Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows 2003 Server with Backdoor Trojan


  • Please log in to reply

#106
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
Yes. That's the good one. Copy it and then move to c:\windows and Paste it.
  • 0

Advertisements


#107
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Under [HKEY_LOCAL_MACHINE\SYSTEM\WPA]

There is data under each of the following fields

"it"=
"id"=
"ie"=
"md"=

When I looked on the clean server, there is only one line (Default)

Is it safe to delete the [ md ] key ???

How about the other ones ??? ... Should I delete anything else ???
  • 0

#108
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Here is a screenshot of the WPA

Attached Thumbnails

  • WPA_mdKey.JPG

  • 0

#109
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
See if you can delete the md key. We will leave the others for now.
  • 0

#110
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
OK ,,, Deleted ... What's next ...
  • 0

#111
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
Do an export of HKLM\SYSTEM\CurrentControlSet\Services\Sens from the good server and attach it.
  • 0

#112
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
OK Ron ...

Here is the Sens.reg but I changed the extension to txt ...

Attached Files


  • 0

#113
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
I need to go as my son is playing the 1st soccer in the season ...

Can we connect again in a couple of hours ???

If you are busy then please send me what needs to be done and I will send you the reports ...

Thanks a million for all your help ...
  • 0

#114
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
No problem. I'm actually enjoying this. This is a new infection for me so it's interesting how it works. I get so tired of zero access rootkits which is what we mostly see these days.
  • 0

#115
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
Copy the text in the code box:

/md5start
wscript.exe
clb.dll
sens.dll
cache.txt
wmicuclt.exe 
ntshrui.dll
/md5stop
HKLM\SYSTEM\WPA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sharedaccess

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes
then Run Scan.

This is just a scan so does not change anything and will not reboot. Copy the log and paste it into a reply.

Take the good sens.reg and put it on the sick server. Right click on it and Merge. Now export KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sens
and attach it to a reply.

Export KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sharedaccess from both PCs and move the one from the good one to the sick one and right click and Merge. Attach both.

Going to bed a bit early tonight so that's all for today.
  • 0

Advertisements


#116
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Here is the OTL report based on the custom scan code that you sent me ...


OTL logfile created on: 9/7/2012 11:23:15 PM - Run 9
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.89 Gb Available Physical Memory | 44.53% Memory free
5.35 Gb Paging File | 3.86 Gb Available in Paging File | 72.16% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 93.01 Gb Free Space | 68.69% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 158.28 Gb Free Space | 29.07% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/05 23:35:10 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/01 12:25:50 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Dell\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/28 23:47:40 | 003,259,688 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer.exe
PRC - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/05 23:50:20 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/05 23:50:19 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/05 23:50:17 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/05 23:50:16 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/05 23:50:16 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/05 23:50:15 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/05 23:50:14 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/05 23:50:12 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/05 23:50:11 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/05 23:50:11 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/05 23:50:09 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3008\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/07/10 11:01:50 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/07/10 11:00:43 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/10 10:59:36 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/07/10 10:59:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/07/10 10:59:33 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/07/10 10:59:28 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/07/10 10:59:25 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/07/10 10:59:24 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/07/10 10:59:22 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/07/10 10:59:07 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (º́³¾Íø°²)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
SRV - [2012/09/05 23:35:10 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/08/24 19:00:40 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - [2012/08/20 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120907.034\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/20 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120907.034\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2010/02/05 21:03:36 | 000,018,080 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/15 02:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 02:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/04 20:09:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/09/04 20:10:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\st_admin\Application Data\Mozilla\Extensions
[2012/09/04 20:14:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\st_admin\Application Data\Mozilla\Firefox\Profiles\e36jque6.default\extensions
[2012/09/04 20:09:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/08/24 19:01:06 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/24 19:00:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/24 19:00:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/01 13:33:33 | 000,000,899 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKLM..\Run: [XXXXXX87FC2E28] C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe File not found
O4 - HKCU..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop Components:AutorunsDisabled () -
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/07 19:17:13 | 000,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\clb.dll
[2012/09/07 18:03:25 | 002,211,928 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\st_admin\Desktop\tdsskiller.exe
[2012/09/06 16:11:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\Logs
[2012/09/06 09:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Downloads
[2012/09/05 23:40:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/05 23:35:56 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/09/05 23:35:56 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/09/05 23:35:43 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/05 23:35:42 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/05 23:35:42 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/05 23:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Sun
[2012/09/05 23:27:52 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/09/05 18:50:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\56B06D10
[2012/09/04 20:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Mozilla
[2012/09/04 20:10:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Mozilla
[2012/09/04 20:09:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/09/04 20:09:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/09/04 20:09:46 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\NirSoft ShellExView
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2012/09/02 13:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\Old
[2012/09/02 13:06:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/01 20:52:29 | 000,121,368 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DNTUS26.EXE
[2012/09/01 13:34:55 | 000,000,000 | ---D | C] -- C:\Old
[2012/09/01 12:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Exchange Task Wizard Logs
[2012/08/31 19:01:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Administrative Tools
[2012/08/31 18:57:05 | 001,864,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2012/08/31 18:57:05 | 001,864,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2012/08/31 18:56:49 | 000,629,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2012/08/31 18:56:48 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2012/08/31 18:56:47 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2012/08/31 18:56:47 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2012/08/31 18:56:47 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2012/08/31 18:56:47 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2012/08/31 18:56:46 | 000,916,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2012/08/31 18:56:42 | 001,212,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2012/08/31 18:56:39 | 006,008,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2012/08/31 18:52:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IECompatCache
[2012/08/31 18:52:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\PrivacIE
[2012/08/31 18:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2012/08/31 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\WINDOWS
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\SendTo
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Recent
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Application Data
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Startup
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\My Documents
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Favorites
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Accessories
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IETldCache
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\Cookies
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Templates
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\PrintHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\NetHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Local Settings
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Symantec
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\PCHealth
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\AATS
[2012/08/29 06:02:11 | 000,000,000 | ---D | C] -- C:\Dell
[2012/08/28 17:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 3
[2012/08/28 17:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer3
[2012/08/27 20:09:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\dwrcssft
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/07 18:02:42 | 002,211,928 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\st_admin\Desktop\tdsskiller.exe
[2012/09/07 12:00:14 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/07 12:00:10 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/09/07 01:04:48 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/07 01:04:47 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/06 22:39:41 | 000,013,830 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/06 16:02:11 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/09/06 16:02:07 | 000,003,952 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/09/05 23:47:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/05 23:35:11 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/05 23:35:08 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/09/05 23:35:08 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/09/05 23:35:08 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/09/05 23:35:08 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/05 23:35:08 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/05 23:35:08 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/09/05 11:24:34 | 000,001,726 | -H-- | M] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/09/04 20:09:57 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/09/03 19:43:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/01 13:33:33 | 000,000,899 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/31 19:38:11 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 19:26:51 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/31 18:47:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 17:48:59 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2012/08/27 20:09:55 | 000,000,713 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:06 | 000,689,826 | ---- | M] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:43 | 001,861,240 | ---- | M] () -- C:\Program Files\DNS.zip
[2012/08/17 17:33:42 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/05 23:27:43 | 000,013,830 | ---- | C] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/04 20:09:57 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/09/04 20:09:57 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/08/31 23:26:32 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[2012/08/31 23:24:00 | 000,001,726 | -H-- | C] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 18:55:05 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk
[2012/08/31 18:47:30 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 18:47:30 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Internet Explorer.lnk
[2012/08/31 18:47:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Outlook Express.lnk
[2012/08/31 17:50:11 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\st_admin\Desktop\Job Monitor.lnk
[2012/08/31 17:50:10 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Remote Assistance.lnk
[2012/08/27 20:09:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:05 | 000,689,826 | ---- | C] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:41 | 001,861,240 | ---- | C] () -- C:\Program Files\DNS.zip
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/12/22 10:52:21 | 000,003,952 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== Custom Scans ==========

< MD5 for: CLB.DLL >
[2007/02/18 05:00:00 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=0CF8C48A04404026D673302982B62FC6 -- C:\WINDOWS\clb.dll
[2007/02/18 05:00:00 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=0CF8C48A04404026D673302982B62FC6 -- C:\WINDOWS\system32\clb.dll

< MD5 for: NTSHRUI.DLL >
[2007/02/17 07:03:04 | 000,142,848 | ---- | M] (Microsoft Corporation) MD5=8ABAD57604371E5975D631242173D947 -- C:\Dell\ntshrui.dll
[2007/02/17 07:03:04 | 000,142,848 | ---- | M] (Microsoft Corporation) MD5=8ABAD57604371E5975D631242173D947 -- C:\WINDOWS\ServicePackFiles\i386\ntshrui.dll
[2007/02/18 05:00:00 | 000,142,848 | ---- | M] (Microsoft Corporation) MD5=8ABAD57604371E5975D631242173D947 -- C:\WINDOWS\system32\dllcache\ntshrui.dll
[2007/02/18 05:00:00 | 000,142,848 | ---- | M] (Microsoft Corporation) MD5=8ABAD57604371E5975D631242173D947 -- C:\WINDOWS\system32\ntshrui.dll

< MD5 for: SENS.DLL >
[2007/02/17 03:58:56 | 000,037,376 | ---- | M] (Microsoft Corporation) MD5=97B6172283112AF7451E4ABE83DD6F24 -- C:\WINDOWS\ServicePackFiles\i386\sens.dll
[2007/02/18 05:00:00 | 000,037,376 | ---- | M] (Microsoft Corporation) MD5=97B6172283112AF7451E4ABE83DD6F24 -- C:\WINDOWS\system32\sens.dll

< MD5 for: WSCRIPT.EXE >
[2007/02/17 04:11:38 | 000,114,688 | ---- | M] (Microsoft Corporation) MD5=26380E1E200E899D46695700F257B822 -- C:\WINDOWS\ServicePackFiles\i386\wscript.exe
[2007/02/18 05:00:00 | 000,114,688 | ---- | M] (Microsoft Corporation) MD5=26380E1E200E899D46695700F257B822 -- C:\WINDOWS\system32\wscript.exe

< HKLM\SYSTEM\WPA >
"it" = DC 07 03 00 01 00 0C 00 03 00 20 00 3B 00 A5 02 [binary data]
"id" = 2192ABA5R2JDVPKQ
"ie" =
"sn" = Sharedaccess
"sr" = Sens -- [2007/02/18 05:00:00 | 000,037,376 | ---- | M] (Microsoft Corporation)
"lscan" = 2
"rmd" =

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\EntryHash-P89HHFXDQWKKRX]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\Key-BMX6WFHXGX8MHV2J3R96D]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\Key-DRMTF9PM2DH79VB786QDJ]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\Key-H8C72HJ8XT49BP68R734W]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\Key-PQ36W7YYCY4XM886FCYMF]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\Key-R6W93VJJJFHHR4HHTVX6T]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\Key-TBK2MJ277F2JFRVPHMQ4V]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\ReSigningHash-P89HHFXDQWKKRX]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\SigningHash-P89HHFXDQWKKRX]

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\SigningHash-TCCCW34VHT448J]

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System >
"disablecad" = 0
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"scforceoption" = 0
"shutdownwithoutlogon" = 0
"undockwithoutlogon" = 1
"EnableLUA" = 1

< HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers >
"C:\Program Files\Client Marketing Systems\DataConversion\aav2conv.exe" = RUNASADMIN

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens >
"DependOnService" = [binary data]
"Description" = Monitors system events and notifies subscribers to COM+ Event System of these events. If this service is stopped, COM+ Event System subscribers will not receive system event notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
"DisplayName" = System Event Notification
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs -- [2007/02/18 05:00:00 | 000,014,848 | ---- | M] (Microsoft Corporation)
"ObjectName" = LocalSystem
"Group" = SchedulerGroup
"Start" = 2
"Type" = 32

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens\Enum]

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sharedaccess >

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sharedaccess\Epoch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sharedaccess\Parameters]

< End of report >
  • 0

#117
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ... I am going to bed too as it has been a looooong day ...

I will check back with you tomorrow ...

Good night !!!
  • 0

#118
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
Attached is Goodsens.txt. Download it to the sick server. Rename goodsens.txt to goodsens.reg

Stop the sens service:
sc  stop  sens

right click on goodsens.reg and Merge.
sc  start sens

Use autoruns to remove the bad entries.

open regedit.

leave regedit open and run autoruns. Did the bad entries come back? If they did then run the following command:

tasklist /m > \junk.txt

Attach c:\junk.txt to your next post.

If the bad entries did not come back then export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens again and attach it to your next post.

Supposedly Morto stores some stuff in \\tsclient\a\a.dll. I am assuming that your server is \\tsclient so let's look for a.dll

Start, Run, cmd, OK

cd \

dir /a /s a.dll > \junk2.dll

(This will take a few minutes to complete as it has to search the whole hard drive)

notepad \junk2.txt

Did it find a.dll? If so attach the c:\junk2.txt file to your next post.
  • 0

#119
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

I couldn't find the goodsens.txt attachment in your last post ...

Can you re-send it please ...

Thanks,
  • 0

#120
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,775 posts
  • MVP
Sorry. Forgot to attach it.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP