Windows 2003 Server with Backdoor Trojan



#46
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Did you ever open this in notepad to see what it was doing? c:\windows\system32\usrlogon.cmd


Did you ever delete the folder:

C:\Documents and Settings\xiaopu$

Will autorun delete these:

쳾 File not found: C:\WINDOWS\Temp\ntshrui.dll.

55A71E73 File not found: C:\WINDOWS\system32\55A71E73.sys

DSLservwdw DCOM dfsef fefs dser.. 广东一一五科技有限公司 c:\windows\system32\smxwl.exe

XXXXXX87FC2E28 File not found: C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe x2

#47
rahanna

    Member

  • Topic Starter
  • Member
  • 96 posts
Ron,

Yes ... I did delete C:\Documents and Settings\xiaopu$

I did run, check and DELETE the following under AutoRuns and emptied the Recycle Bin

쳾 File not found: C:\WINDOWS\Temp\ntshrui.dll.
55A71E73 File not found: C:\WINDOWS\system32\55A71E73.sys
DSLservwdw DCOM dfsef fefs dser.. 广东一一五科技有限公司 c:\windows\system32\smxwl.exe
XXXXXX87FC2E28 File not found: C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe x2

Now I am restarting the Server as we speak ...

Here is the contents of c:\windows\system32\usrlogon.cmd

@Echo Off

Call "%SystemRoot%\Application Compatibility Scripts\SetPaths.Cmd"
If "%_SETPATHS%" == "FAIL" Goto Done

Rem
Rem This is for those scripts that don't need the RootDrive.
Rem

If Not Exist "%SystemRoot%\System32\Usrlogn1.cmd" Goto cont0
Cd /d "%SystemRoot%\Application Compatibility Scripts\Logon"
Call "%SystemRoot%\System32\Usrlogn1.cmd"

:cont0

Rem
Rem Determine the user's home directory drive letter. If this isn't
Rem set, exit.
Rem

Cd /d %SystemRoot%\"Application Compatibility Scripts"
Call RootDrv.Cmd
If "A%RootDrive%A" == "AA" End.Cmd

Rem
Rem Map the User's Home Directory to a Drive Letter
Rem

Net Use %RootDrive% /D >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
if ERRORLEVEL 1 goto SubstErr
goto AfterSubst
:SubstErr
Subst %RootDrive% /d >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
:AfterSubst

Rem
Rem Invoke each Application Script. Application Scripts are automatically
Rem added to UsrLogn2.Cmd when the Installation script is run.
Rem

If Not Exist %SystemRoot%\System32\UsrLogn2.Cmd Goto Cont1

Cd Logon
Call %SystemRoot%\System32\UsrLogn2.Cmd

:Cont1

:Done

#48
rahanna

    Member

  • Topic Starter
  • Member
  • 96 posts
Ron,

After the restart, I have attached the AutoRuns results ...

Also, here is the OTL after the restart ...

What do you think we should do next?

OTL logfile created on: 9/4/2012 9:53:30 PM - Run 7
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 50.46% Memory free
5.35 Gb Paging File | 4.20 Gb Available in Paging File | 78.48% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 90.49 Gb Free Space | 66.82% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 159.63 Gb Free Space | 29.32% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/01 12:25:50 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Dell\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/28 23:47:40 | 003,259,688 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer.exe
PRC - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/04 21:46:21 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/04 21:46:19 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/04 21:46:18 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/04 21:46:17 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/04 21:46:15 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/04 21:46:14 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/04 21:46:13 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/04 21:46:12 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/04 21:46:11 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/04 21:46:11 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/04 21:46:10 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2640\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/07/10 11:01:50 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/07/10 11:00:43 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/10 10:59:36 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/07/10 10:59:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/07/10 10:59:33 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/07/10 10:59:28 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/07/10 10:59:25 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/07/10 10:59:24 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/07/10 10:59:22 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/07/10 10:59:07 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
SRV - [2012/08/24 19:00:40 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) [Disabled | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Stopped] -- System32\drivers\dnlg.sys -- (sicomu)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/08/20 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120903.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/20 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120903.017\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2010/02/05 21:03:36 | 000,018,080 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/15 02:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 02:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found


FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/04 20:09:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/09/04 20:10:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\st_admin\Application Data\Mozilla\Extensions
[2012/09/04 20:14:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\st_admin\Application Data\Mozilla\Firefox\Profiles\e36jque6.default\extensions
[2012/09/04 20:09:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/08/24 19:01:06 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/24 19:00:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/24 19:00:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/01 13:33:33 | 000,000,899 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKCU..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop Components:AutorunsDisabled () -
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/04 20:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Mozilla
[2012/09/04 20:10:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Mozilla
[2012/09/04 20:09:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/09/04 20:09:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/09/04 20:09:46 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\NirSoft ShellExView
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2012/09/02 13:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\Old
[2012/09/02 13:06:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/01 20:52:29 | 000,121,368 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DNTUS26.EXE
[2012/09/01 13:34:55 | 000,000,000 | ---D | C] -- C:\Old
[2012/09/01 12:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Exchange Task Wizard Logs
[2012/08/31 19:01:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Administrative Tools
[2012/08/31 18:52:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IECompatCache
[2012/08/31 18:52:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\PrivacIE
[2012/08/31 18:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2012/08/31 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\WINDOWS
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\SendTo
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Recent
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Application Data
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Startup
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\My Documents
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Favorites
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Accessories
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IETldCache
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\Cookies
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Templates
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\PrintHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\NetHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Local Settings
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Symantec
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\PCHealth
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\AATS
[2012/08/29 21:33:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/08/29 06:02:11 | 000,000,000 | ---D | C] -- C:\Dell
[2012/08/28 17:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 3
[2012/08/28 17:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer3
[2012/08/27 20:09:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\dwrcssft
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/04 21:51:23 | 001,185,220 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/04 21:50:26 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/04 21:50:26 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/04 21:43:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/04 20:09:57 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/09/04 12:00:12 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/09/04 12:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/03 19:43:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/01 13:33:33 | 000,000,899 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/31 23:26:10 | 000,001,716 | -H-- | M] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 19:38:11 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 19:26:33 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/31 18:47:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 17:48:59 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2012/08/28 21:23:16 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/08/27 21:11:40 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/08/27 20:09:55 | 000,000,713 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:06 | 000,689,826 | ---- | M] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:43 | 001,861,240 | ---- | M] () -- C:\Program Files\DNS.zip
[2012/08/17 17:33:42 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/04 20:09:57 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/08/31 23:26:32 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[2012/08/31 23:24:00 | 000,001,716 | -H-- | C] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 18:55:05 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk
[2012/08/31 18:47:30 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 18:47:30 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Internet Explorer.lnk
[2012/08/31 18:47:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Outlook Express.lnk
[2012/08/31 17:50:11 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\st_admin\Desktop\Job Monitor.lnk
[2012/08/31 17:50:10 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Remote Assistance.lnk
[2012/08/27 20:09:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:05 | 000,689,826 | ---- | C] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:41 | 001,861,240 | ---- | C] () -- C:\Program Files\DNS.zip
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/12/22 10:52:21 | 000,002,838 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2009/06/13 17:18:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2008/11/19 12:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/06/29 14:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/05/14 19:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/07/14 20:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SolarWinds
[2012/08/28 21:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 10:00:00 | 000,032,392 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
[2012/09/04 12:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/04 12:00:12 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job

========== Purity Check ==========



< End of report >


  • 0

#49
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Nothing left now in OTL or Autoruns except those messed up services that all point to C:\WINDOWS\Temp\ntshrui.dll and they are not running.

Let's run the RogueKiller again and see if it still shows hooks.

Do you have any more new users with the $ after their name?

If so check in their C:\Documents and settings\username\ and see if they have anything suspicious.
  • 0

#50
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Just checked in our internal RogueKiller forum and the hooks are probably from Norton.

I'm going to have to go to bed. We have to catch the 7:15 AM ferry tomorrow to go pick up my step-son at the airport in Seattle. I won't be back until late. I will try to get one of the other helpers to step in while I'm gone.

Ron
  • 0

#51
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Thanks Ron ...

I am running Symantec Full Scan now and will let you know how it goes ...

Good night and I will check back with you tomorrow ...
  • 0

#52
havredave

havredave

    GeekU Moderator

  • GeekU Moderator
  • 1,689 posts
Hi rahanna, I'm going to keep an eye on things here for the day while Ron is away, then hand it back to him. Fortunately, I even have a 2003 server sitting next to me for a reference. :)

If anything comes up, or that full scan finds something, do please let me know!
  • 0

#53
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Hi there ...

Symantec Full Scan came back with a Tracking Cookie that was deleted ...

When I ran Malwarebytes earlier this morning, I got the Trojan.Agent.Gen again, where the key is pointing to a User [ xiaopu$ ] which doesn't exist under Documents and Settings ...

The only suspicious User account is [ siweb$ ], which I still don't know how it is created, and whenever I delete it, it comes back again ...

What is that User and how does it get created? It shows it was created/accessed on 9/4/2012 @ 2:18pm

I have attached a couple of screenshots for the Properties of that user ...

Let me know your thoughts ...

Thanks,


Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.05.01

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
st_admin :: ST-SERVER [administrator]

Protection: Enabled

9/5/2012 7:21:45 AM
mbam-log-2012-09-05 (08-42-19).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 519919
Time elapsed: 51 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XXXXXX87FC2E28 (Trojan.Agent.Gen) -> Data: C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Attached Thumbnails

  • User_GeneralTab.jpg
  • User_MemberOfTab.jpg

  • 0
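Two checks come up in the posts above: Ron asks whether there are more accounts with a `$` after the name (post #49), and the Malwarebytes log shows a Run value whose target lives under a profile folder that no longer exists. The script below is an added example written for this thread, not a tool anyone in it ran. It audits the Run/RunOnce keys for entries whose executable is missing and lists every account whose name ends in `$`, together with whether a matching profile folder is still present. It is written for PowerShell 2.0 so that it can run on a Windows Server 2003 host; the list of Run keys and the `C:\Documents and Settings` profile root are assumptions for that platform. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): audit Run keys for entries whose target no longer
# exists, and list accounts whose names end in '$'. PowerShell 2.0 compatible.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value. Quoted paths are easy; unquoted paths with
# spaces (C:\Program Files\...) are resolved the way CreateProcess does, by trying
# successively longer prefixes, with and without an implied .exe extension.
function Resolve-RunTarget([string]$data) {
    $data = [Environment]::ExpandEnvironmentVariables($data.Trim())
    if ($data.StartsWith('"')) {
        $end = $data.IndexOf('"', 1)
        if ($end -gt 0) { return $data.Substring(1, $end - 1) }
        return $data.Trim('"')
    }
    $tokens = $data -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe") { return "$candidate.exe" }
    }
    return $tokens[0]   # nothing matched; report the first token as the intended target
}

"=== Run / RunOnce entries ==="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, PSProvider...
        $target = Resolve-RunTarget ([string]$p.Value)
        if (Test-Path -LiteralPath $target) { $flag = 'ok     ' } else { $flag = 'MISSING' }
        "{0}  {1}\{2} -> {3}" -f $flag, $key, $p.Name, $target
    }
}

# Accounts whose name ends in '$'. That suffix is the convention for machine accounts, so
# a user account named that way (xiaopu$, siweb$) deserves a look, along with its profile
# folder. Profile root is an assumption for Server 2003.
"=== Accounts ending in '$' ==="
$profileRoot = 'C:\Documents and Settings'
Get-WmiObject Win32_UserAccount | Where-Object { $_.Name -match '\$$' } | ForEach-Object {
    $profile = Join-Path $profileRoot $_.Name
    $hasProfile = Test-Path -LiteralPath $profile
    "{0}\{1}  disabled={2}  sid={3}  profile present={4}" -f `
        $_.Domain, $_.Name, $_.Disabled, $_.SID, $hasProfile
}
```

On this server the `XXXXXX87FC2E28` value from the Malwarebytes log would show up as MISSING because the `xiaopu$` profile has been deleted; a missing target is still a persistence entry worth removing, since whatever recreates the profile can recreate the payload too. The `ShutdownEventCheck` entry that OTL lists as "File not found" should resolve here on a standard 2003 install, because the check also tries the implied `.exe` extension. Note the account enumeration: this box is a domain controller, so `Win32_UserAccount` returns domain accounts, which is exactly where an account like `siweb$` that keeps reappearing would live.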

#54
havredave

havredave

    GeekU Moderator

  • GeekU Moderator
  • 1,689 posts
I've just been reading through the thread. It's going to take me a bit to catch up, but I'll see what I can come up with.

Do I understand correctly that you're out of the office until this afternoon, or was that a previous week? I'm basically asking if you're on-site or not; I don't want to ask you to do anything that might sever your remote connection.
  • 0

#55
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Most of my work on that server is done remotely ...

The only time that I will be physically there and can physically restart it will be this Friday by 3pm ...

Let me know your thoughts about the Trojan.Agent.Gen and the strange user [ siweb$ ]

Thanks,
  • 0


#56
havredave

havredave

    GeekU Moderator

  • GeekU Moderator
  • 1,689 posts
Just a few things so far:

  • You already touched on the pdk-SYSTEM-<number> folder and the files therein, but I did a little research on them anyway. It turns out they are from the Perl development kit, and that is a standard temporary folder for PDK applications. The SYSTEM is the user account running the PDK application, and the <number> is the process ID of the application. While the PDK is legitimate, the process using the PDK might not be, so it'd be interesting at least to find out what it is. You should be able to use Process Explorer to find this out pretty easily, looking for whatever current number is on that folder. When a PDK application is run with the --clean argument, it creates this process-id-specific folder name; otherwise it uses pdk-SYSTEM (or whatever other user name it's running under).
  • I don't see that you've been asked to include the Extras.txt file that OTL generated on its first run. Would you post that, please? It'd help to know what installed applications we're dealing with, and their versions, which Extras.txt mostly shows.
I have a suspicion about what's going on, but it's just a guess at this point, so I'm going to keep digging.
  • 0
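havredave's first bullet explains that a `pdk-SYSTEM-<number>` temp folder encodes the account and the process ID of the PDK-built application that created it, and suggests matching the number against Process Explorer. The script below is an added example for this thread, not something anyone in it ran, that does the same lookup from the command line: it finds `pdk-*` folders, parses the account and PID out of the name, and asks WMI for the owning process, its image path and its command line. The folder naming follows havredave's description; the temp roots scanned are an assumption. PowerShell 2.0 compatible, so it runs on Server 2003 (no `-Directory` switch on `Get-ChildItem`).

```powershell
# Added example (not from the thread): map pdk-<account>[-<pid>] temp folders to the
# process that owns them. Folder naming as described in the post above; the temp roots
# scanned are an assumption. PowerShell 2.0 compatible.

$tempRoots = @("$env:SystemRoot\Temp", $env:TEMP) | Select-Object -Unique

# Parse 'pdk-<account>-<pid>' (or plain 'pdk-<account>') into its parts. The lazy match
# lets the account part itself contain hyphens (pdk-st-admin-55 -> st-admin, 55).
function Parse-PdkFolderName([string]$name) {
    $m = [regex]::Match($name, '^pdk-(?<account>.+?)(?:-(?<procid>\d+))?$')
    if (-not $m.Success) { return $null }
    $procId = $null
    if ($m.Groups['procid'].Value) { $procId = [int]$m.Groups['procid'].Value }
    New-Object PSObject -Property @{ Account = $m.Groups['account'].Value; ProcessId = $procId }
}

foreach ($root in $tempRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'pdk-*' } |
        ForEach-Object {
            $info = Parse-PdkFolderName $_.Name
            if ($info -eq $null) { return }       # 'return' inside ForEach-Object = next item
            "Folder : $($_.FullName)  (last written $($_.LastWriteTime))"
            "Account: $($info.Account)"
            if ($info.ProcessId -eq $null) {
                "PID    : none in folder name (application was not run with --clean)"
                ""
                return
            }
            # Win32_Process gives the command line, which identifies the PDK-built program;
            # Get-Process alone would only give the image name.
            $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $($info.ProcessId)"
            if ($proc -eq $null) {
                "PID    : $($info.ProcessId) is not running; folder is stale, see the timestamp above"
            } else {
                "PID    : $($info.ProcessId)  $($proc.Name)"
                "Image  : $($proc.ExecutablePath)"
                "Cmdline: $($proc.CommandLine)"
                $owner = $proc.GetOwner()
                "Owner  : $($owner.Domain)\$($owner.User)"
            }
            ""
        }
}
```

A folder whose PID no longer maps to a live process is not proof of anything by itself: PIDs are reused after reboot, so only match a folder against the current process list if the folder's last-write time is after the last boot. When a process does match, the `Image` and `Cmdline` lines are what you would hand to the next step (signature check, hash lookup, or simply asking whether the path belongs to a product in the Extras.txt uninstall list).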

#57
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Thanks for your help and digging into what's going on ...

Here is the Extras.txt dated 9/1/2012 which is the first time I ran OTL


OTL Extras logfile created on: 9/1/2012 12:28:58 PM - Run 4
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.85 Gb Available Physical Memory | 42.66% Memory free
5.35 Gb Paging File | 4.10 Gb Available in Paging File | 76.67% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 91.88 Gb Free Space | 67.85% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 159.86 Gb Free Space | 29.36% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = comfile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "D:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

========== Firewall Settings ==========

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{04F59FC7-E7CB-4E48-8923-62E7A436A5AE}" = AAStationInstallConditions
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0ADA2703-45D1-4B0D-9BBB-3DF83C6E7F99}" = AdvisorsAssistantFileTransfer
"{0D61D68B-DF5E-4635-82C7-B0C53F0A581B}" = Microsoft SQL Server 2005 Backward compatibility
"{0DAA9912-3FE2-4B84-B926-8D7F71A8A99A}" = Microsoft SQL Server 2005 Reporting Services (ADVISORSASSIST)
"{21B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{25331195-4E18-11D7-9D73-0008C7223F91}" = Zoom V.92 PCI Voice Faxmodem
"{26A24AE4-039D-4CA4-87B4-2F83217003FF}" = Java™ 7 Update 3
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (BKUPEXEC)
"{314D881D-384C-4A04-993D-F0876D21EAA5}" = Symantec Backup Exec for Windows Servers (Hotfix 10)
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3A0E46D2-D124-48A4-A936-9729FB7715FE}" = Symantec Backup Exec for Windows Servers (Hotfix 20)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40DA090B-64E9-41C9-BC16-6D3BEA5A8E16}" = Symantec Backup Exec for Windows Servers (Hotfix 30)
"{40E27BC4-2003-41C7-B4D3-E636B8DAF969}" = AAUpdateConditions
"{41A01180-D9FD-3428-9FD6-749F4C637CBF}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"{44025E80-44C3-416F-98DC-AE09CCFD57FD}" = Advisors Assistant Version 2 Conversion
"{47653B97-E079-454D-8DB9-B323E388FF93}" = Symantec Endpoint Protection Manager
"{4966AE07-55D8-4D91-85A1-0F97A4DDA603}" = Symantec Backup Exec for Windows Servers (Hotfix 6)
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50BC2CC7-C3E0-4ADB-B5A1-C26CDAA9A99F}" = Symantec Backup Exec for Windows Servers (Hotfix 38)
"{51C3F2C4-2FD8-48C1-8301-E660A6A84992}" = Symantec Backup Exec for Windows Servers (Hotfix 9)
"{520C5E07-E4D0-407D-B94D-E9F2D9208016}" = Acronis True Image Echo Enterprise Server
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5A1A9AB2-2F68-462D-A67D-7C855DFF5EEB}" = Microsoft Network Monitor: NetworkMonitor Parsers 3.4
"{5D42FAD4-3C0B-4CA8-B840-205B83A06125}" = Symantec Backup Exec for Windows Servers (Hotfix 2)
"{5E9E538A-308B-4342-A54E-CE3A8015DB18}" = Advisors Assistant Server Utilities
"{63934E99-A4F7-478C-8BB0-259BB9D78FFF}" = Microsoft Report Viewer Redistributable 2005
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (PRESENTS)
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{76CF1D9F-2285-48A5-B897-6EB978B221AA}" = Symantec Backup Exec for Windows Servers (Hotfix 13)
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{89C7A9F7-2C31-4739-842D-F037B6C9B674}" = Dell OpenManage Server Administrator
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{905D1B7B-FC03-4A5E-9198-143CA02D9059}" = Advisors Assistant Server Component
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{9111DFCB-DDB2-4E49-8DF7-91F623D14BF6}" = Symantec Backup Exec for Windows Servers (Hotfix 29)
"{91B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{92FCCD86-7737-41CC-A700-7FE6015CE01A}" = Symantec Backup Exec for Windows Servers (Hotfix 27)
"{9A6329B8-9383-4D6F-BC0B-9E8CB1F8B5EA}" = Advisors Assistant Station Program
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CDD9119-D625-4B91-B2D1-11C08D485E44}" = Symantec Backup Exec for Windows Servers (Hotfix 15)
"{9DA4493A-480C-4554-A02C-4B542D33A1D9}" = ManageEngine NetFlow Analyzer 7.5
"{A2F2C44A-869E-4C32-9CEC-E22B1CC91F06}" = Microsoft Network Monitor 3.4
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A98AFBC7-D5A7-46A1-8795-EABE2F55A7D6}" = Microsoft Office Live Meeting 2007
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B0F9497C-52B4-4686-8E73-74D866BBDF59}" = Microsoft SQL Server 2005 (ADVISORSASSIST)
"{B3C91427-E6A6-405C-980E-1EB3AE1F041D}" = Symantec Backup Exec for Windows Servers (Hotfix 16)
"{BA62EF4E-BD43-4BF8-B10A-72B79ABE195B}" = Symantec Backup Exec for Windows Servers (Service Pack 3)
"{BAAB98AF-E4B6-4A2F-A3D7-296BADB7FE2E}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BEA465C8-2923-42C6-9141-BE44739A6A80}" = Symantec Backup Exec for Windows Servers
"{BEE9E48B-BA8F-48DC-A63E-E0FD477A8FCB}" = Symantec Backup Exec for Windows Servers (Hotfix 11)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}" = Symantec Endpoint Protection
"{C3F5DBA5-ABFC-443E-AA60-928223AADF53}" = Microsoft SQL Server 2005
"{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}" = Microsoft Group Policy Management Console with SP1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0FAC044-FBEC-4605-9649-9BF12D977E87}" = Symantec Backup Exec for Windows Servers (Hotfix 24)
"{D147EA10-4361-41A7-A4DB-D84024D06D35}" = Symantec Backup Exec for Windows Servers (Hotfix 35)
"{D6AFA160-5CF3-4C84-A2E6-18615BE014D9}" = ManageEngine OpManager 8.0
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{DFC22BCF-1371-4DF5-B8D3-E2F3B4CCB19A}" = Symantec Backup Exec for Windows Servers (Hotfix 21)
"{E0B27188-A15E-4C64-AE49-85E8EF46184B}" = Reporting Agents (Symantec Corporation)
"{E1A85893-2CF7-4155-9731-453B858A07B0}" = Symantec Backup Exec for Windows Servers (Hotfix 23)
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E65928F8-937C-476E-83CB-16CC3376BA8A}" = Symantec Backup Exec for Windows Servers (Service Pack 2)
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{EA687A74-7AE0-4CB2-B01F-303748E7D5A9}" = Symantec Backup Exec for Windows Servers (Service Pack 1)
"{EA98753C-CB1C-4216-AC09-7EC3D3F62BAF}" = DameWare NT Utilities
"{F07F0BCD-5C6D-4499-9F05-6ED747078A72}" = Windows Support Tools
"{F0E8F664-CAC6-4104-A4F9-4373F0633495}" = AcronisDisk Director Server
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{FF7CF098-176D-4C8E-A39C-E33074252ED8}" = Symantec Backup Exec for Windows Servers (Hotfix 19)
"9161A261-6ABE-4668-BBFA-AD06B3F642CF" = Microsoft Exchange
"ActiveTouchMeetingClient" = WebEx
"Advanced IP Scanner v1.5" = Advanced IP Scanner v1.5
"Advanced Mass Sender 4.3" = Advanced Mass Sender 4.3
"Advisors Assistant 2.8" = Advisors Assistant 2.8
"ATI Display Driver" = ATI Display Driver
"FileZilla Client" = FileZilla Client 3.5.3
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Report Viewer Redistributable 2005" = Microsoft Report Viewer Redistributable 2005
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2010 Tools for Office Runtime (x86)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"Symantec Backup Exec 11.0" = Symantec Backup Exec ™ 11d for Windows Servers
"TeamViewer 3" = TeamViewer 3
"Unlocker" = Unlocker 1.8.7
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/31/2012 9:34:02 PM | Computer Name = ST-SERVER | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine that describes
the reason for this.

Error - 8/31/2012 9:44:40 PM | Computer Name = ST-SERVER | Source = Report Server Windows Service (ADVISORSASSIST) | ID = 107
Description = Report Server Windows Service (ADVISORSASSIST) cannot connect to the
report server database.

Error - 8/31/2012 10:08:18 PM | Computer Name = ST-SERVER | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 bpacmd.exe, P2 2005.90.5000.0, P3 4d028050,
P4 bpacmdx, P5 9.0.242.0, P6 4d02804c, P7 7, P8 7a, P9 system.io.filenotfoundexception,
P10 NIL.

Error - 8/31/2012 10:08:27 PM | Computer Name = ST-SERVER | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft SQL Server 2005 Reporting Services -- Error 29552.
UpgradeAdvisor returned -1 . Error message:

Error - 8/31/2012 10:42:09 PM | Computer Name = ST-SERVER | Source = Report Server Windows Service (ADVISORSASSIST) | ID = 107
Description = Report Server Windows Service (ADVISORSASSIST) cannot connect to the
report server database.

Error - 9/1/2012 2:28:52 AM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Unavailable by: Manual
scan. Action: Quarantine failed : Leave Alone failed. Action Description: The
file was deleted successfully.

Error - 9/1/2012 10:42:24 AM | Computer Name = ST-SERVER | Source = Report Server Windows Service (ADVISORSASSIST) | ID = 107
Description = Report Server Windows Service (ADVISORSASSIST) cannot connect to the
report server database.

Error - 9/1/2012 12:32:58 PM | Computer Name = ST-SERVER | Source = Backup Exec | ID = 57860
Description = An error occurred while attempting to log in to the following server:
"ST-SERVER". SQL error number: "000E". SQL error message: "[DBNETLIB][ConnectionOpen
(Invalid Instance()).]Invalid connection. ". For more information, click the following
link: http://eventlookup.v...entLookup.jhtml

Error - 9/1/2012 2:57:15 PM | Computer Name = ST-SERVER | Source = Backup Exec | ID = 34114
Description = Backup Exec Alert: Job Cancellation (Server: "ST-SERVER") (Job: "Daily
Data & Email backup") The job was canceled by user STONE-TAPERT\st_admin. For more
information, click the following link: http://eventlookup.v...entLookup.jhtml

Error - 9/1/2012 3:24:11 PM | Computer Name = ST-SERVER | Source = Report Server Windows Service (ADVISORSASSIST) | ID = 107
Description = Report Server Windows Service (ADVISORSASSIST) cannot connect to the
report server database.

[ Directory Service Events ]
Error - 8/26/2012 10:43:56 PM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/27/2012 9:48:11 AM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/27/2012 10:00:14 AM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/27/2012 10:17:01 AM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/27/2012 10:22:02 AM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/27/2012 10:29:23 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 8/27/2012 10:29:25 AM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/27/2012 10:43:53 AM | Computer Name = ST-SERVER | Source = NTDS General | ID = 1126
Description = Active Directory was unable to establish a connection with the global
catalog. Additional Data Error value: 8430 The directory service encountered an internal
failure. Internal ID: 3200c89 User Action: Make sure a global catalog is available
in the forest, and is reachable from this domain controller. You may use the nltest
utility to diagnose this problem.

Error - 8/27/2012 11:00:43 AM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/31/2012 8:48:59 PM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

[ DNS Server Events ]
Error - 8/27/2012 11:23:11 AM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 8/27/2012 11:23:11 AM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone stone-tapert.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 8/27/2012 11:10:57 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 8/27/2012 11:10:57 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 8/27/2012 11:10:57 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 8/27/2012 11:10:57 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone stone-tapert.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 9/1/2012 3:17:38 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 9/1/2012 3:17:38 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 9/1/2012 3:17:38 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 9/1/2012 3:17:38 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone stone-tapert.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

[ File Replication Service Events ]
Error - 7/3/2012 11:14:39 AM | Computer Name = ST-SERVER | Source = NtFrs | ID = 13571
Description = The File Replication Service has detected that one or more volumes
on this computer have the same Volume Serial Number. File Replication Service does
not support this configuration. Files may not replicate until this conflict is
resolved. Volume Serial Number : a81a-1662 List of volumes that have this Volume
Serial Number: c:, c: The output of "dir" command displays the Volume Serial Number
before listing the contents of the folder.

[ System Events ]
Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7022
Description = The System Event Notification service hung on starting.

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: %%1060

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The Ias service terminated with the following error: %%126

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The Iprip service terminated with the following error: %%126

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The Irmon service terminated with the following error: %%126

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The NWCWorkstation service terminated with the following error: %%126

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The Nwsapagent service terminated with the following error: %%126

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The TrkSvr service terminated with the following error: %%126

Error - 9/1/2012 3:23:23 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7023
Description = The WmdmPmSp service terminated with the following error: %%126

Error - 9/1/2012 3:23:49 PM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: crcdisk


< End of report >

#58
havredave

    GeekU Moderator

  • 1,689 posts
While they may be inconsequential at this point, your installed versions of Adobe Reader and Java are out of date.

Java has a known and current bug which isn't even fixed in the newest 1.7u7 version though (you have 1.7u3), so it should be kept disabled in the IE addons list. If you need or want help with disabling that, let me know. It might be used internally for Java-enabled websites though, so you might not be able to disable it. Just take it under advisement.

I'm still looking and researching. I might not be able to come up with anything useful today as I do this from work and am a bit busy, but I'll try. If nothing else, hopefully I can help Ron nudge things a little further along :)

#59
havredave

    GeekU Moderator

  • 1,689 posts
If you would, go ahead and run Malwarebytes' Anti-Malware again, and let it remove the svchsot.exe entry that it finds. The only problem here is I believe MBAM will want to reboot the machine. I don't think this will be a problem though, as it won't prompt other than the one time you'll be able to interact with remotely.

I'll keep looking, though I don't have a lot of time left in my work-day. I go home in 2.5 hours from the time I post this (17:30 MST)

I'd like to see if that entry re-creates itself, so run MBAM one more time after the restart, and let's see if it finds it yet again.

#60
rahanna

    Member

  • Topic Starter
  • 96 posts
Ron ... Still having issues and I hope you can help me out ...

Malicious files started showing again on the Root of Drive C, C:\Recycler and also under c:\Windows\System32

I have noticed the properties of the hidden files get exposed as seen attached ...

I have attached a screenshot and here is the most recent OTL ...

Please help as we really need to fix that issue ...

Thanks again for all your help and support ...


OTL logfile created on: 9/5/2012 9:55:50 PM - Run 8
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.67 Gb Available Physical Memory | 33.68% Memory free
5.35 Gb Paging File | 3.87 Gb Available in Paging File | 72.33% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 90.99 Gb Free Space | 67.19% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 158.67 Gb Free Space | 29.14% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found --
PRC - [2012/09/01 12:25:50 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Dell\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/07/03 13:46:42 | 000,973,488 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/28 23:47:40 | 003,259,688 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer.exe
PRC - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/05 21:45:32 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/05 21:45:30 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/05 21:45:29 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/05 21:45:28 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/05 21:45:27 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/05 21:45:26 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/05 21:45:25 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/05 21:45:24 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/05 21:45:24 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/05 21:45:23 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/05 21:45:22 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2680\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/07/10 11:01:50 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/07/10 11:00:43 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/10 10:59:36 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/07/10 10:59:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/07/10 10:59:33 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/07/10 10:59:28 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/07/10 10:59:25 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/07/10 10:59:24 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/07/10 10:59:22 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/07/10 10:59:07 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (쳾)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
SRV - [2012/08/24 19:00:40 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) [Disabled | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Stopped] -- System32\drivers\dnlg.sys -- (sicomu)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/05 21:52:15 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/08/20 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120905.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/20 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120905.017\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2010/02/05 21:03:36 | 000,018,080 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/15 02:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 02:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found


FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/04 20:09:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/09/04 20:10:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\st_admin\Application Data\Mozilla\Extensions
[2012/09/04 20:14:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\st_admin\Application Data\Mozilla\Firefox\Profiles\e36jque6.default\extensions
[2012/09/04 20:09:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/08/24 19:01:06 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/24 19:00:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/24 19:00:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/01 13:33:33 | 000,000,899 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [56B06D10] C:\Documents and Settings\st_admin\WINDOWS\56B06D10\svchsot.exe ()
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKCU..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop Components:AutorunsDisabled () -
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/05 21:52:15 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/05 21:35:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\RK_Quarantine
[2012/09/05 18:50:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\56B06D10
[2012/09/05 18:50:42 | 000,211,760 | ---- | C] (ESTsoft Corp) -- C:\ssyyms.exe
[2012/09/05 18:50:39 | 000,211,760 | ---- | C] (ESTsoft Corp) -- C:\bootsyyms.exe
[2012/09/05 18:50:38 | 000,211,760 | ---- | C] (ESTsoft Corp) -- C:\WINDOWS\System32\bootsyyms.exe
[2012/09/04 20:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Mozilla
[2012/09/04 20:10:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Mozilla
[2012/09/04 20:09:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/09/04 20:09:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/09/04 20:09:46 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\NirSoft ShellExView
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2012/09/02 13:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\Old
[2012/09/02 13:06:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/01 20:52:29 | 000,121,368 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DNTUS26.EXE
[2012/09/01 13:34:55 | 000,000,000 | ---D | C] -- C:\Old
[2012/09/01 12:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Exchange Task Wizard Logs
[2012/08/31 19:01:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Administrative Tools
[2012/08/31 18:52:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IECompatCache
[2012/08/31 18:52:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\PrivacIE
[2012/08/31 18:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2012/08/31 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\WINDOWS
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\SendTo
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Recent
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Application Data
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Startup
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\My Documents
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Favorites
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Accessories
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IETldCache
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\Cookies
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Templates
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\PrintHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\NetHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Local Settings
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Symantec
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\PCHealth
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\AATS
[2012/08/29 21:33:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/08/29 06:02:11 | 000,000,000 | ---D | C] -- C:\Dell
[2012/08/28 17:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 3
[2012/08/28 17:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer3
[2012/08/27 20:09:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\dwrcssft
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/05 22:00:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2012/09/05 22:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2012/09/05 21:55:43 | 000,000,145 | ---- | M] () -- C:\WINDOWS\System32\56B06D10.key
[2012/09/05 21:52:15 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/05 21:50:36 | 001,197,703 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/05 21:49:41 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/05 21:49:41 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2012/09/05 21:47:26 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2012/09/05 21:43:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/05 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2012/09/05 20:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2012/09/05 19:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2012/09/05 18:51:15 | 000,211,760 | ---- | M] (ESTsoft Corp) -- C:\ssyyms.exe
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/09/05 18:50:45 | 000,211,760 | ---- | M] (ESTsoft Corp) -- C:\bootsyyms.exe
[2012/09/05 18:50:44 | 000,211,760 | ---- | M] (ESTsoft Corp) -- C:\WINDOWS\System32\bootsyyms.exe
[2012/09/05 18:50:34 | 000,000,067 | ---- | M] () -- C:\xpsyyms.exe
[2012/09/05 18:50:33 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\xpsyyms.exe
[2012/09/05 14:33:08 | 000,000,061 | ---- | M] () -- C:\xpfs.exe
[2012/09/05 14:33:05 | 000,000,058 | ---- | M] () -- C:\WINDOWS\System32\xpfs.exe
[2012/09/05 12:00:10 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/09/05 12:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/05 11:24:34 | 000,001,726 | -H-- | M] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/09/05 11:15:17 | 000,000,057 | ---- | M] () -- C:\sh1.exe
[2012/09/05 11:15:17 | 000,000,054 | ---- | M] () -- C:\WINDOWS\System32\sh1.exe
[2012/09/05 11:15:12 | 000,000,060 | ---- | M] () -- C:\xp1.exe
[2012/09/05 11:15:12 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/04 20:09:57 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/09/03 19:43:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/01 13:33:33 | 000,000,899 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/31 19:38:11 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 19:26:33 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/31 18:47:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 17:48:59 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2012/08/28 21:23:16 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/08/27 21:11:40 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/08/27 20:09:55 | 000,000,713 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:06 | 000,689,826 | ---- | M] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:43 | 001,861,240 | ---- | M] () -- C:\Program Files\DNS.zip
[2012/08/17 17:33:42 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/05 21:53:58 | 000,000,145 | ---- | C] () -- C:\WINDOWS\System32\56B06D10.key
[2012/09/05 21:47:32 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2012/09/05 21:47:31 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2012/09/05 21:47:25 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2012/09/05 18:50:34 | 000,000,067 | ---- | C] () -- C:\xpsyyms.exe
[2012/09/05 18:50:33 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\xpsyyms.exe
[2012/09/05 14:33:12 | 000,026,624 | ---- | C] () -- C:\bootfs.exe
[2012/09/05 14:33:08 | 000,000,061 | ---- | C] () -- C:\xpfs.exe
[2012/09/05 14:33:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\xpfs.exe
[2012/09/05 11:15:17 | 000,000,057 | ---- | C] () -- C:\sh1.exe
[2012/09/05 11:15:17 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\sh1.exe
[2012/09/05 11:15:12 | 000,000,060 | ---- | C] () -- C:\xp1.exe
[2012/09/05 11:15:12 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/04 20:09:57 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/08/31 23:26:32 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[2012/08/31 23:24:00 | 000,001,726 | -H-- | C] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 18:55:05 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk
[2012/08/31 18:47:30 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 18:47:30 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Internet Explorer.lnk
[2012/08/31 18:47:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Outlook Express.lnk
[2012/08/31 17:50:11 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\st_admin\Desktop\Job Monitor.lnk
[2012/08/31 17:50:10 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Remote Assistance.lnk
[2012/08/27 20:09:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:05 | 000,689,826 | ---- | C] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:41 | 001,861,240 | ---- | C] () -- C:\Program Files\DNS.zip
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/12/22 10:52:21 | 000,002,838 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2009/06/13 17:18:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2008/11/19 12:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/06/29 14:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/05/14 19:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/07/14 20:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SolarWinds
[2012/08/28 21:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2012/09/05 19:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2012/09/05 20:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2012/09/05 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2012/09/05 22:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2012/09/05 21:47:26 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2012/09/05 22:00:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2012/09/05 21:47:32 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2012/09/05 18:51:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2012/09/05 12:00:00 | 000,032,374 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
[2012/09/05 12:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/05 12:00:10 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job

========== Purity Check ==========



< End of report >

Attached Thumbnails

  • Infections_01.JPG
  • Infections_02.JPG
  • Infections_03.JPG
