
Windows 2003 Server with Backdoor Trojan



#1 rahanna (Member, 96 posts)
We have a Windows 2003 Server that got infected with a Backdoor Trojan and we cannot get rid of it ...

The Server has Symantec EndPoint Protection 11.04014 and MalwareBytes 1.6.1300

A number of exe files are being dropped into the root folder C:\ and even when I log in to Safe Mode and manually delete them, they come back under a different name ... The files include:

boot1.exe
bootNET4.0.exe
xp1.exe
xpNET4.0

They also reside under c:\windows\system32

I have attached a couple of screenshots of the server infection ...

Please let me know how to get rid of it ...

Thanks,

Attached: Server_01.JPG


#2 RKinner (Malware Expert, MVP, 24,598 posts)
Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.



Download, Save and Run (Win 7 or Vista => right click and Run as Admin.) Farbar Service Scanner


Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.


  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • Send me the RKreport.txt located on your desktop.

Ron
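Ron's instructions above ask for the OTL logs to be pasted back. What a helper actually does with those logs is triage the SRV/DRV/MOD lines for the patterns that stand out first. As an added example (not part of this thread, and not OTL's own logic), the Python script below parses lines in the format OTL prints and flags three such patterns: a service, driver or module loaded from a Temp or Recycle Bin directory; an auto-start service or driver whose file is already missing; and a service name that is nothing but hex digits. The line format is inferred from the log posted in this thread, the heuristics are my own assumptions, and the sample lines are copied from that log (plus one clean Malwarebytes line and one pathless driver line for contrast).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the OTL log posted in this thread,
# plus a clean service line so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
MOD - [2012/09/01 12:22:59 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\89f4ac43ba2b792785d9d472365e562b.dll
"""

# Trailing " -- (ServiceName)" on SRV/DRV lines; MOD lines have none.
TAIL_RE = re.compile(r" -- \((?P<name>.*)\)$")
# Everything before that tail: kind, "File not found" or [meta] (company),
# optional [state], then " --" and an optional path (empty for WDICA above).
HEAD_RE = re.compile(
    r"^(?P<kind>SRV|DRV|MOD) - "
    r"(?:(?P<missing>File not found)|\[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" --(?: (?P<path>.*))?$"
)
# Heuristics (assumptions of this example, not OTL rules).
TEMP_RE = re.compile(r"\\(?:temp|tmp|\$recycle\.bin)\\", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8,}$", re.IGNORECASE)
AUTO_START_RE = re.compile(r"\b(?:Auto|Boot|System)\b")


@dataclass
class Entry:
    kind: str
    name: str
    path: str
    state: str
    missing: bool
    company: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one SRV/DRV/MOD line; return None for any other line."""
    line = line.rstrip()
    tail = TAIL_RE.search(line)
    head = HEAD_RE.match(line[:tail.start()] if tail else line)
    if head is None:
        return None
    path = head.group("path") or ""
    # MOD lines carry no service name, so fall back to the file name.
    name = tail.group("name") if tail else path.rsplit("\\", 1)[-1]
    return Entry(kind=head.group("kind"), name=name, path=path,
                 state=head.group("state") or "",
                 missing=head.group("missing") is not None,
                 company=head.group("company") or "")


def triage(entry: Entry) -> Entry:
    """Attach one reason per heuristic the entry trips."""
    if TEMP_RE.search(entry.path):
        entry.reasons.append("loaded from a temp/scratch directory")
    if entry.missing and AUTO_START_RE.search(entry.state):
        # Start-at-boot entry whose binary is gone: leftover persistence
        # that a dropper typically re-creates on its next run.
        entry.reasons.append("auto-start entry whose file is missing")
    if entry.kind in ("SRV", "DRV") and HEX_NAME_RE.match(entry.name):
        entry.reasons.append("service name is a bare hex string")
    return entry


def suspicious_entries(log_text: str) -> List[Entry]:
    """Every parsed entry that trips at least one heuristic, in log order."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).reasons:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.kind} {e.name:<40} {e.state or '-':<28} {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run it on a saved OTL.txt by reading the file into `suspicious_entries`. The three rules are deliberately narrow: a Temp path or a missing auto-start binary is a reason to look, not proof of infection, and a disabled service with a missing file (WINS in the sample) is ignored on purpose because it cannot start. The real log in this thread also shows the complementary clue that no regex catches by itself: eleven different service names all pointing at the same `ntshrui.dll` under `C:\WINDOWS\Temp`, which is worth a second rule grouping entries by path.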

#3 rahanna (Topic Starter, Member, 96 posts)
Ron,

Thanks for your response ...

Is that safe to run on a Windows 2003 Server?

Should I be doing that in Safe Mode?

Please let me know and I will start on the guidelines that you send me ...

Thanks,

#4 rahanna (Topic Starter, Member, 96 posts)
Ron ... Here is the OTL text file

____________________________________


OTL logfile created on: 9/1/2012 12:28:58 PM - Run 4
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.85 Gb Available Physical Memory | 42.66% Memory free
5.35 Gb Paging File | 4.10 Gb Available in Paging File | 76.67% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 91.88 Gb Free Space | 67.85% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 159.86 Gb Free Space | 29.36% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/01 12:25:50 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Dell\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/28 23:47:40 | 003,259,688 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer.exe
PRC - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\oobechk.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/01 12:22:59 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/01 12:22:58 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/01 12:22:57 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/01 12:22:55 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/01 12:22:54 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/01 12:22:53 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/01 12:22:52 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/01 12:22:51 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/01 12:22:50 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/01 12:22:49 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/01 12:22:48 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/07/10 11:01:50 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/07/10 11:00:43 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/10 10:59:36 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/07/10 10:59:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/07/10 10:59:33 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/07/10 10:59:28 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/07/10 10:59:25 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/07/10 10:59:24 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/07/10 10:59:22 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/07/10 10:59:07 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\TEMP\Clt-Inst\vpremote.exe -- (VPREMOTE)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (ºì³¾Íø°²)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\dnlg.sys -- (sicomu)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
DRV - [2012/08/20 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120831.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/20 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120831.002\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2010/02/05 21:03:36 | 000,018,080 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/15 02:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 02:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = C:\dell\homepage\dellhome.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2012/08/23 00:04:51 | 000,444,015 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15253 more lines...
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: HidServ - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Ias - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Iprip - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Irmon - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Messenger - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: NWCWorkstation - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Nwsapagent - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: SENS - C:\WINDOWS\system32\Sens32.dll (Microsoft Corporation)
NetSvcs: Sharedaccess - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Themes - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: TrkSvr - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: WmdmPmSp - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: helpsvc - C:\WINDOWS\Temp\ntshrui.dll. File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - - File not found
MsConfig - StartUpReg: Acronis Scheduler2 Service - hkey= - key= - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
MsConfig - StartUpReg: AcronisTimounterMonitor - hkey= - key= - D:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe (Acronis)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: TrueImageMonitor.exe - hkey= - key= - D:\Program Files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe (Acronis)
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - C:\WINDOWS\Temp\ntshrui.dll. File not found
SafeBootMin: Ias - C:\WINDOWS\Temp\ntshrui.dll. File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootMin: Symantec Antvirus - Service
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: wd.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootNet: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - C:\WINDOWS\Temp\ntshrui.dll. File not found
SafeBootNet: Messenger - C:\WINDOWS\Temp\ntshrui.dll. File not found
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: nm - C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
SafeBootNet: nm.sys - C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: SharedAccess - C:\WINDOWS\Temp\ntshrui.dll. File not found
SafeBootNet: SmcService - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootNet: Symantec Antvirus - Service
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36BBA8D2-CA5C-4847-81CC-4F807DD86C91} - %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4CF07653-FE0F-11D4-A548-0090278A1BB8} - .NET Framework
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6D69F546-C1AF-4049-AE9E-28627B91D3F5} - %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider
ActiveX: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
ActiveX: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
ActiveX: {A8873309-E944-0828-5066-A2B92B802395} - C:\Documents and Settings\Administrator.STONE-TAPERT\WINDOWS:360Updata.exe
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} - Help and Support Center
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
System Restore Service not available.

========== Files/Folders - Created Within 30 Days ==========

[2012/09/01 12:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Exchange Task Wizard Logs
[2012/08/31 19:01:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Administrative Tools
[2012/08/31 18:57:05 | 001,864,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2012/08/31 18:57:05 | 001,864,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2012/08/31 18:56:49 | 000,629,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2012/08/31 18:56:48 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2012/08/31 18:56:47 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2012/08/31 18:56:47 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2012/08/31 18:56:47 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2012/08/31 18:56:47 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2012/08/31 18:56:46 | 000,916,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2012/08/31 18:56:42 | 001,212,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2012/08/31 18:56:39 | 006,008,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2012/08/31 18:52:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IECompatCache
[2012/08/31 18:52:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\PrivacIE
[2012/08/31 18:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2012/08/31 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\WINDOWS
[2012/08/31 17:50:11 | 000,889,416 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\st_admin\Desktop\dotNetFx40_Full_setup.exe
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\SendTo
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Recent
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Application Data
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Startup
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\My Documents
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Favorites
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Accessories
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IETldCache
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\Cookies
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Templates
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\PrintHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\NetHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Local Settings
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Symantec
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\PCHealth
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\AATS
[2012/08/29 21:33:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/08/29 09:54:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\8CF96123
[2012/08/29 06:02:11 | 000,000,000 | ---D | C] -- C:\Dell
[2012/08/28 17:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 3
[2012/08/28 17:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer3
[2012/08/27 20:09:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\dwrcssft
[2012/08/08 08:31:36 | 000,679,936 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNAS0MOK.DLL
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/01 12:27:57 | 001,105,492 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/01 12:26:59 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/01 12:26:58 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/01 12:20:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defragd.job
[2012/09/01 12:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2012/09/01 11:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2012/09/01 10:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2012/09/01 09:53:34 | 000,000,060 | ---- | M] () -- C:\xp1.exe
[2012/09/01 09:53:33 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 09:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2012/09/01 08:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2012/09/01 07:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2012/09/01 06:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2012/09/01 05:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2012/09/01 04:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2012/09/01 03:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/09/01 02:55:02 | 000,000,068 | ---- | M] () -- C:\xpNET4.0.exe
[2012/09/01 02:55:01 | 000,000,065 | ---- | M] () -- C:\WINDOWS\System32\xpNET4.0.exe
[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2012/09/01 02:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/09/01 01:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/09/01 00:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/08/31 23:26:10 | 000,001,716 | -H-- | M] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 23:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2012/08/31 22:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2012/08/31 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2012/08/31 20:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2012/08/31 19:38:11 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 19:26:33 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/31 19:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2012/08/31 18:47:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 17:49:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/31 17:48:59 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2012/08/31 17:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2012/08/31 16:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2012/08/31 15:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2012/08/31 14:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2012/08/31 13:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2012/08/31 12:00:13 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/08/31 12:00:08 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/08/30 18:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2012/08/28 21:23:16 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/08/27 21:11:40 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/08/27 20:09:55 | 000,000,713 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 03:00:01 | 000,000,210 | ---- | M] () -- C:\WINDOWS\tasks\Reboot.job
[2012/08/23 00:45:06 | 000,689,826 | ---- | M] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:43 | 001,861,240 | ---- | M] () -- C:\Program Files\DNS.zip
[2012/08/23 00:04:51 | 000,444,015 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/17 17:33:42 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/01 09:53:34 | 000,000,060 | ---- | C] () -- C:\xp1.exe
[2012/09/01 09:53:33 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 02:55:02 | 000,000,068 | ---- | C] () -- C:\xpNET4.0.exe
[2012/09/01 02:55:01 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\xpNET4.0.exe
[2012/08/31 23:26:32 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[2012/08/31 23:24:00 | 000,001,716 | -H-- | C] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 18:55:05 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk
[2012/08/31 18:47:30 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 18:47:30 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Internet Explorer.lnk
[2012/08/31 18:47:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Outlook Express.lnk
[2012/08/31 17:50:11 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\st_admin\Desktop\Job Monitor.lnk
[2012/08/31 17:50:10 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Remote Assistance.lnk
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2012/08/27 20:09:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:05 | 000,689,826 | ---- | C] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:41 | 001,861,240 | ---- | C] () -- C:\Program Files\DNS.zip
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/12/22 10:52:21 | 000,002,838 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: SCSI
Media Type: Fixed hard disk media
Model: DELL PERC 5/i SCSI Disk Device
Partitions: 2
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Fixed hard disk media
Interface type: SCSI
Media Type: Fixed hard disk media
Model: DELL PERC 5/i SCSI Disk Device
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 0.00GB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 135.00GB
Starting Offset: 74027520
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Extended Partition
Bootable: False
BootPartition: False
PrimaryPartition: False
Size: 0.00GB
Starting Offset: 145472302080
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 544.00GB
Starting Offset: 32256
Hidden sectors: 0


< %SYSTEMDRIVE%\*.exe >
[2012/09/01 09:53:34 | 000,000,060 | ---- | M] () -- C:\xp1.exe
[2012/09/01 02:55:02 | 000,000,068 | ---- | M] () -- C:\xpNET4.0.exe

< %systemroot%\assembly\GAC_32\*.ini >

< %systemroot%\assembly\GAC_64\*.ini >

< %SYSTEMDRIVE%\*.exe >
[2012/09/01 09:53:34 | 000,000,060 | ---- | M] () -- C:\xp1.exe
[2012/09/01 02:55:02 | 000,000,068 | ---- | M] () -- C:\xpNET4.0.exe

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2009/12/18 09:24:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 18:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2010/03/18 14:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/05/29 21:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 19:08:15 | 000,000,000 | --SD | M] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/28 21:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer

< MD5 for: ATAPI.SYS >
[2005/03/25 06:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\i386\sp1.cab:atapi.sys
[2007/02/18 05:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/02/18 00:35:06 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2007/02/17 02:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2007/02/18 05:00:00 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: CSRSS.EXE >
[2007/02/18 05:00:00 | 000,004,096 | ---- | M] (Microsoft Corporation) MD5=7FD73B26623E4AFF9D233E2F87BDD650 -- C:\WINDOWS\system32\csrss.exe

< MD5 for: EXPLORER.EXE >
[2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) MD5=A26C39540F8BE3729846E360E2C57344 -- C:\WINDOWS\explorer.exe
[2007/02/17 02:58:36 | 001,053,184 | ---- | M] (Microsoft Corporation) MD5=A26C39540F8BE3729846E360E2C57344 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

< MD5 for: MSWSOCK.DLL >
[2008/06/20 12:01:39 | 000,257,024 | ---- | M] (Microsoft Corporation) MD5=2FCC6D31B7CED67E659B7C629CEC89D4 -- C:\WINDOWS\$hf_mig$\KB2509553\SP2QFE\mswsock.dll
[2008/06/20 12:01:39 | 000,257,024 | ---- | M] (Microsoft Corporation) MD5=2FCC6D31B7CED67E659B7C629CEC89D4 -- C:\WINDOWS\$hf_mig$\KB2562485\SP2QFE\mswsock.dll
[2008/06/20 12:01:39 | 000,257,024 | ---- | M] (Microsoft Corporation) MD5=2FCC6D31B7CED67E659B7C629CEC89D4 -- C:\WINDOWS\$hf_mig$\KB2647170\SP2QFE\mswsock.dll
[2007/02/18 05:00:00 | 000,256,000 | ---- | M] (Microsoft Corporation) MD5=3EF557D5DC87BBA29593A8D146AE7EFC -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll
[2007/02/17 03:36:58 | 000,256,000 | ---- | M] (Microsoft Corporation) MD5=3EF557D5DC87BBA29593A8D146AE7EFC -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
[2008/06/20 11:32:38 | 000,256,000 | ---- | M] (Microsoft Corporation) MD5=9C0BF64484E9D297CB3E96DC22765A82 -- C:\WINDOWS\$NtUninstallKB2647170$\mswsock.dll
[2008/06/20 11:32:38 | 000,256,000 | ---- | M] (Microsoft Corporation) MD5=9C0BF64484E9D297CB3E96DC22765A82 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 11:32:38 | 000,256,000 | ---- | M] (Microsoft Corporation) MD5=9C0BF64484E9D297CB3E96DC22765A82 -- C:\WINDOWS\system32\mswsock.dll

< MD5 for: NWPROVAU.DLL >
[2007/02/17 03:42:38 | 000,140,800 | ---- | M] (Microsoft Corporation) MD5=86000656E85E143991835AAFA84BBDCB -- C:\WINDOWS\ServicePackFiles\i386\nwprovau.dll
[2007/02/18 05:00:00 | 000,140,800 | ---- | M] (Microsoft Corporation) MD5=86000656E85E143991835AAFA84BBDCB -- C:\WINDOWS\system32\nwprovau.dll

< MD5 for: SERVICES.EXE >
[2009/02/03 04:39:50 | 000,112,640 | ---- | M] (Microsoft Corporation) MD5=7990FB9B9A7F37F4413D7B13A1259037 -- C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe
[2007/02/18 05:00:00 | 000,111,104 | ---- | M] (Microsoft Corporation) MD5=98CD58DA0C7809C8546B9EA8BF3B00FD -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2007/02/17 03:58:58 | 000,111,104 | ---- | M] (Microsoft Corporation) MD5=98CD58DA0C7809C8546B9EA8BF3B00FD -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/03 04:07:32 | 000,113,152 | ---- | M] (Microsoft Corporation) MD5=CF500580CDD83B145646A4DCFCE1CF3C -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/03 04:07:32 | 000,113,152 | ---- | M] (Microsoft Corporation) MD5=CF500580CDD83B145646A4DCFCE1CF3C -- C:\WINDOWS\system32\services.exe

< MD5 for: SVCHOST.EXE >
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2007/02/17 04:04:26 | 000,014,848 | ---- | M] (Microsoft Corporation) MD5=C09CCFE81DEC9B162533D7184D705682 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2007/02/18 05:00:00 | 000,014,848 | ---- | M] (Microsoft Corporation) MD5=C09CCFE81DEC9B162533D7184D705682 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USER32.DLL >
[2005/03/25 06:00:00 | 000,588,288 | ---- | M] (Microsoft Corporation) MD5=0CB15B516E6B6E1E7C84BBC5CCB20C7A -- C:\WINDOWS\$NtUninstallKB925902_0$\user32.dll
[2007/03/01 23:38:46 | 000,583,680 | ---- | M] (Microsoft Corporation) MD5=1959150096B010BA953A78B0D6B0B4E4 -- C:\WINDOWS\system32\dllcache\user32.dll
[2007/03/01 23:38:46 | 000,583,680 | ---- | M] (Microsoft Corporation) MD5=1959150096B010BA953A78B0D6B0B4E4 -- C:\WINDOWS\system32\user32.dll
[2007/02/18 05:00:00 | 000,583,680 | ---- | M] (Microsoft Corporation) MD5=BEFB689615C62C11EBB085031451B00A -- C:\WINDOWS\$NtUninstallKB925902-v2$\user32.dll
[2007/02/17 04:07:42 | 000,583,680 | ---- | M] (Microsoft Corporation) MD5=BEFB689615C62C11EBB085031451B00A -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2007/03/01 23:41:38 | 000,583,680 | ---- | M] (Microsoft Corporation) MD5=C1F63A63AF82E7E5B786B7EF55F08BF7 -- C:\WINDOWS\$hf_mig$\KB925902-v2\SP2QFE\user32.dll

< MD5 for: USERINIT.EXE >
[2007/02/17 04:07:44 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=B5FEB3B971A8B8C81CE9DE65031A87E5 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2007/02/18 05:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=B5FEB3B971A8B8C81CE9DE65031A87E5 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2007/02/17 04:09:06 | 000,528,384 | ---- | M] (Microsoft Corporation) MD5=B4AA8AE0F18E5DFCF99A671A181D3EDC -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2007/02/18 05:00:00 | 000,528,384 | ---- | M] (Microsoft Corporation) MD5=B4AA8AE0F18E5DFCF99A671A181D3EDC -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINRNR.DLL >
[2007/02/17 04:09:14 | 000,017,408 | ---- | M] (Microsoft Corporation) MD5=372097347142B42A6DD0DB68E20C37B2 -- C:\WINDOWS\ServicePackFiles\i386\winrnr.dll
[2007/02/18 05:00:00 | 000,017,408 | ---- | M] (Microsoft Corporation) MD5=372097347142B42A6DD0DB68E20C37B2 -- C:\WINDOWS\system32\winrnr.dll

< C:\Windows\assembly\tmp\U\*.* /s >

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/07/02 04:19:30 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/07/02 04:19:30 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/07/02 04:19:30 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\admin$\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/07/02 04:19:30 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/07/02 04:19:30 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/07/02 04:19:30 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemdrive%\$Recycle.Bin|@;true;true;true >

< End of report >
  • 0

#5
rahanna (Member, Topic Starter, 96 posts)
Ron ... These are the results of FSS

Farbar Service Scanner Version: 06-08-2012
Ran by st_admin (administrator) on 01-09-2012 at 12:54:10
Running from "C:\Dell"
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.

tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.


File Check:
========

ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\afd.sys
[2007-02-18 05:00] - [2011-12-27 07:13] - 0150528 ____A (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B


ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-02-18 05:00] - [2009-08-15 02:57] - 0393216 ____A (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3

C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____A (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B


ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\vssvc.exe
[2007-02-18 05:00] - [2007-02-18 05:00] - 0836096 ____A (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916


ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-02-17 07:03] - [2007-02-17 07:03] - 0143360 ____A (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2007-02-17 07:03] - [2007-02-18 05:00] - 0380928 ____A (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C

C:\WINDOWS\system32\es.dll
[2008-04-29 14:33] - [2008-04-29 14:33] - 0247296 ____A (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C

C:\WINDOWS\system32\cryptsvc.dll
[2007-02-18 05:00] - [2007-02-18 05:00] - 0056320 ____A (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4


ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\ipnathlp.dll
[2007-02-18 05:00] - [2007-02-18 05:00] - 0343552 ____A (Microsoft Corporation) 27C6B8C2AFED21C10429A56DB95735F6

C:\WINDOWS\system32\svchost.exe
[2007-02-18 05:00] - [2007-02-18 05:00] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\WINDOWS\system32\rpcss.dll
[2012-05-31 21:11] - [2009-02-09 04:02] - 0486912 ____A (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE



**** End of log ****
  • 0

#6
RKinner (Malware Expert, MVP, 24,598 posts)
Go into Control panel and look at these tasks:

[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At1.job

Most likely they are the cause of your reinfection. Note what files they call. Turn off Task Scheduler or delete all of the tasks if they are not tasks that you scheduled.

Also I am seeing a lot of strange files running from c:\Windows\Temp:

MOD - [2012/09/01 12:22:59 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/01 12:22:58 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/01 12:22:57 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/01 12:22:55 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/01 12:22:54 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/01 12:22:53 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/01 12:22:52 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/01 12:22:51 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/01 12:22:50 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/01 12:22:49 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/01 12:22:48 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2720\42db37dadb779dbfc5da8bdd7ec61c52.dll

These need to go. I would run TFC (if it will work on your server); if not, manually delete the folder C:\WINDOWS\Temp\pdk-SYSTEM-2720

Download TFC by OldTimer

http://oldtimer.geekstogo.com/TFC.exe

to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

These do not look good:

NetSvcs: HidServ - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Ias - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Iprip - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Irmon - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Messenger - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: NWCWorkstation - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Nwsapagent - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Sharedaccess - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: Themes - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: TrkSvr - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: WmdmPmSp - C:\WINDOWS\Temp\ntshrui.dll. File not found
NetSvcs: helpsvc - C:\WINDOWS\Temp\ntshrui.dll. File not found


These are mostly services which are not used so you can go into the services Menu and change their Startup Type: to Disabled. See the table at

http://www.blackvipe...stry-file-tool/ for the full service name. Alternatively you can open a Command prompt and type:

sc config HidServ start= disabled

sc config Ias start= disabled

etc.

Then run OTL again just like you did before and post the logs.

We are going out on the boat for a few hours so it will be a while before I can get back to you but I would also try Combofix (It may not want to run on a server but it's worth a shot.)


ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Also the free ESET online scan may help if it will run:
Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a View Report option at the bottom. Click on it and copy and paste the report (even if it says nothing found).
  • 0
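The three checks RKinner walks through in this post (a batch of At*.job tasks created in the same second, NetSvcs entries whose ServiceDll points at a missing file in Temp, and modules loaded from Temp) as triage run over OTL-style log lines, in an added Python example that is not part of the thread or of OTL itself; the line layouts are assumptions read off the quoted lines, and the sample log is constructed (the Themes, Backup.job and mswsock.dll lines are made-up benign entries).

```python
"""Triage helpers for OTL-style log lines (added example, not OTL's code).

The regexes are assumptions drawn from the lines quoted in the post; the
sample log below is constructed, mixing hijacked and benign entries.
"""
import re
from collections import defaultdict

# Constructed sample: NetSvcs, task-creation and loaded-module (MOD) lines.
SAMPLE_OTL_LOG = """\
NetSvcs: HidServ - C:\\WINDOWS\\Temp\\ntshrui.dll. File not found
NetSvcs: Ias - C:\\WINDOWS\\Temp\\ntshrui.dll. File not found
NetSvcs: Themes - C:\\WINDOWS\\system32\\shsvcs.dll (Microsoft Corporation)
NetSvcs: helpsvc - C:\\WINDOWS\\Temp\\ntshrui.dll. File not found
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\\WINDOWS\\tasks\\At9.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\\WINDOWS\\tasks\\At8.job
[2012/08/29 09:54:57 | 000,000,348 | ---- | C] () -- C:\\WINDOWS\\tasks\\At1.job
[2012/05/03 11:02:10 | 000,000,412 | ---- | C] () -- C:\\WINDOWS\\tasks\\Backup.job
MOD - [2012/09/01 12:22:59 | 000,024,665 | R--- | M] () -- C:\\WINDOWS\\Temp\\pdk-SYSTEM-2720\\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2007/02/18 05:00:00 | 000,256,000 | ---- | M] (Microsoft Corporation) -- C:\\WINDOWS\\system32\\mswsock.dll
"""

# Assumed layouts: "NetSvcs: <name> - <path>[. File not found|(Company)]",
# "[<ts> | <size> | <attrs> | C] () -- <path>.job" and "MOD - [...] (...) -- <path>".
NETSVCS_RE = re.compile(r"^NetSvcs:\s+(?P<name>\S+)\s+-\s+(?P<rest>.+?)\s*$")
TASK_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \|[^\]]*\] \(\) -- "
    r"(?P<path>.+\\tasks\\(?P<job>[^\\]+\.job))$", re.IGNORECASE)
MOD_RE = re.compile(r"^MOD - \[[^\]]*\] \([^)]*\) -- (?P<path>.+?)\s*$")
MISSING = "File not found"


def in_temp_dir(path):
    """True when the path sits under any Temp directory (case-insensitive)."""
    return "\\temp\\" in path.lower()


def parse_netsvcs(lines):
    """Yield (service name, dll path, missing?) for every NetSvcs line."""
    for line in lines:
        m = NETSVCS_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith(MISSING)
        if missing:
            path = rest[: -len(MISSING)].rstrip(" .")
        else:
            path = rest.split(" (")[0]  # drop the "(Company)" tail
        yield m.group("name"), path, missing


def suspicious_netsvcs(lines):
    """Services whose DLL is missing or is loaded from a Temp directory."""
    return [name for name, path, missing in parse_netsvcs(lines)
            if missing or in_temp_dir(path)]


def task_batches(lines, min_size=3):
    """Group .job files by creation second; keep batches of min_size or more.

    AtN.job is the naming at.exe uses, and many of them created in the same
    second is the pattern the post points at as the source of reinfection.
    """
    by_ts = defaultdict(list)
    for line in lines:
        m = TASK_RE.match(line)
        if m:
            by_ts[m.group("ts")].append(m.group("job"))
    return {ts: sorted(jobs) for ts, jobs in by_ts.items()
            if len(jobs) >= min_size}


def temp_modules(lines):
    """Loaded modules (OTL 'MOD' lines) that live under a Temp directory."""
    return [m.group("path") for m in map(MOD_RE.match, lines)
            if m and in_temp_dir(m.group("path"))]


def disable_commands(service_names):
    """Build the sc.exe commands the post suggests for hijacked unused services.

    The space after 'start=' is required by sc.exe's argument parser.
    """
    return ["sc config %s start= disabled" % name for name in service_names]


if __name__ == "__main__":
    lines = SAMPLE_OTL_LOG.splitlines()
    print("Suspicious NetSvcs:", suspicious_netsvcs(lines))
    print("Task batches:", task_batches(lines))
    print("Modules from Temp:", temp_modules(lines))
    for cmd in disable_commands(suspicious_netsvcs(lines)):
        print(cmd)
```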

#7
rahanna (Member, Topic Starter, 96 posts)
Ron ... Here is the RogueKiller Report


RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP 64 / Windows Home Server / Windows Server 2003 (5.2.3790 Service Pack 2) 32 bits version
Started in : Normal mode
User : st_admin [Admin rights]
Mode : Scan -- Date : 09/01/2012 13:00:33

¤¤¤ Bad processes : 2 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : EFI Job Monitor (C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe) -> FOUND
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : EFI Job Monitor (C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-507921405-1364589140-1801674531-1717[...]\Run : EFI Job Monitor (C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18[...]\Run : EFI Job Monitor (C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x8094F216 -> HOOKED (Unknown @ 0x89BB00B8)
SSDT[14] : NtAlertThread @ 0x8094F1C6 -> HOOKED (Unknown @ 0x89BFF0B8)
SSDT[18] : NtAllocateVirtualMemory @ 0x80843E66 -> HOOKED (Unknown @ 0x89BDB358)
SSDT[45] : NtCreateMutant @ 0x8099468A -> HOOKED (Unknown @ 0x89BF56D8)
SSDT[55] : NtCreateThread @ 0x8094AE42 -> HOOKED (Unknown @ 0x89BDAC80)
SSDT[87] : NtFreeVirtualMemory @ 0x80857600 -> HOOKED (Unknown @ 0x89BEE6A0)
SSDT[93] : NtImpersonateAnonymousToken @ 0x8097490C -> HOOKED (Unknown @ 0x89B99EC8)
SSDT[95] : NtImpersonateThread @ 0x809525DE -> HOOKED (Unknown @ 0x89C210B0)
SSDT[113] : NtMapViewOfSection @ 0x8092D4A8 -> HOOKED (Unknown @ 0x89BC17C0)
SSDT[120] : NtOpenEvent @ 0x8098BA6C -> HOOKED (Unknown @ 0x8A34E778)
SSDT[129] : NtOpenProcessToken @ 0x80968E00 -> HOOKED (Unknown @ 0x89C20EC8)
SSDT[135] : NtOpenThreadToken @ 0x80968E1E -> HOOKED (Unknown @ 0x89B71E28)
SSDT[214] : NtResumeThread @ 0x8094F054 -> HOOKED (Unknown @ 0x89B80D08)
SSDT[221] : NtSetContextThread @ 0x8094CA26 -> HOOKED (Unknown @ 0x89B710B8)
SSDT[237] : NtSetInformationProcess @ 0x80947926 -> HOOKED (Unknown @ 0x89B71EF8)
SSDT[238] : NtSetInformationThread @ 0x80946FC8 -> HOOKED (Unknown @ 0x89B71CD0)
SSDT[262] : NtSuspendProcess @ 0x8094F11A -> HOOKED (Unknown @ 0x89BEF0B8)
SSDT[263] : NtSuspendThread @ 0x8094EF90 -> HOOKED (Unknown @ 0x89BB40B8)
SSDT[266] : NtTerminateProcess @ 0x8094C0A8 -> HOOKED (Unknown @ 0x89BABB48)
SSDT[267] : NtTerminateThread @ 0x8094C2B4 -> HOOKED (Unknown @ 0x89B840B8)
SSDT[277] : NtUnmapViewOfSection @ 0x809234AA -> HOOKED (Unknown @ 0x89BDB0B8)
SSDT[287] : NtWriteVirtualMemory @ 0x8092F23A -> HOOKED (Unknown @ 0x89C03458)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: DELL PERC 5/i SCSI Disk Device +++++
--- User ---
[MBR] 8417170b0114dde7f13fed715f1c682e
[BSP] cb5cc60613382c35dfec4fadfae41fcc : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 70 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 144585 | Size: 138662 Mo
2 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 284125590 | Size: 15 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: DELL PERC 5/i SCSI Disk Device +++++
--- User ---
[MBR] b0aa3f2fd09e0ae4bfe84676f7e901ee
[BSP] f593e851923f1aaa07b37684d62e7ca4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 557560 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
  • 0

#8
rahanna (Member, Topic Starter, 96 posts)
Ron ... I had to work on the Server remotely and here are the results:

1. Deleted all suspicious scheduled tasks as per your recommendations ...

2. Tried to delete the suspicious sub-folder under C:\Windows\Temp which is called [ pdk-SYSTEM-2696 ]

Got an [ Access Denied ]

So, I ran TFC v3.1.9.0 and while it was stopping running processes, it crashed my remote access ...

Now I cannot get back to the Server and the only way is to go physically to the Office and restart it ... So, my finding is that TFC doesn't work well on Windows 2003 (see attached screen shot as it halted at stopping processes)

Then, I logged in using VPN and connected to another Server on the same subnet and ran a CMD:> shutdown /r /m \\servername but it didn't restart and gave me:
ServerName: The RPC server is too busy to complete this operation (1723)

I can still ping the Server, but no remote access ...

Do you have any recommendations ???

If not, then I will plan to go to the office tomorrow to continue with our cleaning process ...

I hope you had a nice time on the boat ... Was it a fishing trip ???

Thanks for all the help and support ... I really appreciate it !!!

#9 RKinner (Malware Expert, MVP, 24,598 posts)
Sorry about TFC. Didn't realize you were remote.

Copy the text in the code box by highlighting it and pressing Ctrl + C


:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (ºì³¾Íø°²)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\dnlg.sys -- (sicomu)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKCU..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
[2012/08/29 09:54:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\8CF96123
[2012/09/01 12:17:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defragd.job
[2012/09/01 09:53:34 | 000,000,060 | ---- | M] () -- C:\xp1.exe
[2012/09/01 09:53:33 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 02:55:02 | 000,000,068 | ---- | M] () -- C:\xpNET4.0.exe
[2012/09/01 02:55:01 | 000,000,065 | ---- | M] () -- C:\WINDOWS\System32\xpNET4.0.exe
[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2012/08/31 12:00:13 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/08/31 12:00:08 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/08/23 03:00:01 | 000,000,210 | ---- | M] () -- C:\WINDOWS\tasks\Reboot.job
[2012/09/01 09:53:34 | 000,000,060 | ---- | C] () -- C:\xp1.exe
[2012/09/01 09:53:33 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 02:55:02 | 000,000,068 | ---- | C] () -- C:\xpNET4.0.exe
[2012/09/01 02:55:01 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\xpNET4.0.exe

:files
c:\*.exe
C:\windows\tasks\at*.job
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
sc config HidServ start= disabled /c
sc config Ias start= disabled /c
sc config Iprip start= disabled /c
sc config Irmon start= disabled /c
sc config Messenger start= disabled /c
sc config NWCWorkstation start= disabled /c
sc config Nwsapagent start= disabled /c
sc config Sacsvr start= disabled /c
sc config SENS start= disabled /c
sc config Sharedaccess start= disabled /c
sc config Themes start= disabled /c
sc config TrkSvr start= disabled /c
sc config WmdmPmSp start= disabled /c
sc config helpsvc start= disabled /c
sc config 55A71E73 start= disabled /c
sc config ºì³¾Íø°² start= disabled /c
sc delete ºì³¾Íø°² /c
C:\WINDOWS\Temp\ntshrui.dll
C:\WINDOWS\Temp\pdk-SYSTEM-2720\

:Commands
[EMPTYTEMP]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply. This will also create a file winsock2.reg on your desktop. It is an insurance file. If you can't get on the Internet after the fix, try right clicking on the winsock2.reg and Merge then reboot. If that doesn't help then do a System Restore.
It appears that Old Timer is now hiding the log in c:\_OTL\RemovedFiles\09022012-some number.log if you don't catch it the first time.

This OTL fix removes all of the bad stuff I can see in the first OTL log and disables all of the services which point to C:\WINDOWS\Temp\ntshrui.dll and also clears the temp files. It will want to reboot when done.

Then run another OTL scan just like the last one and let's see how it looks now.

I can get .reg files from my XP and they will probably work to fix the services that were all pointing to C:\WINDOWS\Temp\ntshrui.dll but no point until the malware is dead.

I have several other possibilities but we don't get a lot of servers so I don't know which work. Normally they will just tell you that they don't want to work on a server when you try to run them:


Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply

If you have time you can run it again and change it from Quickscan to C:\ then it will scan the whole drive but this will probably take several hours so might be something to do overnight while you sleep.



Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Right click on TDSSKiller.exe and select Run As Administrator to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Since Norton can't handle the bug you might want to try the free Avast. Their boot-time scan is one of the best in the business. If you are a business you aren't supposed to run the free version but you can try it out for free for 30 days.

If you decide to try Avast:

Download and Save the free Avast installer.
http://www.avast.com...ivirus-download
Download and save the norton removal tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Uninstall Symantec (save the product license key in case you decide to reinstall it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US)

Run the Norton Removal tool.

Reboot

Install Avast. (Register when it asks you - they will try to talk you in to buying the full product but the free version is what we want.)
Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It will take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
Text version of the report is at: C:\ProgramData\Avast Software\Avast\report\aswboot.txt



This next one is mostly to see what is broken:
Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.
Reboot.
1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
Please post the Output log in your next reply then repeat but select Application.


We went crabbing. Dropped the pot and floated around for 2 hours and came back and had a bunch but all either female or too small so nothing legal. Had to throw them all back. At least we caught something. Last two times the pot was empty. It's getting close to the end of the season.

We've volunteered to help out in tomorrow's triathlon (we are essentially talking sign posts - go that way! not that way!) so won't be back on line until about noon Pacific time then we have to meet some friends downtown so will probably leave a bit after 2 PM. Probably back by 5. Will check my email for notices when I get up and at noon.
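As an added illustration (my own example, not code from the thread or from OTL), here is a small Python triage script that applies the same reasoning Ron used on the OTL log: it flags services or drivers loaded from a Temp directory, .exe files under 1 KB in the drive root or System32 (the droppers in this thread were 57 to 68 bytes), and .job files in the tasks folder for review. The sample lines are constructed from entries quoted in the fix script plus a made-up benign svchost entry; the 1 KB threshold and the root/System32 rule are my assumptions.

```python
import re

# Constructed sample of OTL log lines: the suspicious ones are copied from the
# fix script in the post above, the two svchost entries are benign filler.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (ºì³¾Íø°²)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
SRV - [2008/04/14 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\svchost.exe -- (Dnscache)
[2012/09/01 09:53:34 | 000,000,060 | ---- | M] () -- C:\xp1.exe
[2012/09/01 09:53:33 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\xp1.exe
[2012/09/01 02:44:17 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2008/04/14 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe
"""

# "SRV - ... -- <path> -- (<service name>)" and the DRV equivalent.
SERVICE_RE = re.compile(r"^(?:SRV|DRV) - .*? -- (?P<path>.+?) -- \((?P<name>[^)]*)\)\s*$")
# "[<timestamp> | <size> | <attrs> | M] (<company>) -- <path>"
FILE_RE = re.compile(r"^\[(?P<ts>[^|\]]+?) \| (?P<size>[\d,]+) \| [^\]]*\] \([^)]*\) -- (?P<path>.+?)\s*$")
# Assumed cut-off: real system binaries are never this small.
TINY_EXE_BYTES = 1024
# Drive root ("C:\x.exe") or System32 ("C:\WINDOWS\System32\x.exe"), lower-cased.
ROOT_OR_SYSTEM32_RE = re.compile(r"^[a-z]:\\(windows\\system32\\)?[^\\]+$")


def triage(log_text):
    """Return (rule, detail, path) tuples for every OTL line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            # Matches both C:\WINDOWS\Temp\ and the 8.3 form LOCALS~1\Temp\.
            if "\\temp\\" in svc["path"].lower():
                findings.append(("service-from-temp", svc["name"], svc["path"]))
            continue
        f = FILE_RE.match(line)
        if not f:
            continue
        path, low = f["path"], f["path"].lower()
        size = int(f["size"].replace(",", ""))
        if low.endswith(".exe") and size < TINY_EXE_BYTES and ROOT_OR_SYSTEM32_RE.match(low):
            findings.append(("tiny-exe", f"{size} bytes", path))
        elif low.endswith(".job") and "\\tasks\\" in low:
            findings.append(("scheduled-task", f["ts"].strip(), path))
    return findings


if __name__ == "__main__":
    for rule, detail, path in triage(SAMPLE_LOG):
        print(f"{rule:18} {detail:22} {path}")
```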

#10 rahanna (Member, Topic Starter, 96 posts)
Thanks Ron ...

I will try that in a couple of hours as I need to take my son to a soccer practice ...

BTW - What do you think of GFI Vipre Business compared to Symantec EndPoint Protection ??? ... Do you think I should give them a try compared to AVAST, as they have a 30-day trial and are designed to work on Windows Servers ???

Let me know your thoughts and sorry to hear that you didn't catch good size crabs ... I had the same experience while fishing last weekend and my son was disappointed to release the fish back to the ocean ...

Anyway, tell me your thoughts about GFI Vipre Business and I will send you the reports as soon as I can run OTL ...

Take care !!!

#11 RKinner (Malware Expert, MVP, 24,598 posts)
If you are paying for anti-virus then Kaspersky is your best choice, with Bitdefender a usually lower priced alternative. We see very few of them in the forum.

Vipre I know nothing about and Norton is a resource hog that is not as effective as it should be.

I have just checked with Avast and their free anti-virus is not going to work on a Windows Server.

#12 rahanna (Member, Topic Starter, 96 posts)
Ron ... OK, I am on the Server now running OTL with the script that you gave me [ Run Fix ]

It is taking a while killing processes ...

You mentioned "Then run another OTL scan just like the last one and let's see how it looks now."

Do you mean the same script that I am using to [Run Fix] or the very first one that you sent me to [Run Scan]

Please let me know so I can be ready for the next step ...

Thanks,

#13 rahanna (Member, Topic Starter, 96 posts)
Ron ... I am not sure if the OTL with the script that you gave me is still running or it crashed ...

I clicked the [Run Fix] at 12:50pm and now it is 1:25pm and still shows [Killing Processes] ...

What do you think ... Should I wait or restart the Server ???

Please let me know ...

Thanks,

#14 RKinner (Malware Expert, MVP, 24,598 posts)
Expect OTL ran afoul of MalwareBytes. Uninstall MalwareBytes first then try the OTL script again. It shouldn't take very long.

Then run the otl on http://www.geekstogo...ost__p__2200080

#15 rahanna (Member, Topic Starter, 96 posts)
Ron ... I had to leave the office and won't have physical access until Tuesday in the afternoon ...

Currently, I can log in remotely but won't be able to run OTL remotely, as last time it crashed the server and I had to hard reboot it, so it is better to run it when I am physically at the office ...

I ran Malwarebytes and it gave me a Trojan.Agent.Gen that is now quarantined (See attached for 9/2 ) ...

What do you think I should run safely without crashing my Remote Connection ???

Thanks again for all your help and support ...