I run a Windows 2008 server and I just happened to notice that someone was logged into my FTP. Unfortunately they gained access to all of my C drive, as I had the folder permissions set like that because I was transferring a lot of files and needed that kind of access (I know, not too smart).
I managed to kick and ban the user and deleted the account in question, but not before said person had a nice poke around and possibly uploaded/downloaded files.
I can post the FTP log so you can see what files the person had access to and what he attempted to upload if that helps. Please let me know.
The thing that has me really worried is the following email notifications that I received while this was going on. They are as follows:
Parallels Panel Scheduler notification
Running task: c:\windows\system32\net.exe user admin admin!2010? /add
Started: Fri Nov 18 20:43:47 2011
The task output is attached to the e-mail
Ended with code 2: Fri Nov 18 20:43:47 2011
Running task: c:\windows\system32\net.exe localgroup administrators admin /add
Started: Fri Nov 18 20:44:11 2011
The task output is attached to the e-mail
Ended successfully: Fri Nov 18 20:44:11 2011
Running task: net.exe user admin adMIN.!2011? /add
Started: Fri Nov 18 20:45:32 2011
The task output is attached to the e-mail
Ended with code 2: Fri Nov 18 20:45:33 2011
Running task: c:\windows\system32\net.exe user admin adMIN.!2011? /add
Started: Fri Nov 18 20:45:57 2011
The task output is attached to the e-mail
Ended with code 2: Fri Nov 18 20:45:57 2011
*The text file that came with the notification on the second one as described above contained the following:
The command completed successfully.
That has me very worried.
I have already changed passwords for my Plesk admin panel and also all databases.
Here is a copy of the OTL output:
OTL logfile created on: 18/11/2011 22:33:00 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
3.97 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 54.21% Memory free
7.93 Gb Paging File | 5.93 Gb Available in Paging File | 74.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 294.95 Gb Free Space | 63.33% Space Free | Partition Type: NTFS
Computer Name: IS-15487 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/11/18 22:31:33 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
PRC - [2011/10/23 20:07:58 | 001,044,992 | ---- | M] (FileZilla Project) -- C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe
PRC - [2011/10/23 20:07:34 | 000,630,784 | ---- | M] (FileZilla Project) -- C:\Program Files (x86)\FileZilla Server\FileZilla server.exe
PRC - [2011/10/01 19:50:02 | 001,347,584 | ---- | M] (Emerald Editor Community) -- C:\Program Files (x86)\Emerald Editor Community\Crimson Editor SVN286M\cedt.exe
PRC - [2011/09/27 20:36:00 | 010,758,656 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe
PRC - [2011/06/30 16:56:12 | 000,041,472 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\php-cgi.exe
PRC - [2011/06/22 20:05:12 | 003,533,824 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe
PRC - [2011/06/22 20:04:24 | 000,736,256 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\traymonitor.exe
PRC - [2011/06/22 20:03:30 | 000,808,960 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PleskControlPanel.exe
PRC - [2011/06/22 20:00:26 | 000,727,040 | ---- | M] (Parallels, Inc.) -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PopPassD.exe
PRC - [2011/06/22 05:59:26 | 000,339,968 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe
PRC - [2011/02/24 21:35:42 | 001,857,536 | ---- | M] (MailEnable Pty Ltd) -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin\MEIMAPS.EXE
PRC - [2011/02/12 03:14:14 | 006,107,136 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Databases\MySQL51\bin\mysqld.exe
PRC - [2011/01/06 18:30:48 | 000,049,230 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\php-cgi.exe
PRC - [2010/11/21 03:24:58 | 000,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\inetsrv\w3wp.exe
PRC - [2009/09/10 01:31:44 | 001,360,072 | ---- | M] () -- C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe
PRC - [2008/11/21 14:31:34 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\SHOUTcast\sc_serv.exe
PRC - [2007/03/29 18:28:42 | 000,279,040 | ---- | M] (Doctor Web Ltd.) -- C:\Program Files (x86)\Parallels\Plesk\DrWeb\DrWebCom.exe
PRC - [2006/11/06 16:24:36 | 003,604,480 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\MySQL\bin\mysqld-nt.exe
========== Modules (No Company Name) ==========
MOD - [2011/09/27 20:36:00 | 010,758,656 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\SAMBC.exe
MOD - [2011/09/20 00:33:48 | 001,069,056 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\libmysql.dll
MOD - [2011/09/20 00:33:44 | 000,540,672 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\aacPlusEnc.drv
MOD - [2011/09/20 00:33:44 | 000,380,928 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\lame_enc.dll
MOD - [2011/09/20 00:33:44 | 000,233,472 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\mp3prodec.drv
MOD - [2011/09/20 00:33:44 | 000,140,288 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\vorbis.dll
MOD - [2011/09/20 00:33:44 | 000,057,344 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\SS_agc.dll
MOD - [2011/09/20 00:33:44 | 000,009,216 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\ogg.dll
MOD - [2011/06/30 17:12:58 | 000,227,840 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\eAccelerator.dll
MOD - [2011/06/30 17:12:50 | 004,439,552 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\php_aps_php.dll
MOD - [2011/04/19 16:10:42 | 000,192,512 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\mysqlserver.dll
MOD - [2011/04/19 16:10:36 | 000,697,344 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\rdbmspp.dll
MOD - [2011/04/06 12:28:00 | 000,075,264 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\modules\runtime.dll
MOD - [2011/03/31 12:14:26 | 002,060,288 | ---- | M] () -- C:\Windows\SysWOW64\libmySQL.dll
MOD - [2011/02/04 07:43:38 | 000,067,584 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\zlib.dll
MOD - [2011/01/06 18:30:54 | 002,076,672 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\libmysql.dll
MOD - [2010/12/10 19:36:44 | 000,984,064 | ---- | M] () -- C:\Windows\SysWOW64\libxml2.dll
MOD - [2010/06/07 08:55:26 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_AdjustablePhaseRotator.dll
MOD - [2009/04/22 23:59:21 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_ImpactClunk.dll
MOD - [2009/04/22 23:59:19 | 000,020,480 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_attenuator_3dB.dll
MOD - [2009/01/22 10:09:42 | 002,887,680 | ---- | M] () -- C:\Program Files (x86)\SpacialAudio\SAMBC\plugins\dsp_breakaway.dll
MOD - [2008/11/21 14:31:34 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\SHOUTcast\sc_serv.exe
MOD - [2008/10/24 20:06:56 | 000,696,320 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\isapi\isapirewrite4.dll
MOD - [2007/07/04 20:44:00 | 000,450,560 | ---- | M] () -- C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\ext\ioncube_loader_win_5.2.dll
========== Win32 Services (SafeList) ==========
SRV:64bit: - [2011/01/26 11:38:11 | 000,350,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV:64bit: - [2010/11/21 03:24:30 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:64bit: - [2009/07/14 01:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/14 01:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 01:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/14 01:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 01:39:56 | 000,010,752 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\WMSvc.exe -- (WMSVC)
SRV:64bit: - [2009/07/14 01:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV:64bit: - [2009/04/21 14:16:48 | 000,017,960 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\sysdown.exe -- (sysdown)
SRV - [2011/10/23 20:07:34 | 000,630,784 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2011/06/30 17:15:04 | 000,008,192 | ---- | M] (Parallels, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Parallels\Plesk\Admin\bin\Parallels.MonitorSrv.exe -- (ParallelsHealthMonitor)
SRV - [2011/06/30 17:15:04 | 000,007,168 | ---- | M] (Parallels, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Parallels\Plesk\Admin\bin\Parallels.AlarmSrv.exe -- (ParallelsHealthNotifier)
SRV - [2011/06/22 20:05:12 | 003,533,824 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\plesksrv.exe -- (plesksrv)
SRV - [2011/06/22 20:03:30 | 000,808,960 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PleskControlPanel.exe -- (PleskControlPanel)
SRV - [2011/06/22 20:00:26 | 000,727,040 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\admin\bin\PopPassD.exe -- (PopPassD)
SRV - [2011/06/22 05:59:26 | 000,339,968 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe -- (named)
SRV - [2011/02/24 21:59:26 | 000,131,584 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MELSC.exe -- (MELCS)
SRV - [2011/02/24 21:58:54 | 000,140,288 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEMTA.exe -- (MEMTAS)
SRV - [2011/02/24 21:58:08 | 000,307,200 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEPOPS.exe -- (MEPOPS)
SRV - [2011/02/24 21:57:28 | 000,565,760 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MEPOC.exe -- (MEPOCS)
SRV - [2011/02/24 21:55:52 | 000,683,008 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin64\MESMTPC.exe -- (MESMTPCS)
SRV - [2011/02/24 21:35:42 | 001,857,536 | ---- | M] (MailEnable Pty Ltd) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Bin\MEIMAPS.exe -- (MEIMAPS)
SRV - [2011/02/12 03:14:14 | 006,107,136 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\Databases\MySQL51\bin\mysqld.exe -- (MySQL)
SRV - [2010/11/21 03:24:58 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/21 03:24:58 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/21 03:24:58 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/10 01:31:44 | 001,360,072 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe -- (FreeSSHDService)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/03/29 18:28:42 | 000,279,040 | ---- | M] (Doctor Web Ltd.) [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\DrWeb\DrWebCom.exe -- (DrWebCom)
SRV - [2006/11/06 16:24:36 | 003,604,480 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Parallels\Plesk\MySQL\bin\mysqld-nt.exe -- (PleskSQLServer)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2011/03/11 06:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 06:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 03:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 03:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/21 03:24:00 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2010/11/21 03:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 03:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/21 03:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/07/08 22:07:10 | 000,303,280 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1q62x64.sys -- (e1qexpress) Intel®
DRV:64bit: - [2010/02/22 19:02:18 | 000,156,776 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpCISSs2.sys -- (HpCISSs2)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 01:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/06/10 20:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma) Intel®
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/04/21 14:16:48 | 000,099,368 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hpqmgmt.sys -- (hpqmgmt)
DRV:64bit: - [2009/03/24 18:31:40 | 000,102,400 | ---- | M] (AMCC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\3wareDrv.sys -- (3wareDrv)
DRV:64bit: - [2008/09/11 01:14:10 | 000,390,000 | ---- | M] (XGI Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xg20grp.sys -- (XGIGraphics_XG2X)
DRV:64bit: - [2008/04/08 17:27:56 | 000,082,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\3wDrv100.sys -- (3wDrv100)
DRV:64bit: - [2005/03/28 10:30:00 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2010/11/21 03:25:11 | 000,115,712 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2009/06/10 21:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{56A46241-208A-469F-9B54-C78FE34E8052}: NameServer = 87.117.198.200,87.117.237.100,87.117.196.200
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/11/18 22:31:33 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
[2011/11/18 22:04:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2011/11/18 22:04:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/11/17 04:23:18 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/17 04:23:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/11/17 04:23:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Auslogics
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Portable Devices
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Photo Viewer
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Photo Viewer
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Player
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Media Player
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Defender
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\twain_32
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\LogFiles
[2011/11/17 02:07:22 | 000,000,000 | ---D | C] -- C:\Windows\CSC
[2011/11/15 02:26:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freeSSHd
[2011/11/15 02:26:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\freeSSHd
[2011/11/14 15:00:20 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
[2011/11/14 02:41:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmarterTools Inc
[2011/11/14 02:41:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SmarterTools
[2011/11/10 23:36:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\default website placeholder
[2011/11/09 12:06:15 | 000,000,000 | ---D | C] -- C:\sam-song.info
[2011/11/08 20:48:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\SpacialAudio
[2011/11/08 20:45:24 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SAM Broadcaster
[2011/11/08 20:45:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpacialAudio
[2011/11/06 00:25:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\MySQL
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WinRAR
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/11/06 00:21:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/11/06 00:21:42 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2011/11/06 00:13:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\zag
[2011/11/06 00:13:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\twitter pal
[2011/11/06 00:13:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\pal
[2011/11/06 00:11:46 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Judas Priest - Discography
[2011/11/05 17:40:31 | 000,000,000 | ---D | C] -- C:\MUSIC
[2011/11/05 17:26:23 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Emerald Editor Community
[2011/11/05 17:21:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla Server
[2011/11/05 17:21:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileZilla Server
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SHOUTcast DNAS
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SHOUTcast DNAS
[2011/11/05 17:21:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SHOUTcast
[2011/11/05 17:20:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crimson Editor SVN286M
[2011/11/05 17:20:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crimson Editor SVN286M
[2011/11/05 17:20:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emerald Editor Community
[2011/11/05 00:55:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActivePerl 5.10.1 Build 1007
[2011/11/05 00:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/11/05 00:55:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server
[2011/11/05 00:55:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActiveState ActivePython 2.6 (32-bit)
[2011/11/05 00:54:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parallels
[2011/11/05 00:54:49 | 000,000,000 | ---D | C] -- C:\Recycler
[2011/11/05 00:53:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mail Enable
[2011/11/05 00:53:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mail Enable
[2011/11/05 00:50:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IIS
[2011/11/05 00:47:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Parallels
[2011/11/05 00:47:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL
[2011/11/05 00:44:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Parallels
[2011/11/05 00:44:04 | 000,000,000 | ---D | C] -- C:\b7eb390a4ea24c84da5e7424141f38f6
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Reference Assemblies
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\inetpub
[2011/11/05 00:41:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\BestPractices
[2011/11/05 00:27:23 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
========== Files - Modified Within 30 Days ==========
[2011/11/18 22:31:33 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.com
[2011/11/18 22:04:14 | 000,003,011 | ---- | M] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | M] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:21:21 | 000,078,877 | ---- | M] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | M] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/18 20:46:17 | 000,001,065 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2011/11/18 20:46:16 | 000,001,061 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/18 20:46:16 | 000,001,005 | ---- | M] () -- C:\Windows\tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/18 19:40:30 | 000,000,556 | ---- | M] () -- C:\Windows\cedt.INI
[2011/11/18 00:52:02 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2011/11/17 22:50:18 | 000,007,636 | ---- | M] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2011/11/17 16:30:48 | 000,027,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 16:30:48 | 000,027,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 04:23:15 | 000,001,246 | ---- | M] () -- C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
[2011/11/17 02:18:29 | 000,796,548 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/11/17 02:18:29 | 000,674,160 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/11/17 02:18:29 | 000,133,416 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/11/17 02:12:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/17 02:09:05 | 000,267,296 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/11/15 03:01:15 | 000,000,668 | ---- | M] () -- C:\Users\Administrator\Desktop\privatekey.dsa
[2011/11/15 03:01:08 | 000,000,887 | ---- | M] () -- C:\Users\Administrator\Desktop\privatekey.rsa
[2011/11/15 02:26:49 | 000,000,978 | ---- | M] () -- C:\Users\Administrator\Desktop\FreeSSHd.lnk
[2011/11/09 00:08:54 | 000,001,023 | ---- | M] () -- C:\Users\Administrator\Desktop\64k.lnk
[2011/11/09 00:08:01 | 000,001,023 | ---- | M] () -- C:\Users\Administrator\Desktop\32k.lnk
[2011/11/08 21:07:28 | 000,002,052 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SAM Broadcaster.lnk
[2011/11/08 21:07:28 | 000,002,028 | ---- | M] () -- C:\Users\Administrator\Desktop\SAM Broadcaster.lnk
[2011/11/06 00:11:46 | 000,001,706 | ---- | M] () -- C:\Users\Administrator\Desktop\RequestHandler.pal
[2011/11/06 00:11:45 | 000,006,026 | ---- | M] () -- C:\Users\Administrator\Desktop\web20-facebook.pal
[2011/11/06 00:11:45 | 000,005,442 | ---- | M] () -- C:\Users\Administrator\Desktop\web20-twitter.pal
[2011/11/06 00:11:45 | 000,003,479 | ---- | M] () -- C:\Users\Administrator\Desktop\dedications.pal
[2011/11/06 00:11:45 | 000,003,371 | ---- | M] () -- C:\Users\Administrator\Desktop\NowPlayingShow.pal
[2011/11/06 00:11:45 | 000,002,895 | ---- | M] () -- C:\Users\Administrator\Desktop\newdedications.pal
[2011/11/05 17:30:17 | 000,000,933 | ---- | M] () -- C:\Users\Administrator\Desktop\sc_serv - Shortcut.lnk
[2011/11/05 17:20:42 | 000,001,324 | ---- | M] () -- C:\Users\Administrator\Desktop\Crimson Editor SVN286M.lnk
[2011/11/05 16:14:05 | 000,000,316 | ---- | M] () -- C:\Windows\tasks\Automatic update of license keys.job
[2011/11/05 01:17:10 | 000,000,286 | ---- | M] () -- C:\Windows\tasks\Automatic update of license keys on server start.job
[2011/11/05 00:54:54 | 000,001,279 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PP Services Monitor.lnk
[2011/11/05 00:54:54 | 000,000,163 | ---- | M] () -- C:\Users\Public\Desktop\Parallels Panel 10.3.url
[2011/11/05 00:51:15 | 000,781,952 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/05 00:51:06 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\.rnd
[2011/11/05 00:49:15 | 000,000,190 | ---- | M] () -- C:\Windows\ODBCINST.INI
========== Files Created - No Company Name ==========
[2011/11/18 22:04:14 | 000,003,011 | ---- | C] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/11/18 21:21:27 | 000,728,088 | ---- | C] () -- C:\Users\Administrator\AppData\Local\census.cache
[2011/11/18 21:21:21 | 000,078,877 | ---- | C] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2011/11/18 21:13:37 | 000,000,036 | ---- | C] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2011/11/17 04:23:15 | 000,001,246 | ---- | C] () -- C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
[2011/11/17 02:11:04 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/11/15 03:01:14 | 000,000,668 | ---- | C] () -- C:\Users\Administrator\Desktop\privatekey.dsa
[2011/11/15 02:55:34 | 000,000,887 | ---- | C] () -- C:\Users\Administrator\Desktop\privatekey.rsa
[2011/11/15 02:26:49 | 000,000,978 | ---- | C] () -- C:\Users\Administrator\Desktop\FreeSSHd.lnk
[2011/11/14 12:20:50 | 000,007,636 | ---- | C] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2011/11/09 00:08:24 | 000,001,023 | ---- | C] () -- C:\Users\Administrator\Desktop\64k.lnk
[2011/11/09 00:06:51 | 000,001,023 | ---- | C] () -- C:\Users\Administrator\Desktop\32k.lnk
[2011/11/08 20:45:24 | 000,002,052 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SAM Broadcaster.lnk
[2011/11/08 20:45:24 | 000,002,028 | ---- | C] () -- C:\Users\Administrator\Desktop\SAM Broadcaster.lnk
[2011/11/06 00:11:45 | 000,006,026 | ---- | C] () -- C:\Users\Administrator\Desktop\web20-facebook.pal
[2011/11/06 00:11:45 | 000,005,442 | ---- | C] () -- C:\Users\Administrator\Desktop\web20-twitter.pal
[2011/11/06 00:11:45 | 000,003,479 | ---- | C] () -- C:\Users\Administrator\Desktop\dedications.pal
[2011/11/06 00:11:45 | 000,003,371 | ---- | C] () -- C:\Users\Administrator\Desktop\NowPlayingShow.pal
[2011/11/06 00:11:45 | 000,002,895 | ---- | C] () -- C:\Users\Administrator\Desktop\newdedications.pal
[2011/11/06 00:11:45 | 000,001,706 | ---- | C] () -- C:\Users\Administrator\Desktop\RequestHandler.pal
[2011/11/05 17:33:19 | 000,000,556 | ---- | C] () -- C:\Windows\cedt.INI
[2011/11/05 17:30:17 | 000,000,933 | ---- | C] () -- C:\Users\Administrator\Desktop\sc_serv - Shortcut.lnk
[2011/11/05 17:20:42 | 000,001,324 | ---- | C] () -- C:\Users\Administrator\Desktop\Crimson Editor SVN286M.lnk
[2011/11/05 00:59:12 | 000,001,005 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/05 00:54:54 | 000,001,279 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PP Services Monitor.lnk
[2011/11/05 00:54:54 | 000,000,163 | ---- | C] () -- C:\Users\Public\Desktop\Parallels Panel 10.3.url
[2011/11/05 00:52:19 | 000,000,286 | ---- | C] () -- C:\Windows\tasks\Automatic update of license keys on server start.job
[2011/11/05 00:52:18 | 000,000,326 | ---- | C] () -- C:\Windows\tasks\Backup of vital Plesk settings.job
[2011/11/05 00:52:18 | 000,000,316 | ---- | C] () -- C:\Windows\tasks\Automatic update of license keys.job
[2011/11/05 00:51:45 | 000,001,069 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/05 00:51:45 | 000,001,065 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2011/11/05 00:51:45 | 000,001,061 | ---- | C] () -- C:\Windows\tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/05 00:51:06 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\.rnd
[2011/11/05 00:49:15 | 000,000,190 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2011/03/31 12:14:26 | 002,060,288 | ---- | C] () -- C:\Windows\SysWow64\libmySQL.dll
[2011/03/08 11:20:48 | 000,781,952 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/12/10 19:36:44 | 000,984,064 | ---- | C] () -- C:\Windows\SysWow64\libxml2.dll
[2010/03/20 14:53:14 | 000,353,280 | ---- | C] () -- C:\Windows\SysWow64\pythoncom26.dll
[2010/03/20 14:53:14 | 000,109,568 | ---- | C] () -- C:\Windows\SysWow64\pywintypes26.dll
[2009/07/14 05:42:10 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/31 16:26:42 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\libcurl.dll
[2008/04/12 00:38:10 | 000,114,688 | ---- | C] () -- C:\Windows\SysWow64\myodbc3i.exe
[2008/04/12 00:38:10 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\myodbc3m.exe
========== LOP Check ==========
[2011/11/17 04:23:18 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Auslogics
[2011/11/11 14:31:33 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\MySQL
[2011/11/05 01:17:10 | 000,000,286 | ---- | M] () -- C:\Windows\Tasks\Automatic update of license keys on server start.job
[2011/11/05 16:14:05 | 000,000,316 | ---- | M] () -- C:\Windows\Tasks\Automatic update of license keys.job
[2011/11/18 00:52:02 | 000,000,326 | ---- | M] () -- C:\Windows\Tasks\Backup of vital Plesk settings.job
[2011/11/18 20:46:16 | 000,001,005 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #C6586631-C086-43FE-9B96-BA28E52FDCD6.job
[2011/11/18 20:46:16 | 000,001,061 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{712D7996-58AA-4a36-B64D-1809F3794A21}.job
[2011/11/18 20:46:17 | 000,001,069 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{7F9CD2FC-8C81-4f3c-AE0B-BB8C9BA560A7}.job
[2011/11/18 20:46:17 | 000,001,065 | ---- | M] () -- C:\Windows\Tasks\Plesk Scheduler Task #{99254CDC-8EA7-49ee-8A49-FC2A169843B7}.job
[2009/07/14 05:06:36 | 000,024,198 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >
Do I also need to post the 'extras' text output?
Please help me limit any more damage.
Thank you for taking the time to read this and I hope someone can guide me in the right direction.