Possible hack


This topic is locked

#1 CJPR (Member, 11 posts)
Hello

I run a Windows 2008 server and I just happened to notice that someone was logged into my FTP. Unfortunately they gained access to all of my C drive, as I had the folder permissions set like that: I was transferring a lot of files and needed that kind of access (I know, not too smart).

I managed to kick and ban the user and deleted the account in question, but not before said person had a nice poke around and possibly uploaded/downloaded files.

I can post the FTP log so you can see what files the person had access to and what he attempted to upload if that helps. Please let me know.

The thing that has me really worried is the following email notifications that I received while this was going on. They are as follows:

Parallels Panel Scheduler notification

Running task: c:\windows\system32\net.exe user admin admin!2010? /add
Started: Fri Nov 18 20:43:47 2011
The task output is attached to the e-mail
Ended with code 2: Fri Nov 18 20:43:47 2011

Running task: c:\windows\system32\net.exe localgroup administrators admin /add
Started: Fri Nov 18 20:44:11 2011
The task output is attached to the e-mail
Ended successfully: Fri Nov 18 20:44:11 2011

Running task: net.exe user admin adMIN.!2011? /add
Started: Fri Nov 18 20:45:32 2011
The task output is attached to the e-mail
Ended with code 2: Fri Nov 18 20:45:33 2011

Running task: c:\windows\system32\net.exe user admin adMIN.!2011? /add
Started: Fri Nov 18 20:45:57 2011
The task output is attached to the e-mail
Ended with code 2: Fri Nov 18 20:45:57 2011

*The text file that came with the notification on the second one, as described above, contained the following:

The command completed successfully.

That has me very worried.

I have already changed passwords for my Plesk admin panel and also all databases.

Here is a copy of the OTL output:

OTL logfile created on: 18/11/2011 22:33:00 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.97 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 54.21% Memory free
7.93 Gb Paging File | 5.93 Gb Available in Paging File | 74.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 294.95 Gb Free Space | 63.33% Space Free | Partition Type: NTFS

Computer Name: IS-15487 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/18 22:31:33 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
PRC - [2011/10/23 20:07:58 | 001,044,992 | ---- | M] (FileZilla Project) -- C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe
PRC - [2011/10/23 20:07:34 | 000,630,784 | ---- | M] (FileZilla Project) -- C:\Program Files (x86)\FileZilla Server\FileZilla server.exe
PRC - [2011/10/01 19:50:02 | 001,347,584 | ---- | M] (Emerald Editor Community) -- C:\Program Files (x86)\Emerald Editor Community\Crimson Editor SVN286M\cedt.exe
PRC - [2011/09/27 20:36:00 | 010,758,656 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe
PRC - [2011/06/30 16:56:12 | 000,041,472 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\php-cgi.exe
PRC - [2011/06/22 20:05:12 | 003,533,824 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe
PRC - [2011/06/22 20:04:24 | 000,736,256 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\traymonitor.exe
PRC - [2011/06/22 20:03:30 | 000,808,960 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PleskControlPanel.exe
PRC - [2011/06/22 20:00:26 | 000,727,040 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PopPassD.exe
PRC - [2011/06/22 05:59:26 | 000,339,968 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe
PRC - [2011/02/24 21:35:42 | 001,857,536 | ---- | M] (MailEnable Pty Ltd) -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin\MEIMAPS.EXE
PRC - [2011/02/12 03:14:14 | 006,107,136 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Databases\MySQL51\bin\mysqld.exe
PRC - [2011/01/06 18:30:48 | 000,049,230 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\php-cgi.exe
PRC - [2010/11/21 03:24:58 | 000,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\inetsrv\w3wp.exe
PRC - [2009/09/10 01:31:44 | 001,360,072 | ---- | M] () -- C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe
PRC - [2008/11/21 14:31:34 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\SHOUTcast\sc_serv.exe
PRC - [2007/03/29 18:28:42 | 000,279,040 | ---- | M] (Doctor Web Ltd.) -- C:\Program Files (x86)\Parallels\Plesk\DrWeb\DrWebCom.exe
PRC - [2006/11/06 16:24:36 | 003,604,480 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\MySQL\bin\mysqld-nt.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 20:36:00 | 010,758,656 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe
MOD - [2011/09/20 00:33:48 | 001,069,056 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\libmysql.dll
MOD - [2011/09/20 00:33:44 | 000,540,672 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\aacPlusEnc.drv
MOD - [2011/09/20 00:33:44 | 000,380,928 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\lame_enc.dll
MOD - [2011/09/20 00:33:44 | 000,233,472 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\mp3prodec.drv
MOD - [2011/09/20 00:33:44 | 000,140,288 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\vorbis.dll
MOD - [2011/09/20 00:33:44 | 000,057,344 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\SS_agc.dll
MOD - [2011/09/20 00:33:44 | 000,009,216 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\ogg.dll
MOD - [2011/06/30 17:12:58 | 000,227,840 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\eAccelerator.dll
MOD - [2011/06/30 17:12:50 | 004,439,552 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\php_aps_php.dll
MOD - [2011/04/19 16:10:42 | 000,192,512 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\mysqlserver.dll
MOD - [2011/04/19 16:10:36 | 000,697,344 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\rdbmspp.dll
MOD - [2011/04/06 12:28:00 | 000,075,264 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\runtime.dll
MOD - [2011/03/31 12:14:26 | 002,060,288 | ---- | M] () -- C:\Windows\SysWOW64\libmySQL.dll
MOD - [2011/02/04 07:43:38 | 000,067,584 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\zlib.dll
MOD - [2011/01/06 18:30:54 | 002,076,672 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\libmysql.dll
MOD - [2010/12/10 19:36:44 | 000,984,064 | ---- | M] () -- C:\Windows\SysWOW64\libxml2.dll
MOD - [2010/06/07 08:55:26 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_AdjustablePhaseRotator.dll
MOD - [2009/04/22 23:59:21 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_ImpactClunk.dll
MOD - [2009/04/22 23:59:19 | 000,020,480 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_attenuator_3dB.dll
MOD - [2009/01/22 10:09:42 | 002,887,680 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_breakaway.dll
MOD - [2008/11/21 14:31:34 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\SHOUTcast\sc_serv.exe
MOD - [2008/10/24 20:06:56 | 000,696,320 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\isapi\isapirewrite4.dll
MOD - [2007/07/04 20:44:00 | 000,450,560 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\ext\ioncube_loader_win_5.2.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/01/26 11:38:11 | 000,350,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV:64bit: - [2010/11/21 03:24:30 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:64bit: - [2009/07/14 01:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/14 01:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 01:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/14 01:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 01:39:56 | 000,010,752 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\WMSvc.exe -- (WMSVC)
SRV:64bit: - [2009/07/14 01:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV:64bit: - [2009/04/21 14:16:48 | 000,017,960 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\sysdown.exe -- (sysdown)
SRV - [2011/10/23 20:07:34 | 000,630,784 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2011/06/30 17:15:04 | 000,008,192 | ---- | M] (Parallels, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Parallels\Plesk\Admin\bin\Parallels.MonitorSrv.exe -- (ParallelsHealthMonitor)
SRV - [2011/06/30 17:15:04 | 000,007,168 | ---- | M] (Parallels, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Parallels\Plesk\Admin\bin\Parallels.AlarmSrv.exe -- (ParallelsHealthNotifier)
SRV - [2011/06/22 20:05:12 | 003,533,824 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe -- (plesksrv)
SRV - [2011/06/22 20:03:30 | 000,808,960 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PleskControlPanel.exe -- (PleskControlPanel)
SRV - [2011/06/22 20:00:26 | 000,727,040 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PopPassD.exe -- (PopPassD)
SRV - [2011/06/22 05:59:26 | 000,339,968 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe -- (named)
SRV - [2011/02/24 21:59:26 | 000,131,584 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MELSC.exe -- (MELCS)
SRV - [2011/02/24 21:58:54 | 000,140,288 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEMTA.exe -- (MEMTAS)
SRV - [2011/02/24 21:58:08 | 000,307,200 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEPOPS.exe -- (MEPOPS)
SRV - [2011/02/24 21:57:28 | 000,565,760 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEPOC.exe -- (MEPOCS)
SRV - [2011/02/24 21:55:52 | 000,683,008 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MESMTPC.exe -- (MESMTPCS)
SRV - [2011/02/24 21:35:42 | 001,857,536 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin\MEIMAPS.exe -- (MEIMAPS)
SRV - [2011/02/12 03:14:14 | 006,107,136 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Databases\MySQL51\bin\mysqld.exe -- (MySQL)
SRV - [2010/11/21 03:24:58 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/21 03:24:58 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/21 03:24:58 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/10 01:31:44 | 001,360,072 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe -- (FreeSSHDService)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/03/29 18:28:42 | 000,279,040 | ---- | M] (Doctor Web Ltd.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\DrWeb\DrWebCom.exe -- (DrWebCom)
SRV - [2006/11/06 16:24:36 | 003,604,480 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\MySQL\bin\mysqld-nt.exe -- (PleskSQLServer)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/03/11 06:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 06:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 03:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 03:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/21 03:24:00 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2010/11/21 03:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 03:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/21 03:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/07/08 22:07:10 | 000,303,280 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1q62x64.sys -- (e1qexpress) Intel®
DRV:64bit: - [2010/02/22 19:02:18 | 000,156,776 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpCISSs2.sys -- (HpCISSs2)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 01:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/06/10 20:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma) Intel®
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/04/21 14:16:48 | 000,099,368 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hpqmgmt.sys -- (hpqmgmt)
DRV:64bit: - [2009/03/24 18:31:40 | 000,102,400 | ---- | M] (AMCC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\3wareDrv.sys -- (3wareDrv)
DRV:64bit: - [2008/09/11 01:14:10 | 000,390,000 | ---- | M] (XGI Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xg20grp.sys -- (XGIGraphics_XG2X)
DRV:64bit: - [2008/04/08 17:27:56 | 000,082,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\3wDrv100.sys -- (3wDrv100)
DRV:64bit: - [2005/03/28 10:30:00 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2010/11/21 03:25:11 | 000,115,712 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2009/06/10 21:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{56A46241-208A-469F-9B54-C78FE34E8052}: NameServer = 87.117.198.200,87.117.237.100,87.117.196.200
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/18 22:31:33 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
[2011/11/18 22:04:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2011/11/18 22:04:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/11/17 04:23:18 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/17 04:23:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/11/17 04:23:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Auslogics
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Portable Devices
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Photo Viewer
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Photo Viewer
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Player
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Media Player
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Defender
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\twain_32
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\LogFiles
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\CSC
[2011/11/15 02:26:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freeSSHd
[2011/11/15 02:26:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\freeSSHd
[2011/11/14 15:00:20 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
[2011/11/14 02:41:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmarterTools Inc
[2011/11/14 02:41:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SmarterTools
[2011/11/10 23:36:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\default website placeholder
[2011/11/09 12:06:15 | 000,000,000 | ---D | C] -- C:\sam-song.info
[2011/11/08 20:48:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\SpacialAudio
[2011/11/08 20:45:24 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SAM Broadcaster
[2011/11/08 20:45:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpacialAudio
[2011/11/06 00:25:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\MySQL
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WinRAR
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/11/06 00:21:42 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2011/11/06 00:13:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\zag
[2011/11/06 00:13:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\twitter pal
[2011/11/06 00:13:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\pal
[2011/11/06 00:11:46 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Judas Priest - Discography
[2011/11/05 17:40:31 | 000,000,000 | ---D | C] -- C:\MUSIC
[2011/11/05 17:26:23 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Emerald Editor Community
[2011/11/05 17:21:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla Server
[2011/11/05 17:21:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileZilla Server
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SHOUTcast DNAS
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SHOUTcast DNAS
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SHOUTcast
[2011/11/05 17:20:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crimson Editor SVN286M
[2011/11/05 17:20:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crimson Editor SVN286M
[2011/11/05 17:20:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emerald Editor Community
[2011/11/05 00:55:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActivePerl 5.10.1 Build 1007
[2011/11/05 00:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/11/05 00:55:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server
[2011/11/05 00:55:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActiveState ActivePython 2.6 (32-bit)
[2011/11/05 00:54:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parallels
[2011/11/05 00:54:49 | 000,000,000 | ---D | C] -- C:\Recycler
[2011/11/05 00:53:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mail Enable
[2011/11/05 00:53:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mail Enable
[2011/11/05 00:50:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IIS
[2011/11/05 00:47:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Parallels
[2011/11/05 00:47:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL
[2011/11/05 00:44:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Parallels
[2011/11/05 00:44:04 | 000,000,000 | ---D | C] -- C:\b7eb390a4ea24c84da5e7424141f38f6
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Reference Assemblies
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\inetpub
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\BestPractices
[2011/11/05 00:27:23 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution

========== Files - Modified Within 30 Days ==========

[2011/11/18 22:31:33 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
[2011/11/18 22:04:14 | 000,003,011 | ---- | M] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | M] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:21:21 | 000,078,877 | ---- | M] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | M] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/18 20:46:17 | 000,001,065 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2011/11/18 20:46:16 | 000,001,061 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/18 20:46:16 | 000,001,005 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/18 19:40:30 | 000,000,556 | ---- | M] () -- C:\Windows\cedt.INI
[2011/11/18 00:52:02 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2011/11/17 22:50:18 | 000,007,636 | ---- | M] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2011/11/17 16:30:48 | 000,027,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 16:30:48 | 000,027,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 04:23:15 | 000,001,246 | ---- | M] () -- C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
[2011/11/17 02:18:29 | 000,796,548 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/11/17 02:18:29 | 000,674,160 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/11/17 02:18:29 | 000,133,416 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/11/17 02:12:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/17 02:09:05 | 000,267,296 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/11/15 03:01:15 | 000,000,668 | ---- | M] () -- C:\Users\Administrator\Desktop\privatekey.dsa
[2011/11/15 03:01:08 | 000,000,887 | ---- | M] () -- C:\Users\Administrator\Desktop\privatekey.rsa
[2011/11/15 02:26:49 | 000,000,978 | ---- | M] () -- C:\Users\Administrator\Desktop\FreeSSHd.lnk
[2011/11/09 00:08:54 | 000,001,023 | ---- | M] () -- C:\Users\Administrator\Desktop\64k.lnk
[2011/11/09 00:08:01 | 000,001,023 | ---- | M] () -- C:\Users\Administrator\Desktop\32k.lnk
[2011/11/08 21:07:28 | 000,002,052 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SAM Broadcaster.lnk
[2011/11/08 21:07:28 | 000,002,028 | ---- | M] () -- C:\Users\Administrator\Desktop\SAM Broadcaster.lnk
[2011/11/06 00:11:46 | 000,001,706 | ---- | M] () -- C:\Users\Administrator\Desktop\RequestHandler.pal
[2011/11/06 00:11:45 | 000,006,026 | ---- | M] () -- C:\Users\Administrator\Desktop\web20-facebook.pal
[2011/11/06 00:11:45 | 000,005,442 | ---- | M] () -- C:\Users\Administrator\Desktop\web20-twitter.pal
[2011/11/06 00:11:45 | 000,003,479 | ---- | M] () -- C:\Users\Administrator\Desktop\dedications.pal
[2011/11/06 00:11:45 | 000,003,371 | ---- | M] () -- C:\Users\Administrator\Desktop\NowPlayingShow.pal
[2011/11/06 00:11:45 | 000,002,895 | ---- | M] () -- C:\Users\Administrator\Desktop\newdedications.pal
[2011/11/05 17:30:17 | 000,000,933 | ---- | M] () -- C:\Users\Administrator\Desktop\sc_serv - Shortcut.lnk
[2011/11/05 17:20:42 | 000,001,324 | ---- | M] () -- C:\Users\Administrator\Desktop\Crimson Editor SVN286M.lnk
[2011/11/05 16:14:05 | 000,000,316 | ---- | M] () -- C:\Windows\tasks\Automatic update of license keys.job
[2011/11/05 01:17:10 | 000,000,286 | ---- | M] () -- C:\Windows\tasks\Automatic update of license keys on server start.job
[2011/11/05 00:54:54 | 000,001,279 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PP Services Monitor.lnk
[2011/11/05 00:54:54 | 000,000,163 | ---- | M] () -- C:\Users\Public\Desktop\Parallels Panel 10.3.url
[2011/11/05 00:51:15 | 000,781,952 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/05 00:51:06 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\.rnd
[2011/11/05 00:49:15 | 000,000,190 | ---- | M] () -- C:\Windows\ODBCINST.INI

========== Files Created - No Company Name ==========

[2011/11/18 22:04:14 | 000,003,011 | ---- | C] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | C] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:21:21 | 000,078,877 | ---- | C] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | C] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/17 04:23:15 | 000,001,246 | ---- | C] () -- C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
[2011/11/17 02:11:04 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/11/15 03:01:14 | 000,000,668 | ---- | C] () -- C:\Users\Administrator\Desktop\privatekey.dsa
[2011/11/15 02:55:34 | 000,000,887 | ---- | C] () -- C:\Users\Administrator\Desktop\privatekey.rsa
[2011/11/15 02:26:49 | 000,000,978 | ---- | C] () -- C:\Users\Administrator\Desktop\FreeSSHd.lnk
[2011/11/14 12:20:50 | 000,007,636 | ---- | C] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2011/11/09 00:08:24 | 000,001,023 | ---- | C] () -- C:\Users\Administrator\Desktop\64k.lnk
[2011/11/09 00:06:51 | 000,001,023 | ---- | C] () -- C:\Users\Administrator\Desktop\32k.lnk
[2011/11/08 20:45:24 | 000,002,052 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SAM Broadcaster.lnk
[2011/11/08 20:45:24 | 000,002,028 | ---- | C] () -- C:\Users\Administrator\Desktop\SAM Broadcaster.lnk
[2011/11/06 00:11:45 | 000,006,026 | ---- | C] () -- C:\Users\Administrator\Desktop\web20-facebook.pal
[2011/11/06 00:11:45 | 000,005,442 | ---- | C] () -- C:\Users\Administrator\Desktop\web20-twitter.pal
[2011/11/06 00:11:45 | 000,003,479 | ---- | C] () -- C:\Users\Administrator\Desktop\dedications.pal
[2011/11/06 00:11:45 | 000,003,371 | ---- | C] () -- C:\Users\Administrator\Desktop\NowPlayingShow.pal
[2011/11/06 00:11:45 | 000,002,895 | ---- | C] () -- C:\Users\Administrator\Desktop\newdedications.pal
[2011/11/06 00:11:45 | 000,001,706 | ---- | C] () -- C:\Users\Administrator\Desktop\RequestHandler.pal
[2011/11/05 17:33:19 | 000,000,556 | ---- | C] () -- C:\Windows\cedt.INI
[2011/11/05 17:30:17 | 000,000,933 | ---- | C] () -- C:\Users\Administrator\Desktop\sc_serv - Shortcut.lnk
[2011/11/05 17:20:42 | 000,001,324 | ---- | C] () -- C:\Users\Administrator\Desktop\Crimson Editor SVN286M.lnk
[2011/11/05 00:59:12 | 000,001,005 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/05 00:54:54 | 000,001,279 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PP Services Monitor.lnk
[2011/11/05 00:54:54 | 000,000,163 | ---- | C] () -- C:\Users\Public\Desktop\Parallels Panel 10.3.url
[2011/11/05 00:52:19 | 000,000,286 | ---- | C] () -- C:\Windows\tasks\Automatic update of license keys on server start.job
[2011/11/05 00:52:18 | 000,000,326 | ---- | C] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2011/11/05 00:52:18 | 000,000,316 | ---- | C] () -- C:\Windows\tasks\Automatic update of license keys.job
[2011/11/05 00:51:45 | 000,001,069 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/05 00:51:45 | 000,001,065 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2011/11/05 00:51:45 | 000,001,061 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/05 00:51:06 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\.rnd
[2011/11/05 00:49:15 | 000,000,190 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2011/03/31 12:14:26 | 002,060,288 | ---- | C] () -- C:\Windows\SysWow64\libmySQL.dll
[2011/03/08 11:20:48 | 000,781,952 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/12/10 19:36:44 | 000,984,064 | ---- | C] () -- C:\Windows\SysWow64\libxml2.dll
[2010/03/20 14:53:14 | 000,353,280 | ---- | C] () -- C:\Windows\SysWow64\pythoncom26.dll
[2010/03/20 14:53:14 | 000,109,568 | ---- | C] () -- C:\Windows\SysWow64\pywintypes26.dll
[2009/07/14 05:42:10 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/31 16:26:42 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\libcurl.dll
[2008/04/12 00:38:10 | 000,114,688 | ---- | C] () -- C:\Windows\SysWow64\myodbc3i.exe
[2008/04/12 00:38:10 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\myodbc3m.exe

========== LOP Check ==========

[2011/11/17 04:23:18 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/11 14:31:33 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\MySQL
[2011/11/05 01:17:10 | 000,000,286 | ---- | M] () -- C:\Windows\Tasks\Automatic update of license keys on server start.job
[2011/11/05 16:14:05 | 000,000,316 | ---- | M] () -- C:\Windows\Tasks\Automatic update of license keys.job
[2011/11/18 00:52:02 | 000,000,326 | ---- | M] () -- C:\Windows\Tasks\Backup of vital Plesk settings.job
[2011/11/18 20:46:16 | 000,001,005 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/18 20:46:16 | 000,001,061 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/18 20:46:17 | 000,001,065 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2009/07/14 05:06:36 | 000,024,198 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >


Do I also need to post the 'extras' text output?


Please help me limit any more damage.

Thank you for taking the time to read this and I hope someone can guide me in the right direction.
  • 0



#2 Amlak (Member, 1,470 posts)
Welcome to GTG.

Yeah, please post the contents of the Extras txt file.
  • 0

#3 CJPR (Topic Starter, 11 posts)
No problem, here it is:

OTL Extras logfile created on: 18/11/2011 22:33:00 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.97 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 54.21% Memory free
7.93 Gb Paging File | 5.93 Gb Available in Paging File | 74.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 294.95 Gb Free Space | 63.33% Space Free | Partition Type: NTFS

Computer Name: IS-15487 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{4FFA2088-8317-3B14-93CD-4C699DB37843}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729
"{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{D9473D19-26F1-4B91-BBAC-4089CB41BC48}" = Microsoft SQL Server 2008 Management Objects
"{F4264106-F90E-4076-98CF-1B878DB14513}" = SQL Server System CLR Types
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"WinRAR archiver" = WinRAR 4.10 beta 3 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015CC3CB-A212-4557-9DEA-1EFEEFBDE11F}" = MySQL Server Configurator
"{0C552849-DFEE-4D05-8412-C55551BD9435}" = Horde webmail
"{129B6D57-CAA6-4CAF-AE4C-F2D42458E6AC}" = SPAW Editor
"{1583AC5C-1F05-40F0-8126-1E7A2D8F2FDC}" = Plesk MySQL Server 4.1
"{17020144-C6BB-4BDD-802E-5459BBCB070A}" = AWStats
"{19E548B1-DBC2-4BFC-BA3D-715D83424BB8}" = BIND DNS Server
"{1C997F30-CE19-4221-BC94-989E9A73AD74}" = Parallels Panel Core module
"{32A24916-A53B-4776-BF6A-7E04B9520A0C}" = Perl modules
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{5A5C890E-0E9B-4DFA-865F-23036EAA49D2}" = Parallels Panel module
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{75C19997-DA57-4139-95C8-32C3972ECA97}" = Dr.Web anti-virus
"{770E42E3-1A92-46BC-9905-6F42A9699139}" = Parallels Panel Skins
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86DE3C8F-9143-44F4-BAB3-9F3E7D152182}" = SpamAssassin
"{87791106-538B-42DB-B3BB-44E6666FFB1C}" = Parallels Panel Backup and Restoration module
"{977B9493-3538-48D8-8BE3-1331F7F015EB}" = PHP5 script engine
"{AF3311C9-50F4-477D-8D2F-20C8C6057DC8}" = Parallels Panel SiteBuilder
"{B0F6AB4A-26D1-4832-AE6D-C3E1093340EC}" = MySQL Server 5.1
"{B3E48353-D9BF-4c66-8331-385070F655BB}" = ActiveState ActivePython 2.6.5.12 (32-bit)
"{B7CB39AA-9FEC-4253-B14C-98BFD310F508}" = Panel upgrade assistant
"{BA0CA192-3A10-4A4B-B20D-219BB20BC3D1}" = PHPMyAdmin
"{C0EED196-57F3-46B7-AC3B-B2DD45B01A43}" = MySQL Connector/ODBC 3.51
"{D2D90AD4-9836-4748-BBBA-5CBD0C499C41}" = Parallels System Health Monitor
"{D76A41DA-AD93-4BFF-A74F-BEFD0797BD23}" = Webalizer
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{F67847AD-4094-4B21-9B0E-2AE6E92BA3D2}" = Parallels Panel Engine
"{F7B9B60F-DBB3-4116-967B-BA93E278331E}" = ActivePerl 5.10.1 Build 1007
"70DBC326-7505-4913-A0C1-C6BD87C1859D_is1" = freeSSHd 1.2.6
"Crimson Editor SVN286M" = Crimson Editor SVN286M
"FileZilla Server" = FileZilla Server
"MailEnable Messaging Services for Microsoft Windows" = MailEnable Messaging Services for Microsoft Windows
"SAM3" = SAM Broadcaster v4
"SCDNAS" = SHOUTcast DNAS (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/11/2011 22:09:14 | Computer Name = IS-15487 | Source = named | ID = 1
Description =

Error - 16/11/2011 22:09:14 | Computer Name = IS-15487 | Source = named | ID = 1
Description =

Error - 16/11/2011 22:09:14 | Computer Name = IS-15487 | Source = named | ID = 1
Description =

Error - 16/11/2011 22:09:45 | Computer Name = IS-15487 | Source = WinMgmt | ID = 10
Description =

Error - 16/11/2011 22:12:23 | Computer Name = IS-15487 | Source = named | ID = 1
Description =

Error - 16/11/2011 22:12:23 | Computer Name = IS-15487 | Source = named | ID = 1
Description =

Error - 16/11/2011 22:12:23 | Computer Name = IS-15487 | Source = named | ID = 1
Description =

Error - 16/11/2011 22:13:49 | Computer Name = IS-15487 | Source = WinMgmt | ID = 10
Description =

Error - 18/11/2011 17:03:21 | Computer Name = IS-15487 | Source = Application Error | ID = 1000
Description = Faulting application name: w3wp.exe, version: 7.5.7601.17514, time
stamp: 0x4ce7a5f8 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7ba58 Exception code: 0xc0000374 Fault offset: 0x000ce653 Faulting process
id: 0xf9c Faulting application start time: 0x01cca5426bf969c0 Faulting application
path: C:\Windows\SysWOW64\inetsrv\w3wp.exe Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report
Id: beb1e374-1228-11e1-9592-001b2159bbc0

Error - 18/11/2011 18:32:53 | Computer Name = IS-15487 | Source = Application Hang | ID = 1002
Description = The program OTL.com version 3.2.31.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 10d0 Start Time:
01cca641dd87c916 Termination Time: 11 Application Path: C:\Users\Administrator\Desktop\OTL.com

Report
Id: 3e772840-1235-11e1-9592-001b2159bbc0

[ Plesk Events ]
Error - 04/11/2011 20:57:42 | Computer Name = IS-15487 | Source = plesksrv.exe | ID = 1
Description = The system cannot find the file specified. (Error code 2) at RegQueryValueEx
valueName=WEBMAIL_VER at getString(WEBMAIL_VER)(PleskSrvClient::getString line
183) at Update component Horde IMP(VComponenInfo::ComponentUpdateThread::execute
line 129) Execute file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe

Error - 04/11/2011 20:57:42 | Computer Name = IS-15487 | Source = plesksrv.exe | ID = 1
Description = The system cannot find the file specified. (Error code 2) at RegQueryValueEx
valueName=WEBMAIL_VER at getString(WEBMAIL_VER)(PleskSrvClient::getString line
183) at Update component Horde IMP(VComponenInfo::ComponentUpdateThread::execute
line 129) Execute file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe

Error - 04/11/2011 20:58:14 | Computer Name = IS-15487 | Source = plesksrv.exe | ID = 1
Description = The system cannot find the file specified. (Error code 2) at RegQueryValueEx
valueName=WEBMAIL_VER at getString(WEBMAIL_VER)(PleskSrvClient::getString line
183) at Update component Horde IMP(VComponenInfo::ComponentUpdateThread::execute
line 129) Execute file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe

Error - 05/11/2011 11:36:17 | Computer Name = IS-15487 | Source = usermng.exe | ID = 1
Description = The password does not meet the password policy requirements. Check
the minimum password length, password complexity and password history requirements.
(Error code 2245) at NetUserSetInfo(admin) Execute file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\usermng.exe

Error - 05/11/2011 11:39:30 | Computer Name = IS-15487 | Source = usermng.exe | ID = 1
Description = The password does not meet the password policy requirements. Check
the minimum password length, password complexity and password history requirements.
(Error code 2245) at NetUserSetInfo(admin) Execute file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\usermng.exe

Error - 12/11/2011 22:17:21 | Computer Name = IS-15487 | Source = defpackagemng.exe | ID = 1
Description = Unknown error (Error code -1) at Start service MySQL at (service::startStopService
line 998) at execute console command --service-control(vconsoleapp::start line
132) at execute "C:\Program Files (x86)\Parallels\Plesk\/admin/bin/defpackagemng"
--service-control "--service=MySQL" "--action=restart"(vconsoleapp::run line 143)
Execute
file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\defpackagemng.exe

Error - 12/11/2011 22:17:34 | Computer Name = IS-15487 | Source = defpackagemng.exe | ID = 1
Description = Unknown error (Error code -1) at Start service MySQL at (service::startStopService
line 998) at execute console command --service-control(vconsoleapp::start line
132) at execute "C:\Program Files (x86)\Parallels\Plesk\/admin/bin/defpackagemng"
--service-control "--service=MySQL" "--action=start"(vconsoleapp::run line 143)
Execute
file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\defpackagemng.exe

Error - 12/11/2011 22:18:02 | Computer Name = IS-15487 | Source = defpackagemng.exe | ID = 1
Description = Unknown error (Error code -1) at Start service MySQL at (service::startStopService
line 998) at execute console command --service-control(vconsoleapp::start line
132) at execute "C:\Program Files (x86)\Parallels\Plesk\/admin/bin/defpackagemng"
--service-control "--service=MySQL" "--action=start"(vconsoleapp::run line 143)
Execute
file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\defpackagemng.exe

Error - 13/11/2011 20:47:47 | Computer Name = IS-15487 | Source = ftpmng.exe | ID = 1
Description = Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))
In
Microsoft.Web.Administration module Exception type: System.Runtime.InteropServices.COMException

at Microsoft.Web.Administration.Interop.IAppHostElement.get_Collection() at
Microsoft.Web.Administration.ConfigurationElement.GetCollection() at GetArray<struct
Ftp7SessionInfo,struct CFtp7SessionInfo>(ConfigurationElement section, Char* tName)

at CIIS7FtpBase.GetSessions(CIIS7FtpBase* ) at listSessions(FtpServerManager::listSessions
line 607) at execute console command --list-sessions(vconsoleapp::start line
132) at execute "C:\Program Files (x86)\Parallels\Plesk\/admin/bin/ftpmng" --list-sessions(vconsoleapp::run
line 143) Execute file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\ftpmng.exe

Error - 14/11/2011 20:02:48 | Computer Name = IS-15487 | Source = defpackagemng.exe | ID = 1
Description = Unknown error (Error code -1) at Start service MySQL at (service::startStopService
line 998) at execute console command --service-control(vconsoleapp::start line
132) at execute "C:\Program Files (x86)\Parallels\Plesk\/admin/bin/defpackagemng"
--service-control "--service=MySQL" "--action=restart"(vconsoleapp::run line 143)
Execute
file name: C:\Program Files (x86)\Parallels\Plesk\admin\bin\defpackagemng.exe

[ System Events ]
Error - 14/11/2011 20:02:46 | Computer Name = IS-15487 | Source = Service Control Manager | ID = 7034
Description = The MySQL Server service terminated unexpectedly. It has done this
4 time(s).

Error - 14/11/2011 20:04:15 | Computer Name = IS-15487 | Source = Service Control Manager | ID = 7034
Description = The MySQL Server service terminated unexpectedly. It has done this
5 time(s).

Error - 14/11/2011 22:27:07 | Computer Name = IS-15487 | Source = Service Control Manager | ID = 7030
Description = The FreeSSHDService service is marked as an interactive service.
However, the system is configured to not allow interactive services. This service
may not function properly.

Error - 16/11/2011 20:07:42 | Computer Name = IS-15487 | Source = TermDD | ID = 655416
Description =

Error - 16/11/2011 22:08:40 | Computer Name = IS-15487 | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled
due to a known firmware problem. Check with the computer manufacturer for updated
firmware.

Error - 16/11/2011 22:11:54 | Computer Name = IS-15487 | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled
due to a known firmware problem. Check with the computer manufacturer for updated
firmware.

Error - 17/11/2011 20:15:53 | Computer Name = IS-15487 | Source = TermDD | ID = 655416
Description =

Error - 18/11/2011 12:20:55 | Computer Name = IS-15487 | Source = TermDD | ID = 655410
Description =

Error - 18/11/2011 16:16:26 | Computer Name = IS-15487 | Source = TermDD | ID = 655416
Description =

Error - 18/11/2011 16:41:30 | Computer Name = IS-15487 | Source = Schannel | ID = 36887
Description = The following fatal alert was received: 48.


< End of report >
  • 0

#4 Amlak (Member, 1,470 posts)
Please run a scan with DrWeb and post the contents of the scan log.

Do you have a good firewall software installed, too? I can't see any through the log.
  • 0

#5 CJPR (Topic Starter, 11 posts)
Firewall is: Windows Firewall Service Pack 1 as reported by Plesk admin panel.


Running DrWeb now
  • 0

#6 CJPR (Topic Starter, 11 posts)
Sorry, that took a while...

All clear, apart from OTL getting flagged.

OTL.com;C:\Documents and Settings\Administrator\Desktop;Trojan.Siggen3.20406;Incurable.Moved.;
OTL.com;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.Siggen3.20406;;


While that was running I reversed the command that the person put in via the command line ("Running task: c:\windows\system32\net.exe localgroup administrators admin /add") using "net localgroup administrators admin /delete".

Checking my server logs against the FTP logs, I noticed that the person uploaded c99.php, attempted to utilise it, then deleted it pretty quickly.

I can supply both logs if needed.
  • 0

#7 Amlak (Member, 1,470 posts)
Yeah, DrWeb mistakenly thinks OTL is a malicious program, but it's just a false positive.

Can you do the same for the following commands to be deleted?

Running task: c:\windows\system32\net.exe user admin admin!2010? /add

Running task: net.exe user admin adMIN.!2011? /add

Running task: c:\windows\system32\net.exe user admin adMIN.!2011? /add

Please provide the logs you mentioned so I can get a better idea of what we can have you do next.
  • 0
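A small triage helper for the scheduler notifications quoted in this thread, added here as an example (it is not code from the posters or from Parallels/Plesk): it scans "Running task:" lines for `net user … /add` and `net localgroup … /add`, flags that the notification itself echoes the attacker-set password, and lists the matching `/delete` reversal commands. The sample lines are constructed from the commands quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "net.exe user <name> [<password>] /add", with or without a leading path.
USER_ADD = re.compile(
    r"(?:^|[\\\s])net(?:\.exe)?\s+user\s+(?P<user>\S+)(?:\s+(?P<password>\S+))?\s+/add\b",
    re.IGNORECASE,
)
# "net.exe localgroup <group> <member> /add", with or without a leading path.
GROUP_ADD = re.compile(
    r"(?:^|[\\\s])net(?:\.exe)?\s+localgroup\s+(?P<group>\S+)\s+(?P<member>\S+)\s+/add\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str                 # "user_add" or "group_add"
    user: str                 # account created or added to a group
    group: Optional[str]      # group name for group_add, else None
    password_in_log: bool     # the notification exposes the password that was set
    reversal: str             # command that undoes the task
    line: str                 # original notification line


def parse_running_task(line: str) -> Optional[Finding]:
    """Return a Finding for one scheduler 'Running task:' line, or None."""
    m = re.match(r"\s*Running task:\s*(?P<cmd>.+?)\s*$", line)
    if not m:
        return None  # "Started:", "Ended ...", and other lines are not tasks
    cmd = m.group("cmd")
    g = GROUP_ADD.search(cmd)
    if g:
        group, member = g.group("group"), g.group("member")
        return Finding("group_add", member, group, False,
                       f"net localgroup {group} {member} /delete", line.strip())
    u = USER_ADD.search(cmd)
    if u:
        user = u.group("user")
        return Finding("user_add", user, None, u.group("password") is not None,
                       f"net user {user} /delete", line.strip())
    return None


def triage(lines: List[str]) -> Tuple[List[Finding], List[str]]:
    """Collect findings and a de-duplicated list of reversal commands.

    Group removals are listed before account deletions, and repeated attempts
    against the same account (different passwords) collapse to one reversal.
    """
    findings = [f for f in (parse_running_task(l) for l in lines) if f]
    order = {"group_add": 0, "user_add": 1}
    reversals: List[str] = []
    for f in sorted(findings, key=lambda f: order[f.kind]):
        if f.reversal not in reversals:
            reversals.append(f.reversal)
    return findings, reversals


# Constructed sample: the task lines quoted in this thread plus one status line.
SAMPLE_NOTIFICATIONS = [
    "Running task: c:\\windows\\system32\\net.exe user admin admin!2010? /add",
    "Ended with code 2: Fri Nov 18 20:43:47 2011",
    "Running task: c:\\windows\\system32\\net.exe localgroup administrators admin /add",
    "Running task: net.exe user admin adMIN.!2011? /add",
    "Running task: c:\\windows\\system32\\net.exe user admin adMIN.!2011? /add",
]

if __name__ == "__main__":
    found, undo = triage(SAMPLE_NOTIFICATIONS)
    for f in found:
        note = " (password exposed in notification)" if f.password_in_log else ""
        print(f"{f.kind:9} user={f.user} group={f.group}{note}")
    print("Reversal commands:")
    for cmd in undo:
        print("  " + cmd)
```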

#8 CJPR (Topic Starter, 11 posts)
PM sent :)
  • 0

#9 Amlak (Member, 1,470 posts)
Step 1

Malwarebytes' Anti-Malware

  • Download Malwarebytes' Anti-Malware here.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, confirm a check mark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Make sure all items are checked and click on Remove Selected.
  • If asked to restart the computer, please do so immediately.
  • Post the contents of the resultant log in your next reply. You can access the log in the Logs tab.


Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Double-click on the downloaded file to start the program. (If running Vista/7, right click on it and select "Run as administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system, click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program.


Step 3

Run OTL.
  • Click the Quick Scan button at the top.
  • Make sure you post the log it produces in your next reply.

  • 0

#10 CJPR (Topic Starter, 11 posts)
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8202

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

21/11/2011 00:55:14
mbam-log-2011-11-21 (00-55-14).txt

Scan type: Quick scan
Objects scanned: 210947
Time elapsed: 1 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER coming next

Edited by CJPR, 20 November 2011 - 06:57 PM.

  • 0



#11 CJPR (Topic Starter, 11 posts)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-21 01:10:17
Windows 6.1.7601 Service Pack 1
Running: 04dgck9p.exe


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9B635CE-16B9-3896-94EE-E74C2FA7A855}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9B635CE-16B9-3896-94EE-E74C2FA7A855}@habnenfggpgnonlf 0x6A 0x61 0x6E 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9B635CE-16B9-3896-94EE-E74C2FA7A855}@ialpgcjcpfejncmimm 0x63 0x61 0x61 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9B635CE-16B9-3896-94EE-E74C2FA7A855}@iapnnibbjhldpnigpa 0x6A 0x61 0x6E 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9B635CE-16B9-3896-94EE-E74C2FA7A855}@dbjfeadkjjlhmbgddjmjpddgmcffceojogelcccb 0x6A 0x62 0x6A 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C9B635CE-16B9-3896-94EE-E74C2FA7A855}@jbjfeadkjjlhmbgddjmjadojifkahllddfdojddcgiheedondgjl 0x6F 0x61 0x66 0x70 ...

---- EOF - GMER 1.0.15 ----
  • 0

#12 CJPR (Topic Starter, 11 posts)
OTL logfile created on: 21/11/2011 01:21:24 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.97 Gb Total Physical Memory | 2.27 Gb Available Physical Memory | 57.35% Memory free
7.93 Gb Paging File | 5.59 Gb Available in Paging File | 70.44% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 292.52 Gb Free Space | 62.80% Space Free | Partition Type: NTFS

Computer Name: IS-15487 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/21 01:20:35 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
PRC - [2011/10/23 20:07:34 | 000,630,784 | ---- | M] (FileZilla Project) -- C:\Program Files (x86)\FileZilla Server\FileZilla server.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/30 16:56:12 | 000,041,472 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\php-cgi.exe
PRC - [2011/06/22 20:05:12 | 003,533,824 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe
PRC - [2011/06/22 20:04:24 | 000,736,256 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\traymonitor.exe
PRC - [2011/06/22 20:03:30 | 000,808,960 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PleskControlPanel.exe
PRC - [2011/06/22 20:00:26 | 000,727,040 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PopPassD.exe
PRC - [2011/06/22 05:59:26 | 000,339,968 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe
PRC - [2011/06/21 11:08:54 | 010,749,952 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe
PRC - [2011/02/24 21:35:42 | 001,857,536 | ---- | M] (MailEnable Pty Ltd) -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin\MEIMAPS.EXE
PRC - [2011/02/12 03:14:14 | 006,107,136 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Databases\MySQL51\bin\mysqld.exe
PRC - [2011/01/06 18:30:48 | 000,049,230 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\php-cgi.exe
PRC - [2010/11/21 03:24:58 | 000,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\inetsrv\w3wp.exe
PRC - [2008/11/21 14:31:34 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\SHOUTcast\sc_serv.exe
PRC - [2007/03/29 18:28:42 | 000,279,040 | ---- | M] (Doctor Web Ltd.) -- C:\Program Files (x86)\Parallels\Plesk\DrWeb\DrWebCom.exe
PRC - [2006/11/06 16:24:36 | 003,604,480 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\MySQL\bin\mysqld-nt.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/30 17:12:58 | 000,227,840 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\eAccelerator.dll
MOD - [2011/06/30 17:12:50 | 004,439,552 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\php_aps_php.dll
MOD - [2011/06/21 11:08:54 | 010,749,952 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe
MOD - [2011/04/19 16:10:36 | 000,697,344 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\rdbmspp.dll
MOD - [2011/04/06 12:28:00 | 000,075,264 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\runtime.dll
MOD - [2011/03/31 12:14:26 | 002,060,288 | ---- | M] () -- C:\Windows\SysWOW64\libmySQL.dll
MOD - [2011/02/04 07:43:38 | 000,067,584 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\zlib.dll
MOD - [2011/01/06 18:30:54 | 002,076,672 | ---- | M] () -- C:\Windows\SysWOW64\inetsrv\libmySQL.dll
MOD - [2011/01/06 18:30:54 | 002,076,672 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\libmysql.dll
MOD - [2011/01/06 18:30:48 | 004,964,429 | ---- | M] () -- \\?\C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\php5ts.dll
MOD - [2011/01/06 18:30:48 | 000,028,752 | ---- | M] () -- \\?\C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\php5isapi.dll
MOD - [2010/12/10 19:36:44 | 000,984,064 | ---- | M] () -- C:\Windows\SysWOW64\libxml2.dll
MOD - [2010/06/07 08:55:26 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_AdjustablePhaseRotator.dll
MOD - [2009/04/22 23:59:21 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_ImpactClunk.dll
MOD - [2009/04/22 23:59:19 | 000,020,480 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_attenuator_3dB.dll
MOD - [2009/01/22 10:09:42 | 002,887,680 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_breakaway.dll
MOD - [2008/11/28 06:32:56 | 000,380,928 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\lame_enc.dll
MOD - [2008/11/21 14:31:34 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\SHOUTcast\sc_serv.exe
MOD - [2008/10/24 20:06:56 | 000,696,320 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\isapi\isapirewrite4.dll
MOD - [2007/07/04 20:44:00 | 000,450,560 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\ext\ioncube_loader_win_5.2.dll
MOD - [2006/03/12 12:51:02 | 000,540,672 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\aacPlusEnc.drv
MOD - [2004/11/24 18:11:26 | 001,069,056 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\libmysql.dll
MOD - [2004/11/23 01:04:22 | 000,009,216 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\ogg.dll
MOD - [2004/11/23 01:03:06 | 000,140,288 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\vorbis.dll
MOD - [2004/11/05 15:44:26 | 000,057,344 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\SS_agc.dll
MOD - [2003/06/24 03:36:42 | 000,233,472 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\mp3prodec.drv


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/01/26 11:38:11 | 000,350,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV:64bit: - [2010/11/21 03:24:30 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:64bit: - [2009/07/14 01:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/14 01:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 01:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/14 01:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 01:39:56 | 000,010,752 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\WMSvc.exe -- (WMSVC)
SRV:64bit: - [2009/07/14 01:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV:64bit: - [2009/04/21 14:16:48 | 000,017,960 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\sysdown.exe -- (sysdown)
SRV - [2011/10/23 20:07:34 | 000,630,784 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/30 17:15:04 | 000,008,192 | ---- | M] (Parallels, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Parallels\Plesk\Admin\bin\Parallels.MonitorSrv.exe -- (ParallelsHealthMonitor)
SRV - [2011/06/30 17:15:04 | 000,007,168 | ---- | M] (Parallels, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Parallels\Plesk\Admin\bin\Parallels.AlarmSrv.exe -- (ParallelsHealthNotifier)
SRV - [2011/06/22 20:05:12 | 003,533,824 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe -- (plesksrv)
SRV - [2011/06/22 20:03:30 | 000,808,960 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PleskControlPanel.exe -- (PleskControlPanel)
SRV - [2011/06/22 20:00:26 | 000,727,040 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PopPassD.exe -- (PopPassD)
SRV - [2011/06/22 05:59:26 | 000,339,968 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe -- (named)
SRV - [2011/02/24 21:59:26 | 000,131,584 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MELSC.exe -- (MELCS)
SRV - [2011/02/24 21:58:54 | 000,140,288 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEMTA.exe -- (MEMTAS)
SRV - [2011/02/24 21:58:08 | 000,307,200 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEPOPS.exe -- (MEPOPS)
SRV - [2011/02/24 21:57:28 | 000,565,760 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEPOC.exe -- (MEPOCS)
SRV - [2011/02/24 21:55:52 | 000,683,008 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MESMTPC.exe -- (MESMTPCS)
SRV - [2011/02/24 21:35:42 | 001,857,536 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin\MEIMAPS.exe -- (MEIMAPS)
SRV - [2011/02/12 03:14:14 | 006,107,136 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Databases\MySQL51\bin\mysqld.exe -- (MySQL)
SRV - [2010/11/21 03:24:58 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/21 03:24:58 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/21 03:24:58 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/03/29 18:28:42 | 000,279,040 | ---- | M] (Doctor Web Ltd.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\DrWeb\DrWebCom.exe -- (DrWebCom)
SRV - [2006/11/06 16:24:36 | 003,604,480 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\MySQL\bin\mysqld-nt.exe -- (PleskSQLServer)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/08/31 17:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011/03/11 06:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 06:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 03:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 03:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/21 03:24:00 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2010/11/21 03:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 03:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/21 03:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/07/08 22:07:10 | 000,303,280 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1q62x64.sys -- (e1qexpress) Intel®
DRV:64bit: - [2010/02/22 19:02:18 | 000,156,776 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpCISSs2.sys -- (HpCISSs2)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 01:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/06/10 20:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma) Intel®
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/04/21 14:16:48 | 000,099,368 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hpqmgmt.sys -- (hpqmgmt)
DRV:64bit: - [2009/03/24 18:31:40 | 000,102,400 | ---- | M] (AMCC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\3wareDrv.sys -- (3wareDrv)
DRV:64bit: - [2008/09/11 01:14:10 | 000,390,000 | ---- | M] (XGI Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xg20grp.sys -- (XGIGraphics_XG2X)
DRV:64bit: - [2008/04/08 17:27:56 | 000,082,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\3wDrv100.sys -- (3wDrv100)
DRV:64bit: - [2005/03/28 10:30:00 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2010/11/21 03:25:11 | 000,115,712 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2009/06/10 21:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{56A46241-208A-469F-9B54-C78FE34E8052}: NameServer = 87.117.198.200,87.117.237.100,87.117.196.200
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/21 01:20:35 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
[2011/11/21 00:53:08 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
[2011/11/21 00:52:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/21 00:52:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/11/21 00:52:52 | 000,025,416 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/11/21 00:52:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/11/20 21:17:11 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\freight-services-template
[2011/11/20 18:45:29 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\fz3-13218147275710
[2011/11/20 18:43:57 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\FileZilla
[2011/11/20 18:43:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/11/20 18:43:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileZilla FTP Client
[2011/11/20 04:21:39 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\siteground84
[2011/11/20 02:11:35 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\sambc-up
[2011/11/20 01:47:40 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\SAMBC
[2011/11/19 22:58:54 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\ActiveState
[2011/11/19 01:02:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\DoctorWeb
[2011/11/18 22:04:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2011/11/18 22:04:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/11/17 04:23:18 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/17 04:23:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/11/17 04:23:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Auslogics
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Portable Devices
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Photo Viewer
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Photo Viewer
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Player
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Media Player
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Defender
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\twain_32
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\LogFiles
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\CSC
[2011/11/15 02:26:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\freeSSHd
[2011/11/14 15:00:20 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
[2011/11/14 02:41:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmarterTools Inc
[2011/11/14 02:41:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SmarterTools
[2011/11/10 23:36:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\default website placeholder
[2011/11/09 12:06:15 | 000,000,000 | ---D | C] -- C:\sam-song.info
[2011/11/08 20:48:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\SpacialAudio
[2011/11/08 20:45:24 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SAM Broadcaster
[2011/11/08 20:45:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpacialAudio
[2011/11/06 00:25:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\MySQL
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WinRAR
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/11/06 00:21:42 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2011/11/06 00:13:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\zag
[2011/11/06 00:13:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\twitter pal
[2011/11/06 00:13:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\pal
[2011/11/06 00:11:46 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Judas Priest - Discography
[2011/11/05 17:40:31 | 000,000,000 | ---D | C] -- C:\MUSIC
[2011/11/05 17:26:23 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Emerald Editor Community
[2011/11/05 17:21:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla Server
[2011/11/05 17:21:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileZilla Server
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SHOUTcast DNAS
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SHOUTcast DNAS
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SHOUTcast
[2011/11/05 17:20:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crimson Editor SVN286M
[2011/11/05 17:20:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crimson Editor SVN286M
[2011/11/05 17:20:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emerald Editor Community
[2011/11/05 00:55:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActivePerl 5.10.1 Build 1007
[2011/11/05 00:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/11/05 00:55:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server
[2011/11/05 00:55:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActiveState ActivePython 2.6 (32-bit)
[2011/11/05 00:54:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parallels
[2011/11/05 00:54:49 | 000,000,000 | ---D | C] -- C:\Recycler
[2011/11/05 00:53:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mail Enable
[2011/11/05 00:53:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mail Enable
[2011/11/05 00:50:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IIS
[2011/11/05 00:47:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Parallels
[2011/11/05 00:47:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL
[2011/11/05 00:44:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Parallels
[2011/11/05 00:44:04 | 000,000,000 | ---D | C] -- C:\b7eb390a4ea24c84da5e7424141f38f6
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Reference Assemblies
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\inetpub
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\BestPractices
[2011/11/05 00:27:23 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution

========== Files - Modified Within 30 Days ==========

[2011/11/21 01:20:35 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
[2011/11/21 00:58:17 | 000,302,592 | ---- | M] () -- C:\04dgck9p.exe
[2011/11/21 00:52:55 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/21 00:52:02 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2011/11/20 21:53:53 | 000,000,716 | ---- | M] () -- C:\Windows\cedt.INI
[2011/11/20 09:05:03 | 000,001,005 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/20 05:02:10 | 000,001,061 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/20 04:21:25 | 000,142,184 | ---- | M] () -- C:\Users\Administrator\Desktop\siteground84.zip
[2011/11/20 03:38:01 | 000,001,065 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2011/11/20 02:18:18 | 000,002,038 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SAM Broadcaster.lnk
[2011/11/20 02:18:18 | 000,002,014 | ---- | M] () -- C:\Users\Administrator\Desktop\SAM Broadcaster.lnk
[2011/11/20 01:45:45 | 023,393,101 | ---- | M] () -- C:\Users\Administrator\Desktop\sambc-fb-v492.exe
[2011/11/19 23:03:00 | 016,141,874 | ---- | M] () -- C:\Users\Administrator\Desktop\sambc-up.rar
[2011/11/19 01:00:12 | 081,693,992 | ---- | M] () -- C:\Users\Administrator\Desktop\drweb-cureit.exe
[2011/11/18 22:04:14 | 000,003,011 | ---- | M] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | M] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:21:21 | 000,078,877 | ---- | M] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | M] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/17 22:50:18 | 000,007,636 | ---- | M] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2011/11/17 16:30:48 | 000,027,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 16:30:48 | 000,027,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 04:23:15 | 000,001,246 | ---- | M] () -- C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
[2011/11/17 02:18:29 | 000,796,548 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/11/17 02:18:29 | 000,674,160 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/11/17 02:18:29 | 000,133,416 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/11/17 02:12:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/17 02:09:05 | 000,267,296 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/11/15 03:01:15 | 000,000,668 | ---- | M] () -- C:\Users\Administrator\Desktop\privatekey.dsa
[2011/11/15 03:01:08 | 000,000,887 | ---- | M] () -- C:\Users\Administrator\Desktop\privatekey.rsa
[2011/11/09 00:08:54 | 000,001,023 | ---- | M] () -- C:\Users\Administrator\Desktop\64k.lnk
[2011/11/09 00:08:01 | 000,001,023 | ---- | M] () -- C:\Users\Administrator\Desktop\32k.lnk
[2011/11/06 00:11:46 | 000,001,706 | ---- | M] () -- C:\Users\Administrator\Desktop\RequestHandler.pal
[2011/11/06 00:11:45 | 000,006,026 | ---- | M] () -- C:\Users\Administrator\Desktop\web20-facebook.pal
[2011/11/06 00:11:45 | 000,005,442 | ---- | M] () -- C:\Users\Administrator\Desktop\web20-twitter.pal
[2011/11/06 00:11:45 | 000,003,479 | ---- | M] () -- C:\Users\Administrator\Desktop\dedications.pal
[2011/11/06 00:11:45 | 000,003,371 | ---- | M] () -- C:\Users\Administrator\Desktop\NowPlayingShow.pal
[2011/11/06 00:11:45 | 000,002,895 | ---- | M] () -- C:\Users\Administrator\Desktop\newdedications.pal
[2011/11/05 17:30:17 | 000,000,933 | ---- | M] () -- C:\Users\Administrator\Desktop\sc_serv - Shortcut.lnk
[2011/11/05 17:20:42 | 000,001,324 | ---- | M] () -- C:\Users\Administrator\Desktop\Crimson Editor SVN286M.lnk
[2011/11/05 16:14:05 | 000,000,316 | ---- | M] () -- C:\Windows\tasks\Automatic update of license keys.job
[2011/11/05 01:17:10 | 000,000,286 | ---- | M] () -- C:\Windows\tasks\Automatic update of license keys on server start.job
[2011/11/05 00:54:54 | 000,001,279 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PP Services Monitor.lnk
[2011/11/05 00:54:54 | 000,000,163 | ---- | M] () -- C:\Users\Public\Desktop\Parallels Panel 10.3.url
[2011/11/05 00:51:15 | 000,781,952 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/05 00:51:06 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\.rnd
[2011/11/05 00:49:15 | 000,000,190 | ---- | M] () -- C:\Windows\ODBCINST.INI

========== Files Created - No Company Name ==========

[2011/11/21 00:58:17 | 000,302,592 | ---- | C] () -- C:\04dgck9p.exe
[2011/11/21 00:52:55 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/20 04:21:25 | 000,142,184 | ---- | C] () -- C:\Users\Administrator\Desktop\siteground84.zip
[2011/11/20 01:45:34 | 023,393,101 | ---- | C] () -- C:\Users\Administrator\Desktop\sambc-fb-v492.exe
[2011/11/19 23:03:00 | 016,141,874 | ---- | C] () -- C:\Users\Administrator\Desktop\sambc-up.rar
[2011/11/19 01:00:53 | 081,693,992 | ---- | C] () -- C:\Users\Administrator\Desktop\drweb-cureit.exe
[2011/11/18 22:04:14 | 000,003,011 | ---- | C] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | C] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:21:21 | 000,078,877 | ---- | C] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | C] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/17 04:23:15 | 000,001,246 | ---- | C] () -- C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
[2011/11/17 02:11:04 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/11/15 03:01:14 | 000,000,668 | ---- | C] () -- C:\Users\Administrator\Desktop\privatekey.dsa
[2011/11/15 02:55:34 | 000,000,887 | ---- | C] () -- C:\Users\Administrator\Desktop\privatekey.rsa
[2011/11/14 12:20:50 | 000,007,636 | ---- | C] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2011/11/09 00:08:24 | 000,001,023 | ---- | C] () -- C:\Users\Administrator\Desktop\64k.lnk
[2011/11/09 00:06:51 | 000,001,023 | ---- | C] () -- C:\Users\Administrator\Desktop\32k.lnk
[2011/11/08 20:45:24 | 000,002,038 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SAM Broadcaster.lnk
[2011/11/08 20:45:24 | 000,002,014 | ---- | C] () -- C:\Users\Administrator\Desktop\SAM Broadcaster.lnk
[2011/11/06 00:11:45 | 000,006,026 | ---- | C] () -- C:\Users\Administrator\Desktop\web20-facebook.pal
[2011/11/06 00:11:45 | 000,005,442 | ---- | C] () -- C:\Users\Administrator\Desktop\web20-twitter.pal
[2011/11/06 00:11:45 | 000,003,479 | ---- | C] () -- C:\Users\Administrator\Desktop\dedications.pal
[2011/11/06 00:11:45 | 000,003,371 | ---- | C] () -- C:\Users\Administrator\Desktop\NowPlayingShow.pal
[2011/11/06 00:11:45 | 000,002,895 | ---- | C] () -- C:\Users\Administrator\Desktop\newdedications.pal
[2011/11/06 00:11:45 | 000,001,706 | ---- | C] () -- C:\Users\Administrator\Desktop\RequestHandler.pal
[2011/11/05 17:33:19 | 000,000,716 | ---- | C] () -- C:\Windows\cedt.INI
[2011/11/05 17:30:17 | 000,000,933 | ---- | C] () -- C:\Users\Administrator\Desktop\sc_serv - Shortcut.lnk
[2011/11/05 17:20:42 | 000,001,324 | ---- | C] () -- C:\Users\Administrator\Desktop\Crimson Editor SVN286M.lnk
[2011/11/05 00:59:12 | 000,001,005 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/05 00:54:54 | 000,001,279 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PP Services Monitor.lnk
[2011/11/05 00:54:54 | 000,000,163 | ---- | C] () -- C:\Users\Public\Desktop\Parallels Panel 10.3.url
[2011/11/05 00:52:19 | 000,000,286 | ---- | C] () -- C:\Windows\tasks\Automatic update of license keys on server start.job
[2011/11/05 00:52:18 | 000,000,326 | ---- | C] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2011/11/05 00:52:18 | 000,000,316 | ---- | C] () -- C:\Windows\tasks\Automatic update of license keys.job
[2011/11/05 00:51:45 | 000,001,069 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/05 00:51:45 | 000,001,065 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2011/11/05 00:51:45 | 000,001,061 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/05 00:51:06 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\.rnd
[2011/11/05 00:49:15 | 000,000,190 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2011/03/31 12:14:26 | 002,060,288 | ---- | C] () -- C:\Windows\SysWow64\libmySQL.dll
[2011/03/08 11:20:48 | 000,781,952 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/12/10 19:36:44 | 000,984,064 | ---- | C] () -- C:\Windows\SysWow64\libxml2.dll
[2010/03/20 14:53:14 | 000,353,280 | ---- | C] () -- C:\Windows\SysWow64\pythoncom26.dll
[2010/03/20 14:53:14 | 000,109,568 | ---- | C] () -- C:\Windows\SysWow64\pywintypes26.dll
[2009/07/14 05:42:10 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/31 16:26:42 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\libcurl.dll
[2008/04/12 00:38:10 | 000,114,688 | ---- | C] () -- C:\Windows\SysWow64\myodbc3i.exe
[2008/04/12 00:38:10 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\myodbc3m.exe

========== LOP Check ==========

[2011/11/17 04:23:18 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/20 19:12:52 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\FileZilla
[2011/11/11 14:31:33 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\MySQL
[2011/11/05 01:17:10 | 000,000,286 | ---- | M] () -- C:\Windows\Tasks\Automatic update of license keys on server start.job
[2011/11/05 16:14:05 | 000,000,316 | ---- | M] () -- C:\Windows\Tasks\Automatic update of license keys.job
[2011/11/21 00:52:02 | 000,000,326 | ---- | M] () -- C:\Windows\Tasks\Backup of vital Plesk settings.job
[2011/11/20 09:05:03 | 000,001,005 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/20 05:02:10 | 000,001,061 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/20 03:38:01 | 000,001,065 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2009/07/14 05:06:36 | 000,024,198 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
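
The listing that ends above is the tail of an OTL report: the files-created section, then the LOP check of scheduled-task `.job` files under `C:\Windows\Tasks`. Judging a listing this size by eye comes down to knowing which timestamps and paths matter. As an added example (not part of the original post, and not a feature of OTL), the Python below parses OTL-style entries and flags the ones worth a second look: anything stamped inside an assumed incident window, anything under `C:\Windows\Tasks\*.job`, and executables sitting directly in the drive root. The window (2011/11/18 20:30 to 21:30) is an assumption centred on the 20:46:17 modification time of one Plesk Scheduler Task `.job` in the LOP check; the sample input is a handful of lines copied from the listing. A flag means "verify by hand", not "malicious": scanner caches written during cleanup will land inside a broad window, and a random-named `.exe` in the root is also what renamed cleanup tools look like.

```python
import re
from datetime import datetime

# OTL file-listing line layout (the "(company)" group is absent on LOP Check directory lines):
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (company) -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>\d{3}(?:,\d{3})*) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# Heuristics: an executable directly in the drive root, and any Task Scheduler .job file.
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|dll|scr|com|bat|cmd|vbs|ps1)$", re.IGNORECASE)
TASK_JOB_RE = re.compile(r"^[A-Za-z]:\\Windows\\Tasks\\[^\\]+\.job$", re.IGNORECASE)

# Assumed incident window, centred on the 20:46:17 modification of a Plesk Scheduler .job in the listing.
WINDOW_START = datetime(2011, 11, 18, 20, 30, 0)
WINDOW_END = datetime(2011, 11, 18, 21, 30, 0)

# Constructed sample: a handful of lines copied from the OTL listing above (raw string: paths contain '\').
SAMPLE_LISTING = r"""
========== Files Created - No Company Name ==========

[2011/11/21 00:58:17 | 000,302,592 | ---- | C] () -- C:\04dgck9p.exe
[2011/11/18 22:04:14 | 000,003,011 | ---- | C] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | C] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | C] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/05 00:52:18 | 000,000,326 | ---- | C] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2009/07/14 05:42:10 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

========== LOP Check ==========

[2011/11/17 04:23:18 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
"""


def parse_otl_line(line):
    """Return a dict for one OTL file-listing line, or None for section headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "kind": "created" if m.group("kind") == "C" else "modified",
        "is_dir": "D" in m.group("attrs"),
        "company": m.group("company"),   # None when OTL printed no "()" group
        "path": m.group("path"),
    }


def triage(lines, window_start, window_end):
    """Flag entries for manual review; returns (timestamp, kind, path, reasons) sorted by timestamp."""
    flagged = []
    for line in lines:
        e = parse_otl_line(line)
        if e is None:
            continue
        reasons = []
        if window_start <= e["ts"] <= window_end:
            reasons.append("timestamp inside incident window")
        if TASK_JOB_RE.match(e["path"]):
            reasons.append("scheduled-task .job file")
        if not e["is_dir"] and ROOT_EXE_RE.match(e["path"]):
            reasons.append("executable directly in drive root")
        if reasons:
            flagged.append((e["ts"], e["kind"], e["path"], reasons))
    flagged.sort(key=lambda row: row[0])
    return flagged


def triage_sample():
    """Run the triage over the constructed sample with the assumed window."""
    return triage(SAMPLE_LISTING.strip().splitlines(), WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for ts, kind, path, reasons in triage_sample():
        print(f"{ts:%Y/%m/%d %H:%M:%S}  {kind:<8} {path}\n    -> {'; '.join(reasons)}")
```

On the sample this flags five entries: both Plesk `.job` files, the two scan-cache files that fall inside the window, and the root-level `04dgck9p.exe`. OTL records only a `.job` file's size and timestamps, so on the live box the next step for each flagged `.job` is to read the command line it actually runs (`schtasks /query /fo LIST /v`, or the task's entry in the Plesk scheduler), which is the part of the picture this listing cannot give.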

#13 Amlak (Member 1K, 1,470 posts)
Logs look clean to me. Any problems or suspicious issues you're experiencing with your computer?

#14 CJPR (Topic Starter, Member, 11 posts)
None that I can see. Everything seems fine. :thumbsup:

#15 Amlak (Member 1K, 1,470 posts)
Hold on. I need to seek advice on something and will get back to you as soon as possible.





