I am having trouble getting rid of some sort of virus plaguing my office computer network. I have ensured good protection using the Symantec Endpoint Protection solution to keep my server and clients safe from getting hit by viruses. But still something sneaked into the LAN.
Both the server and one of the client PCs are getting infected by many files with .exe extensions within the folders, e.g. New Folder .exe, XYZ .exe inside a folder called XYZ, and so on. Only a certain part of the hard disk is getting affected like this. Symantec acts whenever such risks start multiplying by identifying them as the W32.Imaut virus and says the action Cleaned By Deletion has been performed on them. Some 100s of files are cleaned like this twice daily, once in the morning and once in the evening, by both the server's and the client's Symantec package.
I have tried to find help from many sources but have not found any so far. I hope this could be the right place to find some solution to this menace. My daily routine is going on well without any interruption by these files; still, every day I feel my network should not go down with these infections.
Server - Windows Server 2008
Clients - Windows XP SP3
Kindly find an OTL log attached from the infected client. Just before I started writing this post, the client PC identified the files again and automatically cleaned them.
OTL logfile created on: 09/09/2012 5:30:59 AM - Run 1
OTL by OldTimer - Version 3.2.61.2 Folder = C:\Documents and Settings\WORKS\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy
1.99 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.64% Memory free
3.84 Gb Paging File | 2.70 Gb Available in Paging File | 70.46% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 82.79 Gb Free Space | 84.77% Space Free | Partition Type: NTFS
Drive D: | 368.10 Gb Total Space | 366.76 Gb Free Space | 99.63% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 858.09 Gb Free Space | 92.12% Space Free | Partition Type: NTFS
Computer Name: WORKS | User Name: WORKS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/09/09 05:30:11 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS\Desktop\OTL.exe
PRC - [2012/08/03 15:52:00 | 015,900,672 | ---- | M] (Adobe Systems, Incorporated) -- C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
PRC - [2011/06/17 16:31:10 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/06/17 16:31:08 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2009/07/16 09:05:10 | 000,114,688 | ---- | M] (JME) -- C:\Program Files\jmesoft\hotkey.exe
PRC - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
========== Modules (No Company Name) ==========
MOD - [2009/07/16 09:20:38 | 000,032,768 | ---- | M] () -- C:\Program Files\jmesoft\KeyHook.dll
MOD - [2001/06/29 18:38:20 | 000,712,751 | ---- | M] () -- C:\Program Files\Adobe\Photoshop 7.0\Asn.er.dll
========== Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2011/06/17 16:31:10 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/06/17 16:31:10 | 000,280,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/06/17 16:31:08 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/04 22:00:12 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120907.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/08/28 22:02:29 | 000,821,920 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120823.013\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/08/21 21:56:31 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120908.009\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/21 21:56:31 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120908.009\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/09 10:15:59 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/09 10:15:59 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/08/06 18:47:03 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/08/06 18:46:02 | 000,092,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SysPlant.sys -- (SysPlant)
DRV - [2011/06/17 16:31:12 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2011/06/17 16:31:12 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/06/17 16:31:12 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/06/17 16:31:12 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
DRV - [2011/06/17 16:31:12 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/06/17 16:31:12 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2011/06/17 16:31:10 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/06/17 16:31:10 | 000,023,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SyDvCtrl32.sys -- (SyDvCtrl)
DRV - [2010/09/28 21:20:08 | 006,150,760 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2009/11/18 07:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 07:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/11/06 21:55:08 | 001,590,528 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/10/14 12:29:54 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2009/10/02 07:24:10 | 000,158,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fei5132.sys -- (FEIExpress)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityrespo...r/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityrespo...r/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://securityrespo...r/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec...._sep_V12_1_MR_0
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2012/09/08 21:44:25 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2001/08/23 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O4 - HKLM..\Run: [jmekey] C:\Program Files\jmesoft\hotkey.exe (JME)
O4 - HKLM..\Run: [Yahoo Messenger] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3FDB8253-FDAF-49B7-B34C-D969FCBB237D}: NameServer = 192.168.1.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\WORKS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WORKS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/08/03 15:38:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0340450e-ddcb-11e1-90c0-b57d158713c0}\Shell - "" = AutoRun
O33 - MountPoints2\{0340450e-ddcb-11e1-90c0-b57d158713c0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0340450e-ddcb-11e1-90c0-b57d158713c0}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012/09/09 05:30:06 | 000,599,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WORKS\Desktop\OTL.exe
[2012/09/09 04:13:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Desktop\do
[2012/09/08 04:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Desktop\SARASHWATHI
[2012/09/02 04:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Desktop\New Folder (2)
[2012/08/12 05:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Local Settings\Application Data\PCHealth
[2012/08/12 05:24:46 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/08/12 05:17:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2012/08/12 05:15:59 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2012/08/12 05:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2012/08/12 05:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2012/08/12 05:13:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2012/08/12 05:12:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Local Settings\Application Data\Microsoft Help
[2012/08/12 05:12:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/08/12 05:12:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2012/08/12 05:12:05 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2012/08/11 23:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RICOH
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/09/09 05:30:11 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS\Desktop\OTL.exe
[2012/09/09 05:29:30 | 001,071,730 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\cpstud.psd
[2012/09/09 04:39:23 | 000,129,386 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\002.jpg
[2012/09/09 04:39:07 | 000,113,777 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\001.jpg
[2012/09/09 03:53:25 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\iMac Public.lnk
[2012/09/09 03:01:36 | 000,360,320 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/09 03:01:36 | 000,056,818 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/09 02:06:59 | 000,000,469 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\Mailing Labels.lnk
[2012/09/09 00:36:29 | 015,371,235 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\ANS Blue 20x20.pdf
[2012/09/08 21:44:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/08 06:41:01 | 000,128,181 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\nv ring side vive.jpg
[2012/09/06 08:09:20 | 000,061,297 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\CP Stud.jpg
[2012/09/06 06:11:03 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\WORKS\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/09/04 21:49:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/03 05:34:03 | 000,066,695 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\antique stud.jpg
[2012/08/31 22:02:38 | 001,133,812 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\Attachments_2012_08_31.zip
[2012/08/30 06:07:33 | 011,936,304 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\without address.tif
[2012/08/30 04:42:58 | 000,002,457 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Document Manager.lnk
[2012/08/25 21:48:23 | 000,006,656 | ---- | M] () -- C:\Documents and Settings\WORKS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/22 05:15:47 | 001,450,900 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\ANS.jpg
[2012/08/21 23:55:09 | 000,358,740 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\WINMAN CHALLAN.jpg
[2012/08/12 22:14:37 | 001,248,610 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\RapaportMarketReport_080912_Weekly.pdf
[2012/08/12 05:28:32 | 000,138,848 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/12 05:25:32 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/08/11 23:21:47 | 000,000,158 | ---- | M] () -- C:\WINDOWS\ricdb.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/09/09 04:39:22 | 000,129,386 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\002.jpg
[2012/09/09 04:39:04 | 000,113,777 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\001.jpg
[2012/09/09 00:36:28 | 015,371,235 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\ANS Blue 20x20.pdf
[2012/09/08 06:41:00 | 000,128,181 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\nv ring side vive.jpg
[2012/09/06 08:09:30 | 001,071,730 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\cpstud.psd
[2012/09/06 08:09:19 | 000,061,297 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\CP Stud.jpg
[2012/09/06 00:56:51 | 000,066,695 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\antique stud.jpg
[2012/08/31 22:02:37 | 001,133,812 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\Attachments_2012_08_31.zip
[2012/08/30 06:07:25 | 011,936,304 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\without address.tif
[2012/08/22 05:15:39 | 001,450,900 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\ANS.jpg
[2012/08/21 23:55:06 | 000,358,740 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\WINMAN CHALLAN.jpg
[2012/08/12 22:14:36 | 001,248,610 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\RapaportMarketReport_080912_Weekly.pdf
[2012/08/12 05:00:53 | 000,000,469 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\Mailing Labels.lnk
[2012/08/11 23:21:47 | 000,000,158 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2012/08/04 13:33:35 | 000,010,547 | R--- | C] () -- C:\WINDOWS\hpwscr19.dat
[2012/08/04 13:31:36 | 000,176,643 | ---- | C] () -- C:\WINDOWS\hpwins19.dat
[2012/08/04 13:31:35 | 000,000,997 | R--- | C] () -- C:\WINDOWS\hpwmdl19.dat
[2012/08/04 13:19:28 | 000,182,026 | ---- | C] () -- C:\WINDOWS\hpwins21.dat
[2012/08/04 13:19:28 | 000,000,575 | ---- | C] () -- C:\WINDOWS\hpwmdl21.dat
[2012/08/03 20:13:14 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\WORKS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/03 16:01:20 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2012/08/03 16:01:20 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2012/08/03 16:01:01 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2012/08/03 16:01:01 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2012/08/03 16:00:59 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2012/08/03 15:57:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/08/03 15:40:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/08/03 15:27:40 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/08/03 08:20:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/08/03 08:18:54 | 000,138,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
========== LOP Check ==========
[2012/08/11 23:21:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RICOH
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 60 bytes -> C:\Documents and Settings\WORKS\Desktop\antique stud.jpg:AFP_AfpInfo
@Alternate Data Stream - 49219 bytes -> C:\Documents and Settings\WORKS\Desktop\antique stud.jpg:AFP_Resource
< End of report >
Look forward to your help... Thanks in advance... Bashyam.