I need some help getting rid of a virus on a Server 2008 R2 x64 domain controller/file server.
I'm using Symantec Endpoint Protection Small Business 2013.
Symantec finds and removes/quarantines the file, but it keeps coming back. As a test, I disconnected the internet, deleted the infected file, and it did not reappear. As soon as I plugged the internet back in, the file reappeared.
I rebuilt the hosts file using hoster.exe and made the file
The file names show as xskd.exe, cjxnd.exe, vmeil.exe. When checking the properties of the files, it shows the owners as different people on the network, i.e. one time it showed a user's name; I deleted the file, it reappeared and showed the administrator as the owner instead.
I've tried numerous other programs, such as Malwarebytes, TDSSKiller, the SEP support tool, AVG, Avast, ComboFix, HijackThis, etc. Symantec Endpoint seems to be the only program so far that blocks the infection.
I used Process Explorer to try and get more info on the infected files, but it will not see or find the infected files listed above.
The other workstations in the environment have Endpoint 2013 installed as well and do not show this infection. On the server, the C:\ appears clean; just the D:\ is showing the infections.
The Windows Firewall is enabled and the router's built-in firewall is active as well.
Any thoughts or suggestions on how to get this removed will be greatly appreciated!
Below is the log from OTL:
OTL logfile created on: 11/12/2012 1:12:55 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\administrator.RTC\Desktop\Anti Virus
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTDomainController
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
10.00 Gb Total Physical Memory | 7.70 Gb Available Physical Memory | 77.06% Memory free
19.99 Gb Paging File | 18.54 Gb Available in Paging File | 92.71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 68.23 Gb Total Space | 45.37 Gb Free Space | 66.50% Space Free | Partition Type: NTFS
Drive D: | 341.66 Gb Total Space | 271.54 Gb Free Space | 79.48% Space Free | Partition Type: NTFS
Computer Name: RTC-CINCY | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/11/12 13:10:15 | 000,022,016 | ---- | M] (WhitSoft Development) -- c:\ems_temp\kf51575.exe
PRC - [2012/11/12 12:01:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\administrator.RTC\Desktop\Anti Virus\OTL.exe
PRC - [2012/10/30 09:39:19 | 000,136,784 | ---- | M] (Cisco WebEx LLC) -- C:\Windows\SysWOW64\atashost.exe
PRC - [2012/10/12 14:32:58 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\PlatformAgent32\ccSvcHst.exe
PRC - [2012/10/12 12:10:04 | 000,196,608 | ---- | M] (Kaseya) -- c:\ems_temp\KORepStatus.exe
PRC - [2012/10/12 12:10:04 | 000,196,608 | ---- | M] (Kaseya) -- c:\ems_temp\KORepCln.exe
PRC - [2012/10/08 17:44:47 | 000,212,992 | ---- | M] (Kaseya International Limited) -- c:\ems_temp\KRlyCLis.exe
PRC - [2012/10/08 17:42:17 | 000,196,608 | ---- | M] (Kaseya International Limited) -- c:\ems_temp\KRlyCCon.exe
PRC - [2012/05/16 06:58:52 | 000,484,816 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\AntiVirus\SEPAgent.exe
PRC - [2012/03/21 16:50:54 | 000,409,600 | ---- | M] (Kaseya International Limited) -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\KaUsrTsk.exe
PRC - [2012/03/21 16:50:46 | 000,856,064 | ---- | M] (Kaseya International Limited) -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\AgentMon.exe
PRC - [2011/06/29 18:04:50 | 000,386,864 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2011/06/29 18:02:26 | 001,894,280 | ---- | M] (Acronis) -- c:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
PRC - [2011/06/29 17:44:26 | 004,599,152 | ---- | M] (Acronis) -- c:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
PRC - [2011/06/29 17:39:06 | 000,953,320 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe
PRC - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Rtvscan.exe
PRC - [2009/09/17 18:55:12 | 000,050,544 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\ProtectionUtilSurrogate.exe
PRC - [2009/09/17 18:27:16 | 000,353,608 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\SescLU.exe
PRC - [2009/07/24 23:32:40 | 000,312,736 | ---- | M] (RealVNC Ltd.) -- C:\Program Files (x86)\RealVNC\VNC4\vncclipboard.exe
PRC - [2009/07/24 23:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) -- C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
PRC - [2009/07/08 20:14:40 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2007/08/02 01:29:44 | 000,032,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe
PRC - [2007/07/25 17:29:28 | 000,692,224 | ---- | M] (SHARP CORPORATION) -- C:\Program Files (x86)\Sharp\Sharpdesk\FTPServer.exe
PRC - [2007/07/25 17:26:56 | 000,544,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files (x86)\Sharp\Sharpdesk\nsapp.exe
========== Modules (No Company Name) ==========
MOD - [2011/11/07 13:21:10 | 000,925,696 | ---- | M] () -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\libkacm.dll
MOD - [2007/07/25 17:40:06 | 000,565,248 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\SCprMfpif.dll
MOD - [2007/07/25 17:34:08 | 000,006,144 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\discoveryps.dll
MOD - [2007/07/25 17:32:32 | 000,200,704 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\NSSoap.dll
MOD - [2007/07/25 17:29:40 | 000,212,992 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\FtpServerps.dll
========== Services (SafeList) ==========
SRV:64bit: - [2012/10/12 14:33:00 | 000,191,856 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\PlatformAgent\ccSvcHst.exe -- (SsPaAdm)
SRV:64bit: - [2012/10/12 14:32:58 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\PlatformAgent32\ccSvcHst.exe -- (ssPaSetMgr)
SRV:64bit: - [2012/05/16 06:58:52 | 000,484,816 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\AntiVirus\SEPAgent.exe -- (ssSpnAv)
SRV:64bit: - [2011/12/26 01:45:13 | 000,696,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dns.exe -- (DNS)
SRV:64bit: - [2010/11/20 22:25:21 | 001,020,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ntfrs.exe -- (NtFrs)
SRV:64bit: - [2010/11/20 22:24:34 | 003,489,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\srmsvc.dll -- (SrmSvc)
SRV:64bit: - [2010/11/20 22:24:34 | 000,729,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpssvc.dll -- (DHCPServer)
SRV:64bit: - [2010/11/20 22:24:34 | 000,343,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\WSDScanRepository.dll -- (ScanServer)
SRV:64bit: - [2010/11/20 22:24:34 | 000,076,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\srmhost.exe -- (SrmReports)
SRV:64bit: - [2010/11/20 22:24:30 | 004,518,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dfsrs.exe -- (DFSR)
SRV:64bit: - [2010/11/20 22:24:30 | 000,377,344 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dfssvc.exe -- (Dfs)
SRV:64bit: - [2010/11/20 22:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ismserv.exe -- (IsmServ)
SRV:64bit: - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Rtvscan.exe -- (Symantec AntiVirus)
SRV:64bit: - [2009/09/17 18:37:56 | 003,197,256 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Smc.exe -- (SmcService)
SRV:64bit: - [2009/09/17 17:22:16 | 000,411,976 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\SNAC64.EXE -- (SNAC)
SRV:64bit: - [2009/07/13 20:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/13 20:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/13 20:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV - [2012/10/30 09:39:19 | 000,136,784 | ---- | M] (Cisco WebEx LLC) [Auto | Running] -- C:\Windows\SysWOW64\atashost.exe -- (atashost)
SRV - [2012/03/21 16:50:46 | 000,856,064 | ---- | M] (Kaseya International Limited) [Auto | Running] -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\AgentMon.exe -- (KAEMRMNG80234260341244)
SRV - [2011/06/29 18:06:06 | 001,083,800 | ---- | M] (Acronis) [Auto | Running] -- c:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2011/06/29 18:02:26 | 001,894,280 | ---- | M] (Acronis) [Auto | Running] -- c:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe -- (AcronisAgent)
SRV - [2011/06/29 17:44:26 | 004,599,152 | ---- | M] (Acronis) [Auto | Running] -- c:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe -- (MMS)
SRV - [2010/11/20 22:25:07 | 000,487,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe -- (ADWS)
SRV - [2009/07/24 23:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe -- (WinVNC4)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2012/11/07 11:30:00 | 000,172,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2012/10/12 10:37:53 | 000,971,360 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2012/10/12 10:37:51 | 000,272,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/06/23 10:09:02 | 000,030,792 | ---- | M] (Kaseya) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\KAPFA.sys -- (KAPFA)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 22:24:30 | 000,066,944 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\dfsrro.sys -- (DfsrRo)
DRV:64bit: - [2010/11/20 22:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/20 22:24:00 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2010/11/20 22:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009/08/25 20:05:48 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2009/08/25 20:05:46 | 000,481,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\srtspl64.sys -- (SRTSPL)
DRV:64bit: - [2009/08/25 20:05:44 | 000,443,952 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,051,776 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\dfs.sys -- (DfsDriver)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:45:46 | 000,168,016 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\quota.sys -- (Quota)
DRV:64bit: - [2009/07/13 20:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/07/13 20:45:45 | 000,079,936 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\datascrn.sys -- (Datascrn)
DRV:64bit: - [2009/07/13 19:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/06/10 15:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:26 | 000,071,680 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bxnd60a.sys -- (l2nd)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2012/10/18 07:47:26 | 002,084,000 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20121111.008\ex64.sys -- (NAVEX15)
DRV - [2012/10/18 07:47:26 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2012/10/18 07:47:26 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/10/18 07:47:26 | 000,126,112 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20121111.008\eng64.sys -- (NAVENG)
DRV - [2012/10/12 14:33:00 | 000,167,072 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\Symantec.cloud\ccSetx64.sys -- (ccSet_Cloud)
DRV - [2009/08/25 20:05:48 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)
DRV - [2009/08/25 20:05:46 | 000,481,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)
DRV - [2009/08/25 20:05:44 | 000,443,952 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.10.*
O1 HOSTS File: ([2012/11/12 13:11:16 | 000,000,686 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] c:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [SymantecPaui] C:\Program Files\Symantec.cloud\PlatformAgent\PAUI.exe (Symantec Corporation)
O4 - HKLM..\Run: [AcronisTimounterMonitor] c:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [FtpServer.exe] C:\Program Files (x86)\Sharp\Sharpdesk\FtpServer.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [IndexTray] C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [KASHEMRMNG80234260341244] C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\KaUsrTsk.exe (Kaseya International Limited)
O4 - HKLM..\Run: [SharpTray] C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [TypeRegChecker] C:\Program Files (x86)\Sharp\Sharpdesk\TypeRegChecker.exe (SHARP CORPORATION)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} http://netwatch.emer...c/kaxRemote.dll (kasRmtHlp Class)
O16 - DPF: {B65B1DCC-D421-4F3C-8F8F-909BDD967120} http://netwatch.emer...uginManager.cab (PluginManager Class)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://symantec.web...rt/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTC.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8A63EE45-BE58-4760-9BA9-1CAEA3BD1765}: Domain = rtc.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8A63EE45-BE58-4760-9BA9-1CAEA3BD1765}: NameServer = 127.0.0.1,192.168.1.2
O18:64bit: - Protocol\Handler\sds - No CLSID value found
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files (x86)\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (pwdssp.dll) - File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2012/11/09 14:01:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/11/09 14:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/11/07 11:29:53 | 000,172,592 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/11/07 11:29:46 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2012/11/07 11:28:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2012/11/07 11:28:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2012/11/07 11:28:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2012/11/07 11:00:47 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/10/30 09:43:58 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Roaming\SPE
[2012/10/30 09:39:26 | 000,219,216 | ---- | C] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atsckernel.exe
[2012/10/30 09:39:25 | 000,136,784 | ---- | C] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atashost.exe
[2012/10/30 09:38:50 | 000,000,000 | ---D | C] -- C:\ProgramData\WebEx
[2012/10/30 07:56:55 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Local\NPE
[2012/10/30 07:56:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2012/10/29 12:55:46 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Local\Symantec
[2012/10/29 12:53:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2012/10/29 12:53:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symantec.cloud
[2012/10/29 12:52:57 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\Symantec.cloud
[2012/10/29 12:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec.cloud
[2012/10/29 12:35:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec Hosted Services
[2012/10/29 12:22:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec.cloud
[2012/10/24 09:12:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/10/24 09:12:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/10/15 14:49:37 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Roaming\Macromedia
[2012/10/15 14:49:35 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Roaming\Adobe
[2012/10/15 14:49:25 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2012/10/15 14:49:23 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012/10/15 14:48:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
========== Files - Modified Within 30 Days ==========
[2012/11/12 13:11:16 | 000,000,686 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/11/12 05:31:48 | 000,021,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/12 05:31:48 | 000,021,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/08 10:45:21 | 000,787,988 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/11/08 10:45:21 | 000,671,188 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/11/08 10:45:21 | 000,120,238 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/11/08 10:37:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/07 11:30:00 | 000,172,592 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/11/07 11:30:00 | 000,007,440 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/11/07 11:30:00 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/11/01 07:43:35 | 000,001,994 | -H-- | M] () -- C:\Users\administrator.RTC\Documents\Default.rdp
[2012/10/30 09:39:19 | 000,136,784 | ---- | M] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atashost.exe
[2012/10/30 09:39:17 | 000,219,216 | ---- | M] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atsckernel.exe
[2012/10/29 12:22:51 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/10/29 12:16:31 | 000,804,738 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
========== Files Created - No Company Name ==========
[2012/11/07 11:29:53 | 000,007,440 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/11/07 11:29:53 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/10/22 13:12:55 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/10/22 13:12:42 | 000,804,738 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/10/12 10:49:17 | 000,323,072 | ---- | C] () -- C:\Windows\SysWow64\hpcc3121.dll
[2012/10/12 09:45:18 | 000,421,286 | ---- | C] () -- C:\Users\administrator.RTC\AppData\Roaming\fontlst2.opf
[2012/10/08 20:12:07 | 000,002,412 | RHS- | C] () -- C:\ProgramData\ntuser.pol
========== ZeroAccess Check ==========
[2009/07/13 23:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 00:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:24 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
========== LOP Check ==========
[2012/10/09 18:04:32 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\Kaseya
[2012/10/10 17:46:28 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\NASNaviator2
[2012/10/12 09:45:22 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\Sharpdesk
[2012/10/30 09:43:58 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\SPE
========== Purity Check ==========
< End of report >
Thanks,
Andrew