logfile created on: 04-23-2010 14:20:26 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 1 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: MM/dd/yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 79,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 95,00% Paging File free
Paging file location(s): c:\pagefile.sys 3070 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9,77 Gb Total Space | 3,02 Gb Free Space | 30,91% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 144,73 Gb Free Space | 97,11% Space Free | Partition Type: NTFS
Drive E: | 64,75 Gb Total Space | 63,81 Gb Free Space | 98,54% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 3,72 Gb Total Space | 0,57 Gb Free Space | 15,45% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: SINTRA-LOGGER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-03-26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2008-01-18 00:38:50 | 000,041,041 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\bin\ApacheMonitor.exe
PRC - [2008-01-18 00:37:26 | 000,024,635 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\bin\httpd.exe
PRC - [2007-12-14 23:21:44 | 005,754,880 | ---- | M] () -- D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2006-06-18 14:56:10 | 000,712,704 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2005-04-17 12:31:18 | 001,726,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005-04-17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005-04-17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005-04-08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005-04-08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005-04-08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005-03-25 12:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005-03-25 12:00:00 | 000,848,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2005-03-25 12:00:00 | 000,388,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2005-03-25 12:00:00 | 000,216,064 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe
PRC - [2004-10-21 03:31:52 | 000,327,680 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe


========== Modules (SafeList) ==========

MOD - [2010-03-26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2005-03-24 18:31:12 | 001,051,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.1830_x-ww_7AE38CCF\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008-03-17 16:21:14 | 000,204,800 | ---- | M] () [On_Demand | Stopped] -- d:\Program Files\ILC\MaxView\Event Logger\bin\wrapper.exe -- (MaxView Event Logger)
SRV - [2008-01-18 00:37:26 | 000,024,635 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Apache Group\bin\httpd.exe -- (Apache2.2)
SRV - [2007-12-14 23:21:44 | 005,754,880 | ---- | M] () [On_Demand | Running] -- D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2006-06-18 14:56:10 | 000,712,704 | ---- | M] (UltraVNC) [Auto | Running] -- C:\Program Files\UltraVNC\WinVNC.exe -- (winvnc)
SRV - [2005-04-17 12:31:18 | 001,726,656 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005-04-17 12:30:42 | 000,124,608 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005-04-17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005-04-08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005-04-08 15:54:50 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005-04-08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005-03-30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005-03-25 12:00:00 | 000,791,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2005-03-25 12:00:00 | 000,164,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2005-03-25 12:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2005-03-25 12:00:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2005-03-25 12:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2005-03-25 12:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2005-03-25 12:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2005-03-25 12:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sintra-logger...in/reportgen.pl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2005-03-25 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HPWPTOOLBOX] C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = C:\Program Files\Apache Group\bin\ApacheMonitor.exe (Apache Software Foundation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll (Sun Microsystems, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe) - C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe File not found
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-01-07 15:21:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010-04-12 20:27:46 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\open\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1790ce51-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1790ce51-6c76-11de-b7be-00096b7fb235}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1c5bb8d1-c31b-11de-9776-00096b7fb235}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1c5bb8d1-c31b-11de-9776-00096b7fb235}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\default\command - "" = p.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2009-01-07 15:01:15 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
SystemRestore not available.

========== Files/Folders - Created Within 14 Days ==========

[2010-04-23 14:18:20 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010-04-23 14:16:49 | 000,000,000 | ---D | C] -- C:\antivirus
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010-04-23 13:55:29 | 000,416,044 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-23 13:55:29 | 000,366,272 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-04-23 13:55:29 | 000,044,504 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-04-23 13:51:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-04-23 13:51:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-04-23 13:49:29 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010-04-23 13:49:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010-04-23 13:49:16 | 002,531,622 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010-04-23 13:25:50 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-03-26 11:03:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009-10-29 10:58:01 | 000,000,680 | R--- | C] () -- C:\WINDOWS\hpw2800k.ini
[2009-10-29 10:56:56 | 000,018,704 | ---- | C] () -- C:\WINDOWS\hpbj2800.ini
[2009-10-29 10:56:35 | 000,005,364 | ---- | C] () -- C:\WINDOWS\mariner.ini
[2009-04-20 14:56:12 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\NTEventLogAppender.dll
[2005-03-25 12:00:00 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2005-03-25 12:00:00 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2005-03-25 12:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2005-03-25 12:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2005-03-25 12:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2005-03-25 12:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2005-03-25 12:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini

========== LOP Check ==========

[2010-03-14 22:00:57 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\MVArchiver.job
[2010-03-15 01:01:26 | 000,000,378 | ---- | M] () -- C:\WINDOWS\Tasks\MVCleandb.job
[2010-03-14 23:00:00 | 000,000,366 | ---- | M] () -- C:\WINDOWS\Tasks\MVSpace.job
[2010-04-23 13:49:22 | 000,032,534 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005-03-25 12:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:AGP440.sys
[2005-03-24 17:55:28 | 000,044,032 | ---- | M] (Microsoft Corporation) MD5=5C65E1A7AF122381371A1E9C5B6DA674 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2005-03-25 12:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005-03-25 12:00:00 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004-02-03 00:36:44 | 000,028,773 | ---- | M] () MD5=2BC34697A3E62DBE977FF29DBDF190A4 -- C:\Perl\site\lib\auto\Win32\EventLog\EventLog.dll
[2005-03-25 12:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) MD5=782A70845E7A2FBD347161671BDE60A9 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2005-03-25 12:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) MD5=782A70845E7A2FBD347161671BDE60A9 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2005-03-25 12:00:00 | 000,419,328 | ---- | M] (Microsoft Corporation) MD5=9DA343027F3B72029AB499D3F7FFACAA -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2005-03-25 12:00:00 | 000,419,328 | ---- | M] (Microsoft Corporation) MD5=9DA343027F3B72029AB499D3F7FFACAA -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2005-03-25 12:00:00 | 000,190,976 | ---- | M] (Microsoft Corporation) MD5=71FB876580530E7B0429312A8BCE5E04 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2005-03-25 12:00:00 | 000,190,976 | ---- | M] (Microsoft Corporation) MD5=71FB876580530E7B0429312A8BCE5E04 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2005-03-25 12:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009-01-07 15:03:32 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009-01-07 15:03:32 | 000,741,376 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009-01-07 15:03:32 | 000,487,424 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

< >
< End of report >
___________________________________________________________________________
OTL done after Symantec scan
OTL logfile created on: 04-23-2010 15:24:10 - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 1 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: MM/dd/yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 76,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): c:\pagefile.sys 3070 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9,77 Gb Total Space | 2,67 Gb Free Space | 27,33% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 144,54 Gb Free Space | 96,98% Space Free | Partition Type: NTFS
Drive E: | 64,75 Gb Total Space | 63,81 Gb Free Space | 98,54% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 3,78 Gb Total Space | 2,23 Gb Free Space | 58,95% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: SINTRA-LOGGER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-03-26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009-03-22 14:17:10 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009-03-22 14:17:08 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009-03-22 14:17:06 | 001,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2009-03-22 14:17:06 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009-03-22 14:17:04 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008-03-17 16:21:14 | 000,204,800 | ---- | M] () -- d:\Program Files\ILC\MaxView\Event Logger\bin\wrapper.exe
PRC - [2008-01-18 00:38:50 | 000,041,041 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\bin\ApacheMonitor.exe
PRC - [2008-01-18 00:37:26 | 000,024,635 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Apache Group\bin\httpd.exe
PRC - [2007-12-14 23:21:44 | 005,754,880 | ---- | M] () -- D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2006-06-18 14:56:10 | 000,712,704 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2005-08-26 15:55:46 | 000,049,248 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_05\bin\java.exe
PRC - [2005-03-25 12:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005-03-25 12:00:00 | 000,848,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2005-03-25 12:00:00 | 000,388,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2005-03-25 12:00:00 | 000,216,064 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe
PRC - [2004-10-21 03:31:52 | 000,327,680 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe


========== Modules (SafeList) ==========

MOD - [2010-03-26 23:45:38 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2005-03-24 18:31:12 | 001,051,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.1830_x-ww_7AE38CCF\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009-03-22 14:17:10 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009-03-22 14:17:10 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009-03-22 14:17:06 | 001,795,400 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2009-03-22 14:17:06 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2009-03-22 14:17:04 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008-06-30 16:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008-03-17 16:21:14 | 000,204,800 | ---- | M] () [On_Demand | Running] -- d:\Program Files\ILC\MaxView\Event Logger\bin\wrapper.exe -- (MaxView Event Logger)
SRV - [2008-01-18 00:37:26 | 000,024,635 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Apache Group\bin\httpd.exe -- (Apache2.2)
SRV - [2007-12-14 23:21:44 | 005,754,880 | ---- | M] () [On_Demand | Running] -- D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2006-06-18 14:56:10 | 000,712,704 | ---- | M] (UltraVNC) [Auto | Running] -- C:\Program Files\UltraVNC\WinVNC.exe -- (winvnc)
SRV - [2005-03-25 12:00:00 | 000,791,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2005-03-25 12:00:00 | 000,164,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2005-03-25 12:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2005-03-25 12:00:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2005-03-25 12:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2005-03-25 12:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2005-03-25 12:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2005-03-25 12:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sintra-logger...in/reportgen.pl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2005-03-25 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HPWPTOOLBOX] C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = C:\Program Files\Apache Group\bin\ApacheMonitor.exe (Apache Software Foundation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll (Sun Microsystems, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe) - C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe File not found
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-01-07 15:21:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010-04-14 07:21:26 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008-04-15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\open\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008-04-15 09:04:22 | 000,013,824 | RHS- | M] ()
O33 - MountPoints2\{1790ce51-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1790ce51-6c76-11de-b7be-00096b7fb235}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1c5bb8d1-c31b-11de-9776-00096b7fb235}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1c5bb8d1-c31b-11de-9776-00096b7fb235}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- File not found
O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\default\command - "" = p.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2009-01-07 15:01:15 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
SystemRestore not available.

========== Files/Folders - Created Within 14 Days ==========

[2010-04-23 14:31:22 | 000,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010-04-23 14:31:22 | 000,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010-04-23 14:30:36 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec AntiVirus
[2010-04-23 14:29:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010-04-23 14:18:20 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010-04-23 14:16:49 | 000,000,000 | ---D | C] -- C:\antivirus
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009-01-07 15:21:33 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010-04-23 14:31:32 | 000,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010-04-23 14:31:32 | 000,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010-04-23 14:31:32 | 000,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010-04-23 14:31:32 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010-04-23 14:30:38 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010-04-23 13:55:29 | 000,416,044 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-23 13:55:29 | 000,366,272 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-04-23 13:55:29 | 000,044,504 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-04-23 13:51:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-04-23 13:51:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-04-23 13:49:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010-04-23 13:49:16 | 002,531,622 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010-04-23 13:25:50 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-04-23 14:31:22 | 000,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010-04-23 14:31:22 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010-03-26 11:03:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009-10-29 10:58:01 | 000,000,680 | R--- | C] () -- C:\WINDOWS\hpw2800k.ini
[2009-10-29 10:56:56 | 000,018,704 | ---- | C] () -- C:\WINDOWS\hpbj2800.ini
[2009-10-29 10:56:35 | 000,005,364 | ---- | C] () -- C:\WINDOWS\mariner.ini
[2009-04-20 14:56:12 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\NTEventLogAppender.dll
[2005-03-25 12:00:00 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2005-03-25 12:00:00 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2005-03-25 12:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2005-03-25 12:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2005-03-25 12:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2005-03-25 12:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2005-03-25 12:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini

========== LOP Check ==========

[2010-03-14 22:00:57 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\MVArchiver.job
[2010-03-15 01:01:26 | 000,000,378 | ---- | M] () -- C:\WINDOWS\Tasks\MVCleandb.job
[2010-03-14 23:00:00 | 000,000,366 | ---- | M] () -- C:\WINDOWS\Tasks\MVSpace.job
[2010-04-23 13:49:22 | 000,032,534 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005-03-25 12:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:AGP440.sys
[2005-03-24 17:55:28 | 000,044,032 | ---- | M] (Microsoft Corporation) MD5=5C65E1A7AF122381371A1E9C5B6DA674 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2005-03-25 12:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005-03-25 12:00:00 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004-02-03 00:36:44 | 000,028,773 | ---- | M] () MD5=2BC34697A3E62DBE977FF29DBDF190A4 -- C:\Perl\site\lib\auto\Win32\EventLog\EventLog.dll
[2005-03-25 12:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) MD5=782A70845E7A2FBD347161671BDE60A9 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2005-03-25 12:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) MD5=782A70845E7A2FBD347161671BDE60A9 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2005-03-25 12:00:00 | 000,419,328 | ---- | M] (Microsoft Corporation) MD5=9DA343027F3B72029AB499D3F7FFACAA -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2005-03-25 12:00:00 | 000,419,328 | ---- | M] (Microsoft Corporation) MD5=9DA343027F3B72029AB499D3F7FFACAA -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2005-03-25 12:00:00 | 000,190,976 | ---- | M] (Microsoft Corporation) MD5=71FB876580530E7B0429312A8BCE5E04 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2005-03-25 12:00:00 | 000,190,976 | ---- | M] (Microsoft Corporation) MD5=71FB876580530E7B0429312A8BCE5E04 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2005-03-25 12:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009-03-22 14:17:12 | 000,049,480 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\FwsVpn.dll
[2009-03-22 14:17:12 | 000,107,848 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\SymVPN.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009-01-07 15:03:32 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009-01-07 15:03:32 | 000,741,376 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009-01-07 15:03:32 | 000,487,424 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010-04-23 14:31:32 | 000,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS

< >
< End of report >
EXTRAS extracted
____________________
OTL Extras logfile created on: 04-23-2010 14:20:26 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 1 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: MM/dd/yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 79,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 95,00% Paging File free
Paging file location(s): c:\pagefile.sys 3070 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9,77 Gb Total Space | 3,02 Gb Free Space | 30,91% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 144,73 Gb Free Space | 97,11% Space Free | Partition Type: NTFS
Drive E: | 64,75 Gb Total Space | 63,81 Gb Free Space | 98,54% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 3,72 Gb Total Space | 0,57 Gb Free Space | 15,45% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: SINTRA-LOGGER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09C32A3E-CE8E-461F-A2E6-AE798827EB2E}" = ActivePerl 5.8.3 Build 809
"{0B55E898-73A1-46CB-9B5B-20F22C246A41}" = MaxView
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{4C136A31-7338-45CD-8B1E-09627C0B9BF0}" = HP Business Inkjet 2800
"{5A633ED0-E5D7-4D65-AB8D-53ED43510284}" = Symantec AntiVirus
"{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}" = Apache HTTP Server 2.2.8
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{A2A54B2F-103C-4032-8A07-0BE95BD4FC3E}" = MySQL Server 5.0
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.2
"{AC76BA86-7AD7-1046-7B44-A00000000001}" = Adobe Reader 6.0.1 - Português
"{DF43E090-CB8D-4483-A69C-E264208E3517}" = MaxView
"{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" = MaxView
"hp business inkjet 2800 series" = HP Business Inkjet 2800 series
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Universal Extractor_is1" = Universal Extractor 1.4.2
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04-23-2010 9:23:39 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:39 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:48 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:48 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:51 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:51 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:52 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 9:23:52 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 10:00:46 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

Error - 04-23-2010 10:00:46 | Computer Name = SINTRA-LOGGER | Source = MySQL | ID = 100
Description = D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe: Table '.\mvp_log\status_log'
is marked as crashed and should be repaired For more information, see Help and Support
Center at http://www.mysql.com.

[ System Events ]
Error - 04-13-2010 8:29:39 | Computer Name = SINTRA-LOGGER | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SINTRA-SRV-BU that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{AB9E6AD3-160D-. The master browser is stopping or an election is being
forced.

Error - 04-13-2010 9:30:17 | Computer Name = SINTRA-LOGGER | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SINTRA-SRV-BU that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{AB9E6AD3-160D-. The master browser is stopping or an election is being
forced.

Error - 04-23-2010 9:25:42 | Computer Name = SINTRA-LOGGER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 1:23:50 PM on 4/23/2010 was unexpected.

Error - 04-23-2010 9:25:57 | Computer Name = SINTRA-LOGGER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04-23-2010 9:31:08 | Computer Name = SINTRA-LOGGER | Source = Service Control Manager | ID = 7034
Description = The MaxView Event Logger service terminated unexpectedly. It has
done this 1 time(s).

Error - 04-23-2010 9:34:20 | Computer Name = SINTRA-LOGGER | Source = Service Control Manager | ID = 7034
Description = The MaxView Event Logger service terminated unexpectedly. It has
done this 2 time(s).

Error - 04-23-2010 9:40:57 | Computer Name = SINTRA-LOGGER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04-23-2010 9:42:57 | Computer Name = SINTRA-LOGGER | Source = Service Control Manager | ID = 7034
Description = The MaxView Event Logger service terminated unexpectedly. It has
done this 3 time(s).

Error - 04-23-2010 9:51:29 | Computer Name = SINTRA-LOGGER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04-23-2010 9:56:07 | Computer Name = SINTRA-LOGGER | Source = Service Control Manager | ID = 7034
Description = The MaxView Event Logger service terminated unexpectedly. It has
done this 1 time(s).


< End of report >
luis fernandes
  • 0

#14
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
This is a sign of an infection that wasn't completely removed:

O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe) - C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe File not found

but since the file wasn't found I don't think it is active. You could remove it with regedit. It lives at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Look for TaskMan and delete it.

O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008-04-15 09:04:22 | 000,013,824 | RHS- | M] ()

This USB drive in H: still has the bad file. The Autorun.inf file has been removed and replaced with a folder, so I think it is not being run.

Could be Norton forgets to check in recycle bins for files. I would manually delete the folder:
H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013


There is also a p.exe file hiding somewhere on the c:\ I expect.
O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\default\command - "" = p.exe

The command that didn't work on Win2K may work on your server:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

**********************************************************************

Start, Run, cmd, OK to bring up a new Command Prompt window. Right-click and select Paste and the above text should appear. Make sure you got it all and then hit Enter.

Close the Command Prompt window.

That should remove the mountpoints.


The good news is I don't think anything is active right now.

Ron
  • 0
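Added example, not code from OTL or from anyone in this thread: a small Python triage over the O20/O33 lines Ron quotes above that flags the remnant patterns he describes (a Winlogon TaskMan value, an executable under a RECYCLER\<SID> folder, a hidden+system autorun target, a bare p.exe) and records whether OTL reported the target as "File not found", i.e. a leftover entry rather than something that still runs. The sample lines are copied from the log, except the final E:\setup.exe line, which is constructed as a benign contrast.

```python
"""Flag autorun remnants in OTL O20/O33 lines (added example, not OTL's or the thread's code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the O20/O33 lines quoted in the thread plus two
# benign lines for contrast. The last line (E:\setup.exe) is invented.
SAMPLE_OTL_LINES = [
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe)"
    r" - C:\RECYCLER\S-1-5-21-8605875184-4071681701-195800417-4340\wmiprvse.exe File not found",
    r'O33 - MountPoints2\{1790cd4b-6c76-11de-b7be-00096b7fb235}\Shell\AutoRun\command - "" = '
    r"H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe -- [2008-04-15 09:04:22 | 000,013,824 | RHS- | M] ()",
    r'O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\AutoRun - "" = Auto&Play',
    r'O33 - MountPoints2\{1c5bb922-c31b-11de-9776-00096b7fb235}\Shell\default\command - "" = p.exe',
    r'O33 - MountPoints2\{00000000-0000-0000-0000-000000000000}\Shell\AutoRun\command - "" = '
    r"E:\setup.exe -- [2009-01-01 00:00:00 | 000,100,000 | ---- | M] (Example Vendor)",
]

O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<value>\S+) - \((?P<cmd>[^)]*)\)")
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\(?P<subkey>\S+) - "" = (?P<rest>.*)$')
# RECYCLER\<SID> is a per-user recycle-bin folder, not a place legitimate software installs to.
RECYCLER_RE = re.compile(r"\\RECYCLER\\S-1-5-\d+(?:-\d+)+\\", re.IGNORECASE)
ATTR_RE = re.compile(r"\| ([RHSD-]{4}) \|")               # OTL's attribute column, e.g. "RHS-"
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%\w+%)")  # drive letter, UNC, or env-var prefix


@dataclass(frozen=True)
class Finding:
    line_no: int              # 1-based position in the scanned lines
    location: str             # registry location as OTL reported it
    command: str              # the value OTL printed
    reasons: Tuple[str, ...]
    active: bool              # False when OTL reported "File not found"


def command_reasons(cmd: str, attrs: str) -> List[str]:
    """Why an autorun/shell command value looks like a remnant."""
    reasons = []
    if RECYCLER_RE.search(cmd):
        reasons.append("executable stored under a RECYCLER\\<SID> folder")
    if not ABS_PATH_RE.match(cmd):
        reasons.append("bare executable name, resolved through the working directory and PATH")
    if "H" in attrs and "S" in attrs:
        reasons.append("target file carries hidden+system attributes")
    return reasons


def winlogon_reasons(value: str, cmd: str) -> List[str]:
    """O20: TaskMan is absent on a default install; Shell should be explorer.exe."""
    if value.lower() == "taskman":
        return ["Winlogon TaskMan value present"] + command_reasons(cmd, "")
    if value.lower() == "shell" and cmd.lower() != "explorer.exe":
        return ["Winlogon Shell is not explorer.exe"]
    return []


def triage(lines) -> List[Finding]:
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            reasons = winlogon_reasons(m["value"], m["cmd"])
            if reasons:
                findings.append(Finding(no, "HKLM\\...\\Winlogon\\" + m["value"], m["cmd"],
                                        tuple(reasons), "File not found" not in line))
            continue
        m = O33_RE.match(line)
        # Only the ...\command values are executed; "Shell\AutoRun = Auto&Play" is just a verb label.
        if m and m["subkey"].lower().endswith("\\command"):
            cmd, _, meta = m["rest"].partition(" -- ")
            am = ATTR_RE.search(meta)
            reasons = command_reasons(cmd.strip(), am.group(1) if am else "")
            if reasons:
                findings.append(Finding(no, "MountPoints2\\" + m["guid"] + "\\" + m["subkey"],
                                        cmd.strip(), tuple(reasons), "File not found" not in line))
    return findings


def report(findings) -> str:
    """One line per finding; 'remnant' marks entries whose target OTL could not find."""
    out = []
    for f in findings:
        state = "active" if f.active else "remnant"
        out.append(f"line {f.line_no} [{state}] {f.location} -> {f.command}: " + "; ".join(f.reasons))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_OTL_LINES)))
```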