Windows 2003 Server with Backdoor Trojan


#16
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
I have a hard time reading the screen shot. Let's get the log instead:

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

If you run MBAM again does it find the same things again?

Can you just run a simple OTL Quickscan and post the log? It doesn't do anything but look at your system so shouldn't hurt anything.

Is your Norton updating? Does it find anything on a full scan?

#17
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ... Please find hereinafter the MBAM log for 9/2/2012

As for running the OTL, should I run it with your initial first script ???

Right now I am running a full scan on the C Drive using SEP 11.0.4014 and will update you if it finds anything, but I don't really trust SEP anymore ...

Here is log:


Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.06

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
st_admin :: ST-SERVER [administrator]

Protection: Enabled

9/2/2012 1:46:38 PM
mbam-log-2012-09-02 (13-46-38).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 498552
Time elapsed: 49 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XXXXXX87FC2E28 (Trojan.Agent.Gen) -> Data: C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#18
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Just run OTL and click on Quickscan. Don't use a script.

Check in Control panel User Accounts and see if you have a user named:
xiaopu$

Delete if that's the case. If not try to delete the folder: C:\Documents and Settings\xiaopu$
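As an added example (not part of the thread, and not Malwarebytes' own tooling), here is a small triage parser for the MBAM "Registry Values Detected" line quoted in post #17. It pulls the autorun value and its launched executable out of the log and flags the two things worth noticing before trusting the cleanup: the binary sits under a profile whose name ends in `$` (the hidden-style account `xiaopu$` the thread goes on to find with Domain Admin rights), and its file name is a near-miss of a real Windows binary (`svchsot.exe` versus `svchost.exe`). The sample log text and the `LOOKALIKE_TARGETS` list are constructed for the example.

```python
"""Triage helper for Malwarebytes (MBAM) 'Registry Values Detected' lines.

Added example for this thread; not the original poster's code and not part of
Malwarebytes. Parses the autorun detection line, then flags:
  * an executable living under a user profile whose name ends in '$', the
    convention Windows uses for hidden/machine-style names (here: xiaopu$);
  * an executable whose file name imitates a legitimate Windows binary
    (svchsot.exe vs svchost.exe), measured by Levenshtein edit distance.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the detection line from the thread plus one benign
# line in the same format, so the parser has both a hit and a non-hit to show.
SAMPLE_MBAM_LOG = r"""
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XXXXXX87FC2E28 (Trojan.Agent.Gen) -> Data: C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ccApp (PUP.Optional.Example) -> Data: C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> No action taken.
"""

# Legitimate Windows binaries that malware commonly imitates by misspelling.
# Assumed list for the example; extend it for your own environment.
LOOKALIKE_TARGETS = ("svchost.exe", "lsass.exe", "csrss.exe",
                     "explorer.exe", "winlogon.exe")

# MBAM format: <hive\key>|<value name> (<threat>) -> Data: <path> -> <action>
DETECTION_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\[^|]+)\|(?P<value>[^ ]+) \((?P<threat>[^)]+)\)"
    r" -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)
# Windows 2003-era profile root: C:\Documents and Settings\<profile>\...
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\(?P<profile>[^\\]+)\\", re.IGNORECASE
)


@dataclass
class Finding:
    key: str
    value: str
    threat: str
    data: str
    action: str
    flags: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate binary this file name imitates, or None.

    An exact match is not a lookalike; a distance of 1 or 2 (a dropped or
    swapped letter) is, which catches 'svchsot.exe' -> 'svchost.exe'.
    """
    name = filename.lower()
    for target in LOOKALIKE_TARGETS:
        if name != target and levenshtein(name, target) <= 2:
            return target
    return None


def parse_mbam_registry_values(log_text: str) -> List[Finding]:
    """Parse every detection line and attach the triage flags described above."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        f = Finding(**m.groupdict())
        pm = PROFILE_RE.match(f.data)
        if pm and pm.group("profile").endswith("$"):
            f.flags.append(f"autorun under hidden-style profile '{pm.group('profile')}'")
        exe = f.data.rsplit("\\", 1)[-1]
        target = lookalike_of(exe)
        if target:
            f.flags.append(f"'{exe}' imitates '{target}'")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in parse_mbam_registry_values(SAMPLE_MBAM_LOG):
        print(finding.value, finding.threat, finding.data)
        for flag in finding.flags:
            print("   FLAG:", flag)
```

A profile flagged this way is a reason to check the account list (as the expert asks) rather than stop at the quarantined file: the autorun entry is the symptom, the account that owns that profile is the foothold.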

#19
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

MalwareBytes Full Scan ............... No Infections

Symantec EndPoint Protection ........ No Infections

On Friday, I did go through all the User Accounts on the Server and noticed the user [xiaopu$] which had Domain Admin rights so I immediately deleted it ...

I just ran OTL Quick Scan and here are the results:

OTL logfile created on: 9/3/2012 10:26:42 AM - Run 5
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.23 Gb Available Physical Memory | 11.49% Memory free
5.35 Gb Paging File | 3.75 Gb Available in Paging File | 70.16% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 90.26 Gb Free Space | 66.65% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 159.92 Gb Free Space | 29.37% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/01 12:25:50 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Dell\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/07/03 13:46:42 | 000,973,488 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/28 23:47:40 | 003,259,688 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer.exe
PRC - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/02 17:57:01 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/02 17:56:59 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/02 17:56:58 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/02 17:56:56 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/02 17:56:56 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/02 17:56:54 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/02 17:56:53 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/02 17:56:53 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/02 17:56:52 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/02 17:56:51 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/02 17:56:50 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/07/10 11:01:50 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/07/10 11:00:43 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/10 10:59:36 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/07/10 10:59:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/07/10 10:59:33 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/07/10 10:59:28 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/07/10 10:59:25 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/07/10 10:59:24 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/07/10 10:59:22 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/07/10 10:59:07 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\TEMP\Clt-Inst\vpremote.exe -- (VPREMOTE)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (쳾)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\dnlg.sys -- (sicomu)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
DRV - [2012/09/02 20:49:17 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/08/20 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120902.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/20 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120902.007\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2010/02/05 21:03:36 | 000,018,080 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/15 02:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 02:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2012/09/01 13:33:33 | 000,000,899 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKCU..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/02 20:49:17 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/02 13:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\Old
[2012/09/02 13:06:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/01 20:52:29 | 000,121,368 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DNTUS26.EXE
[2012/09/01 13:34:55 | 000,000,000 | ---D | C] -- C:\Old
[2012/09/01 12:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Exchange Task Wizard Logs
[2012/08/31 19:01:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Administrative Tools
[2012/08/31 18:52:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IECompatCache
[2012/08/31 18:52:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\PrivacIE
[2012/08/31 18:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2012/08/31 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\WINDOWS
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\SendTo
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Recent
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Application Data
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Startup
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\My Documents
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Favorites
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Accessories
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IETldCache
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\Cookies
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Templates
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\PrintHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\NetHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Local Settings
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Symantec
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\PCHealth
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\AATS
[2012/08/29 21:33:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/08/29 06:02:11 | 000,000,000 | ---D | C] -- C:\Dell
[2012/08/28 17:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 3
[2012/08/28 17:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer3
[2012/08/27 20:09:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\dwrcssft
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/03 07:00:09 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/09/03 07:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/02 20:49:17 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/02 18:01:58 | 001,147,693 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/02 18:01:04 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/02 18:01:04 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/02 17:54:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/01 13:33:33 | 000,000,899 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defragd.job
[2012/09/01 09:53:33 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 02:55:01 | 000,000,065 | ---- | M] () -- C:\WINDOWS\System32\xpNET4.0.exe
[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2012/08/31 23:26:10 | 000,001,716 | -H-- | M] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 19:38:11 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 19:26:33 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/31 18:47:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 17:49:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/31 17:48:59 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2012/08/28 21:23:16 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/08/27 21:11:40 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/08/27 20:09:55 | 000,000,713 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:06 | 000,689,826 | ---- | M] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:43 | 001,861,240 | ---- | M] () -- C:\Program Files\DNS.zip
[2012/08/17 17:33:42 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/01 09:53:33 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 02:55:01 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\xpNET4.0.exe
[2012/08/31 23:26:32 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[2012/08/31 23:24:00 | 000,001,716 | -H-- | C] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 18:55:05 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk
[2012/08/31 18:47:30 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 18:47:30 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Internet Explorer.lnk
[2012/08/31 18:47:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Outlook Express.lnk
[2012/08/31 17:50:11 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\st_admin\Desktop\Job Monitor.lnk
[2012/08/31 17:50:10 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Remote Assistance.lnk
[2012/08/27 20:09:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:05 | 000,689,826 | ---- | C] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:41 | 001,861,240 | ---- | C] () -- C:\Program Files\DNS.zip
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/12/22 10:52:21 | 000,002,838 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2009/06/13 17:18:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2008/11/19 12:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/06/29 14:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/05/14 19:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/07/14 20:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SolarWinds
[2012/08/28 21:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defragd.job
[2012/08/31 10:00:00 | 000,032,392 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
[2012/09/03 07:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/03 07:00:09 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job

========== Purity Check ==========



< End of report >
  • 0

#20
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Do you know what these two tasks do?

[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defragd.job

Are they something you started? If not delete them.



We really need to get rid of these:

MOD - [2012/09/02 17:57:01 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/02 17:56:59 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/02 17:56:58 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/02 17:56:56 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/02 17:56:56 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/02 17:56:54 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/02 17:56:53 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/02 17:56:53 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/02 17:56:52 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/02 17:56:51 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/02 17:56:50 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\42db37dadb779dbfc5da8bdd7ec61c52.dll

but I don't see how we can do it without a reboot unless they are added to explorer.

Get ShellExView.

http://www.nirsoft.n...s/shexview.html
Use this download:
http://www.nirsoft.n...xview_setup.exe

Once you get it installed, run it and look in the third or fourth column from the RIGHT. It should say MICROSOFT. Click once or twice on MICROSOFT so that items with NO are at the top. Now look at the items that are not from Microsoft. If you see any that look suspicious you can highlight them then click on the little red led icon in the upper left. This will disable that entry but it won't take effect until you close Explorer and reopen it. Bring up Task Manager, Processes and see if you can End Process on Explorer.exe. The desktop will disappear. To get it back in Task Manager, File, New Task(Run), type explorer and hit Enter.

If in doubt take a screen shot of the non-Microsoft things (make sure it shows the left part of the window.) http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it. Save it as a JPG and attach it to the next post.



Open a command window and type (with an Enter after the line):
sc  delete  55A71E73

(I use two spaces where only one is needed so you can see where the spaces go as the forum font tends to shrink them.) Does it give you an error?



Find some of the bad files like:

xp1.exe
or
xpNET4.0.exe
or
C:\WINDOWS\Temp\pdk-SYSTEM-2760\89f4ac43ba2b792785d9d472365e562b.dll

and submit them to http://virustotal.com

If you don't get 0/42 or so then copy and paste the report into a reply.


What version of Windows are you using at home?
  • 0

#21
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
I have no idea about those two jobs ... Maybe the previous IT guy set them up for defragmentation

[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defragd.job

I suspect they are Defragmentation Jobs for Drive [C] and Drive [D]

No problems about rebooting the Server as it is Labor day and no one at the Office so I can do it remotely ...

I will try what you told me and submit the reports and screenshots shortly ...

At home, I use Windows 7 Professional but I do have access to workstations with Windows XP if you need me to copy some files ...

Let me know ...

Thanks,
  • 0

#22
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

Please find attached the screenshot for the Shell Explorer View report ...

I dragged the Microsoft column to be the 3rd so you can see where the non-Microsoft items are ...

Let me know what you think ...
  • 0

#23
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ...

Here is a screenshot of C:\Windows\Temp

It looks like we are getting more of the subfolders:

C:\Windows\Temp\pdk-SYSTEM-2696

C:\Windows\Temp\pdk-SYSTEM-2732

C:\Windows\Temp\pdk-SYSTEM-2760

What do you think creates those folders ??? ... I've tried to delete them and got Access Denied

So, what are your thoughts ???
  • 0

#24
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP

I have no idea about those two jobs ... Maybe the previous IT guy set them up for defragmentation

[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\defragd.job


Go into Control Panel, Scheduled Tasks. It should allow you to look at what the tasks are doing. I ask about them because they have recent dates.

The pdk-System files may not be malware. Seems they can be generated by something called Perl Dev Kit or by some Sophos program.

I still want you to do this:

Find some of the bad files like:

xp1.exe
or
xpNET4.0.exe
or
C:\WINDOWS\Temp\pdk-SYSTEM-2760\89f4ac43ba2b792785d9d472365e562b.dll

and submit them to http://virustotal.com

Then copy and paste the report on each into a reply.

I'm pretty sure that XP uses the same services that 2003 does so open regedit in your XP and your 2003

and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

on each.

Go down this list looking for the service name in the ()'s at the end of the line

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (쳾)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)

Starting at the top look for WmdmPmSp. Click on it and look in the right pane. On the 2003 you will see one line called ImagePath which refers to C:\WINDOWS\Temp\ntshrui.dll. (It might be in hex to make it harder to read.) Double click on the ImagePath and a little window should open which should allow you to change it. Make it look like the XP. Then find the Start line and make it say the same as the XP. Check if there are other changes and then go on to the next one.
When you get to 쳾 - it's obviously malware so just right click on it and Delete. If you find that they are the same and there is no reference to C:\WINDOWS\Temp\ntshrui.dll then look for

HKEY_Current_User\SYSTEM\CurrentControlSet\services

These services are all optional so can just be deleted.
  • 0
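The service lines Ron lists above boil down to a short triage rule that can be applied to a whole OTL log at once: an image path under a Temp directory, a DLL where a service EXE belongs, an image file that no longer exists, and a service name that is not printable ASCII. The Python below is an added example, not code from this thread or from OTL; it parses OTL-style SRV/DRV lines (the sample is copied from the log in this thread, plus one ordinary driver line so the clean case is exercised) and reports each flagged entry with the reasons it was flagged. The Temp-directory markers and the printable-ASCII rule for names are my assumptions about what "normal" looks like, not something OTL defines.

```python
import re

# Constructed sample: four SRV lines copied from the OTL log in this thread,
# plus one ordinary driver (DRV) line so the non-suspicious case is exercised.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (쳾)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
"""

# One OTL SRV/DRV line:
#   "<kind> - <file meta> [<start> | <state>] -- <image path> -- (<service name>)"
LINE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - (?P<meta>.*?) \[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>.*)\)$"
)

# Directories a service image should never live in (assumption; lower-cased substring match).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\recycler\\")


def is_odd_name(name: str) -> bool:
    """Service names are normally printable ASCII; an empty name or one containing
    other characters (like the 쳾 entry in the log) deserves a look."""
    return not name or any(not (32 < ord(c) < 127) for c in name)


def triage(log_text: str) -> list:
    """Return one record per flagged SRV/DRV line, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].rstrip(".")  # OTL leaves a trailing "." after the path
        flags = [f.strip() for f in m["flags"].split("|")]
        reasons = []
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("image path under a temporary directory")
        if m["meta"] == "File not found":
            reasons.append("image file missing on disk")
        if m["kind"] == "SRV" and path.lower().endswith(".dll"):
            # A service's ImagePath names an EXE (svchost-hosted services keep their
            # DLL in ServiceDll); a DLL here means the registry entry was tampered with.
            reasons.append("service ImagePath names a DLL instead of an EXE")
        if is_odd_name(m["name"]):
            reasons.append("service name is not printable ASCII")
        if reasons:
            findings.append({"kind": m["kind"], "name": m["name"], "path": path,
                             "flags": flags, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']!r:14} {f['path']}  [{' | '.join(f['flags'])}]")
        for reason in f["reasons"]:
            print("    -", reason)
```

Feed it the whole OTL log (for example `triage(open("OTL.Txt", encoding="utf-8").read())`) and every service that trips any rule comes back with its start type, which is what decides how urgent a Temp-hosted entry is: an Auto-start service pointing into Temp is the one to fix first, exactly as Ron's regedit walk-through does entry by entry.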

#25
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ... I scanned for xp1.exe and found it under c:\Windows\System32

The VirusTotal.com report is as follows:

SHA256: 08f6b8bf247fa20fd41a5c777268d2915453a1aeced106d09a78df5a556182b6
SHA1: fdafa493ea47100ea4391e532f5a68aab6b2b53d
MD5: 5f2b84beee67a39337deeb83595145e5
File size: 57 bytes ( 57 bytes )
File name: xp1.exe
File type: Text
Detection ratio: 8 / 42
Analysis date: 2012-09-03 22:45:53 UTC ( 0 minutes ago )

Antivirus Result Update
VirusBuster - 20120901
ViRobot - 20120901
VIPRE - 20120902
VBA32 - 20120901
TrendMicro-HouseCall BAT_DLOAD.XT 20120902
TrendMicro BAT_DLOAD.XT 20120902

TotalDefense - 20120831
TheHacker - 20120902
Symantec - 20120902
SUPERAntiSpyware - 20120901
Sophos Troj/DownBat-A 20120902
Rising - 20120831
PCTools - 20120902
Panda - 20120902
nProtect - 20120902
Norman - 20120831
Microsoft - 20120902
McAfee-GW-Edition - 20120902
McAfee - 20120902
Kaspersky Trojan-Downloader.BAT.Ftp.mf 20120902
K7AntiVirus Trojan 20120831
Jiangmin - 20120902
Ikarus - 20120902
GData - 20120902
Fortinet BAT/Ftp.MF!tr.dldr 20120830
F-Secure - 20120902
F-Prot - 20120901
ESET-NOD32 - 20120901
eSafe - 20120830
Emsisoft - 20120902
DrWeb BAT.DownLoader.58 20120902
Comodo - 20120902
Commtouch - 20120901
ClamAV - 20120828
CAT-QuickHeal TrojanDownloader.Ftper.gen 20120901
ByteHero - 20120831
BitDefender - 20120902
AVG - 20120902
Avast - 20120902
Antiy-AVL - 20120831
AntiVir - 20120902
AhnLab-V3 - 20120901
  • 0

#26
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ... Also found xpNET4.0.exe

I have attached a screenshot of the location where it also shows the creation date ...

Here are the results when scanned by VirusTotal.com

SHA256: a457c812f4aadc7a89e9186e982476c825a7cb26aef838c2d2a829f5659f26e1
SHA1: f53f4f65fd3e51723e41f3ba015e1e63854b6f2e
MD5: c454a8764237acf607f9cbe4d3960b89
File size: 65 bytes ( 65 bytes )
File name: xpNET4.0.exe
File type: Text
Detection ratio: 5 / 42
Analysis date: 2012-09-03 22:55:27 UTC ( 0 minutes ago )

Antivirus Result Update
AhnLab-V3 - 20120902
AntiVir - 20120902
Antiy-AVL - 20120831
Avast - 20120902
AVG - 20120902
BitDefender - 20120902
ByteHero - 20120831
CAT-QuickHeal TrojanDownloader.Ftper.gen 20120902
ClamAV - 20120828
Commtouch - 20120901
Comodo - 20120902
DrWeb BAT.DownLoader.58 20120902
Emsisoft - 20120902
eSafe - 20120902
ESET-NOD32 - 20120902
F-Prot - 20120901
F-Secure - 20120902
Fortinet BAT/Ftp.MF!tr.dldr 20120830
GData - 20120902
Ikarus - 20120902
Jiangmin - 20120902
K7AntiVirus Trojan 20120831
Kaspersky - 20120902
McAfee - 20120902
McAfee-GW-Edition - 20120902
Microsoft - 20120902
Norman - 20120902
nProtect - 20120902
Panda - 20120902
PCTools - 20120902
Rising - 20120831
Sophos Mal/BatFTP-A 20120902
SUPERAntiSpyware - 20120901
Symantec - 20120902
TheHacker - 20120902
TotalDefense - 20120902
TrendMicro - 20120902
TrendMicro-HouseCall - 20120902
VBA32 - 20120901
VIPRE - 20120902
ViRobot - 20120902
VirusBuster - 20120902
  • 0
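Both VirusTotal reports above show the same tell: a file named .exe that is 57 or 65 bytes and typed as "Text", which the vendors that do flag it call a batch downloader. That is cheap to check locally before uploading anything, and the SHA-256 VirusTotal prints can be compared with a local hash without sending the file at all. The Python below is an added example, not code from this thread or from VirusTotal; it walks a directory for .exe/.scr/.dll files that lack the MZ header every real Windows executable starts with and are small enough to be a script, and hashes each hit. The demo tree it builds holds a constructed placeholder text file named xp1.exe (not the real file's contents) and a minimal file with a genuine MZ header; the 4096-byte size cutoff is an assumption.

```python
import hashlib
import os
import tempfile

# Extensions Windows treats as PE images; .com is left out because real .com files have no MZ header.
PE_EXTENSIONS = (".exe", ".scr", ".dll")


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks; compare it with the value VirusTotal lists."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_mz_header(path: str) -> bool:
    """Every real Windows PE image starts with the two bytes 'MZ'."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_script_executables(root: str, max_size: int = 4096) -> list:
    """Files under root whose name claims to be a PE image but whose content is not
    (no MZ header) and which are small enough to be a script or dropper stub."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            size = os.path.getsize(path)
            if size <= max_size and not has_mz_header(path):
                hits.append({"name": fn, "path": path, "size": size,
                             "sha256": sha256_of(path)})
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree() -> str:
    """Create a throwaway directory with two constructed files for the demo."""
    root = tempfile.mkdtemp(prefix="exe-triage-")
    # Constructed placeholder: plain text under an .exe name, standing in for the
    # 57-byte "Text" xp1.exe from the VirusTotal report (NOT its real contents).
    with open(os.path.join(root, "xp1.exe"), "w") as f:
        f.write("constructed placeholder text, not the real file contents\n")
    # Minimal file with a genuine MZ header: small, but shaped like a real image.
    with open(os.path.join(root, "legit.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in find_script_executables(demo):
        print(f"{hit['size']:>6} bytes  sha256={hit['sha256'][:16]}...  {hit['path']}")
```

Run it against a copy of C:\WINDOWS\System32 (or any folder pulled off the server) from a machine that has Python; each hit's SHA-256 can be checked against VirusTotal's search before deciding whether the file needs uploading, and a text file under an .exe name in System32 is worth a look regardless of what the scanners say.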

#27
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ...

I have scanned random dll files under

C:\WINDOWS\Temp\pdk-SYSTEM-2696

C:\WINDOWS\Temp\pdk-SYSTEM-2732

C:\WINDOWS\Temp\pdk-SYSTEM-2760


All came clean 0/43 based on virustotal.com

You were right that those might be related to a good process and not a malware ...

So, what next so we can stop the creation of xp1.exe and the xpNET4.0.exe

I hope we kill it before tomorrow ...

Thanks,
  • 0

#28
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a minute for things to settle down.

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.



Get autoruns from
http://live.sysinter...om/autoruns.exe

Download Save and Run the program by right clicking and Run As Admin. File, Save, to your desktop, autoruns.arn, OK

Either zip up the file if you have the ability (7-zip works nicely) or just rename it from autoruns.arn to autoruns.txt then ATTACH it. Do not copy and paste.

I may not be able to open your .arn so do a second Save with file type: txt and name it autoruns2 and attach it too.
  • 0

#29
rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ... Here are the results of Process Explorer

Process PID CPU Private Bytes Working Set Description Company Name Verified Signer
System Idle Process 0 96.88 0 K 28 K
TeamViewer.exe 3256 1.56 13,256 K 12,604 K TeamViewer Remote Control Application TeamViewer GmbH (Verified) TeamViewer GmbH
procexp.exe 6072 1.56 32,648 K 38,496 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Interrupts n/a < 0.01 0 K 0 K Hardware Interrupts and DPCs
wmiprvse.exe 4320 1,940 K 2,936 K WMI Microsoft Corporation (Unable to verify) Microsoft Corporation
winlogon.exe 440 9,748 K 5,208 K Windows NT Logon Application Microsoft Corporation (Unable to verify) Microsoft Corporation
w3wp.exe 5328 35,184 K 8,280 K IIS Worker Process Microsoft Corporation (Unable to verify) Microsoft Corporation
TeamViewer_Service.exe 3164 2,628 K 648 K TeamViewer Service TeamViewer GmbH (Verified) TeamViewer GmbH
System 4 0 K 22,916 K
svchost.exe 1036 16,332 K 12,508 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 680 1,020 K 1,044 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 824 1,556 K 2,108 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 924 4,092 K 1,868 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 948 1,380 K 1,284 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 2020 588 K 204 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 2732 544 K 204 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 3132 3,120 K 476 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 3340 1,796 K 204 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 3920 4,140 K 1,192 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 3944 3,896 K 476 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
svchost.exe 5300 4,664 K 2,856 K Generic Host Process for Win32 Services Microsoft Corporation (Unable to verify) Microsoft Corporation
sqlwriter.exe 3116 1,032 K 204 K SQL Server VSS Writer Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 1588 45,476 K 6,468 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 2112 41,084 K 9,672 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 1964 47,792 K 25,280 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 2236 37,256 K 1,300 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 2344 45,104 K 11,340 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
sqlbrowser.exe 3044 756 K 204 K SQL Browser Service EXE Microsoft Corporation (Unable to verify) Microsoft Corporation
spoolsv.exe 1548 8,484 K 3,004 K Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
snmp.exe 3024 9,848 K 2,516 K SNMP Service Microsoft Corporation (Unable to verify) Microsoft Corporation
smss.exe 364 132 K 260 K Windows NT Session Manager Microsoft Corporation (Verified) Microsoft Windows Component Publisher
SmcGui.exe 2772 8,316 K 6,660 K Symantec CMC SmcGui Symantec Corporation (Verified) Symantec Corporation
Smc.exe 888 10,604 K 7,176 K Symantec CMC Smc Symantec Corporation (Verified) Symantec Corporation
services.exe 492 4,376 K 2,608 K Services and Controller app Microsoft Corporation (Unable to verify) Microsoft Corporation
SemSvc.exe 1240 122,588 K 89,236 K Symantec Endpoint Protection Manager Symantec Corporation (Verified) Symantec Corporation
Rtvscan.exe 3796 15,468 K 5,264 K Symantec AntiVirus Symantec Corporation (Verified) Symantec Corporation
ReportingServicesService.exe 2788 132,068 K 93,452 K Report Scheduling and Delivery Server Windows NT Service Microsoft Corporation (Verified) Microsoft Corporation
ReporterSvc.exe 2760 9,452 K 2,168 K Symantec Reporting Service Symantec Corporation (Verified) Symantec Corporation
pvlsvr.exe 3500 8,076 K 1,964 K Backup Exec PVL Service Symantec Corporation (Verified) Symantec Corporation
ntfrs.exe 2464 10,312 K 1,096 K File Replication Service Microsoft Corporation (Unable to verify) Microsoft Corporation
msftesql.exe 1440 3,768 K 936 K PKM executable Microsoft Corporation (Verified) Microsoft Corporation
msdtc.exe 1576 1,832 K 220 K MS DTCconsole program Microsoft Corporation (Unable to verify) Microsoft Corporation
mr2kserv.exe 1372 492 K 204 K MR2K+ PnP manager interface service LSI Logic Corporation (Unable to verify) LSI Logic Corporation
MDM.EXE 1252 1,080 K 1,064 K Machine Debug Manager Microsoft Corporation (Verified) Microsoft Corporation
mbamservice.exe 1032 169,136 K 124,956 K Malwarebytes Anti-Malware Malwarebytes Corporation (Verified) Malwarebytes Corporation
mbamgui.exe 3880 5,772 K 1,440 K Malwarebytes Anti-Malware Malwarebytes Corporation (Verified) Malwarebytes Corporation
lserver.exe 3212 8,040 K 3,972 K Microsoft Terminal Server Licensing Microsoft Corporation (Unable to verify) Microsoft Corporation
lsass.exe 504 34,948 K 16,072 K LSA Shell Microsoft Corporation (Unable to verify) Microsoft Corporation
locator.exe 2980 752 K 204 K Rpc Locator Microsoft Corporation (Unable to verify) Microsoft Corporation
jqs.exe 1164 3,108 K 1,452 K Java™ Quick Starter Service Oracle Corporation (Verified) Oracle America, Inc.
ismserv.exe 688 1,828 K 980 K Windows NT Intersite Messaging Service Microsoft Corporation (Unable to verify) Microsoft Corporation
inetinfo.exe 384 5,856 K 2,336 K Internet Information Services Microsoft Corporation (Unable to verify) Microsoft Corporation
explorer.exe 1304 21,556 K 26,548 K Windows Explorer Microsoft Corporation (Unable to verify) Microsoft Corporation
exmgmt.exe 3580 7,104 K 344 K Microsoft Exchange WMI Provider Microsoft Corporation (Unable to verify) Microsoft Corporation
dsm_sa_eventmgr32.exe 1908 4,344 K 604 K Systems Management Event Manager Dell Inc. (Verified) Dell Inc
dsm_sa_datamgr32.exe 1932 29,432 K 3,872 K Systems Management Data Manager Dell Inc. (Verified) Dell Inc
dsm_om_shrsvc32.exe 2596 2,168 K 1,228 K Server Administrator Daemon Dell Inc. (Verified) Dell Inc.
dsm_om_connsvc32.exe 3008 27,292 K 12,600 K Internet Server NT Service (Verified) Dell Inc.
dns.exe 2004 24,224 K 7,352 K Domain Name System (DNS) Server Microsoft Corporation (Unable to verify) Microsoft Corporation
dfssvc.exe 1948 1,980 K 2,584 K Windows NT Distributed File System Service Microsoft Corporation (Unable to verify) Microsoft Corporation
dbsrv9.exe 1740 72,288 K 7,188 K Adaptive Server Anywhere Network Server iAnywhere Solutions, Inc. (Verified) iAnywhere Solutions, Inc.
ctfmon.exe 572 728 K 2,184 K CTF Loader Microsoft Corporation (Unable to verify) Microsoft Corporation
csrss.exe 412 1,884 K 1,696 K Client Server Runtime Process Microsoft Corporation (Unable to verify) Microsoft Corporation
ccSvcHst.exe 1832 7,612 K 2,264 K Symantec Service Framework Symantec Corporation (Verified) Symantec Corporation
ccApp.exe 1112 3,808 K 524 K Symantec User Session Symantec Corporation (Verified) Symantec Corporation
beserver.exe 4336 121,160 K 97,156 K Backup Exec RPC Server Symantec Corporation (Verified) Symantec Corporation
beremote.exe 1788 11,324 K 3,728 K Backup Exec Remote Agent for Windows NT/2000 Symantec Corporation (Verified) Symantec Corporation
bengine.exe 5044 12,248 K 2,468 K Backup Exec Job Engine Symantec Corporation (Verified) Symantec Corporation
benetns.exe 4960 3,844 K 2,960 K Backup Exec Agent Browser Symantec Corporation (Verified) Symantec Corporation
AASCServer.exe 1688 11,396 K 848 K AASCServer Client Marketing Systems, Inc. (Unable to verify) Client Marketing Systems, Inc.

#30
rahanna

    Member

  • Topic Starter
  • Member
  • 96 posts
Ron ...

I ran AutoRuns and renamed Autoruns.arn to Autoruns.txt, then zipped it and attached it ...

Also, I took a screenshot which has a bunch of the issues that we are experiencing ...

Let me know what's next ...

Thanks a million !!!
