Clone Mailer/craigslistmailer invasion from Mars.

Discussion in 'Virus and Malware Removal' started by glhglh, Mar 9, 2013.

  1. glhglh TechSpot Maniac Posts: 316

    We really have not used the browsers over the years to protect it; that is why it is still Windows 8.
  2. glhglh TechSpot Maniac Posts: 316

    Chrome won't work on the server. Do you know of a safe, simple browser?
  3. Broni Malware Annihilator Posts: 39,288   +175

    Firefox?
  4. glhglh TechSpot Maniac Posts: 316

    I did get Chrome to work, but could not download the ESET file ("blocked by computer").

    I'll try Firefox this evening, but am a bit iffy; the program that installed the rogue on the computer used Firefox.

    But if we are clean, I'll delete Chrome and install Firefox.

    I did run another OTL (after finding the file exception for the rogue deep in Symantec EPP).

    OTL logfile created on: 3/10/2013 7:25:08 PM - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
    Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.99 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 26.82% Memory free
    4.84 Gb Paging File | 1.72 Gb Available in Paging File | 35.47% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 27.86 Gb Total Space | 7.22 Gb Free Space | 25.92% Space Free | Partition Type: NTFS
    Drive E: | 465.64 Gb Total Space | 109.55 Gb Free Space | 23.53% Space Free | Partition Type: NTFS
    Drive H: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32

    Computer Name: HEDCOGASERVER | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/03/09 17:28:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work\OTL.exe
    PRC - [2012/11/06 11:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
    PRC - [2012/11/06 11:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
    PRC - [2012/01/24 17:21:22 | 000,021,880 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
    PRC - [2012/01/24 17:11:56 | 000,705,912 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
    PRC - [2012/01/24 17:06:48 | 000,673,144 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
    PRC - [2011/11/28 15:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bengine.exe
    PRC - [2011/11/28 15:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe
    PRC - [2011/11/21 11:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beserver.exe
    PRC - [2011/09/09 13:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beremote.exe
    PRC - [2011/08/26 20:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
    PRC - [2011/08/26 20:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    PRC - [2011/08/10 06:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
    PRC - [2011/07/09 16:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\benetns.exe
    PRC - [2011/06/17 15:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe
    PRC - [2011/04/08 14:50:00 | 000,051,104 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\rotatelogs.exe
    PRC - [2011/04/08 14:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe
    PRC - [2011/03/28 17:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bedbg.exe
    PRC - [2011/02/22 18:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
    PRC - [2011/02/22 18:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
    PRC - [2011/02/16 05:23:48 | 000,145,152 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\jre\bin\java.exe
    PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
    PRC - [2010/07/26 22:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe
    PRC - [2010/01/27 12:22:02 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    PRC - [2007/04/09 12:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\store.exe
    PRC - [2007/02/17 07:04:04 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
    PRC - [2007/02/17 07:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
    PRC - [2007/02/17 07:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
    PRC - [2007/02/17 07:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
    PRC - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
    PRC - [2007/02/17 07:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/02/17 07:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
    PRC - [2005/09/20 18:53:14 | 000,154,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
    PRC - [2005/05/11 21:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    PRC - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
    PRC - [2005/03/02 18:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe
    PRC - [2004/10/18 10:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
    PRC - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
    PRC - [2004/10/18 10:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
    PRC - [2004/10/18 10:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
    PRC - [2004/10/18 10:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
    PRC - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
    PRC - [2004/04/02 01:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\mad.exe
    PRC - [2004/04/02 01:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe
    PRC - [2004/04/02 00:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\emsmta.exe
    PRC - [2004/04/02 00:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\srsmain.exe
    PRC - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/02/13 04:55:01 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
    MOD - [2013/02/13 04:19:06 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2013/02/13 04:16:55 | 000,113,664 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
    MOD - [2013/02/13 04:16:39 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
    MOD - [2013/01/09 05:12:34 | 000,627,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad737988d5bde126a3b7770eacc51e5b\System.Transactions.ni.dll
    MOD - [2013/01/09 05:11:53 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.ni.dll
    MOD - [2013/01/09 05:11:53 | 000,280,064 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.Wrapper.dll
    MOD - [2013/01/09 05:08:51 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
    MOD - [2013/01/09 05:05:00 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
    MOD - [2013/01/09 05:02:59 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\8462c03b4f10c4624feb95790d6d1e30\System.Data.ni.dll
    MOD - [2013/01/09 04:58:34 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
    MOD - [2013/01/09 04:57:54 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
    MOD - [2013/01/09 04:11:10 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
    MOD - [2013/01/09 04:11:08 | 000,471,040 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
    MOD - [2013/01/09 04:11:05 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
    MOD - [2012/01/12 07:00:20 | 000,131,072 | ---- | M] () -- c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\monitoring\b414b2d0\3ba7056a\xp74unmc.dll
    MOD - [2012/01/12 04:03:29 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
    MOD - [2011/12/26 06:02:43 | 000,258,048 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    MOD - [2007/06/29 09:35:32 | 000,819,200 | ---- | M] () -- c:\windows\assembly\gac\system.web.mobile\1.0.5000.0__b03f5f7f11d50a3a\system.web.mobile.dll
    MOD - [2007/06/29 09:35:20 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
    MOD - [2007/06/29 09:35:20 | 000,135,168 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
    MOD - [2007/06/29 09:35:17 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
    MOD - [2007/06/29 09:35:13 | 001,703,936 | ---- | M] () -- c:\windows\assembly\gac\system.design\1.0.5000.0__b03f5f7f11d50a3a\system.design.dll
    MOD - [2007/06/29 09:35:12 | 001,298,432 | ---- | M] () -- c:\windows\assembly\gac\system.data\1.0.5000.0__b77a5c561934e089\system.data.dll
    MOD - [2007/06/29 09:35:10 | 001,359,872 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
    MOD - [2007/06/29 09:35:08 | 000,057,344 | ---- | M] () -- c:\windows\assembly\gac\system.web.regularexpressions\1.0.5000.0__b03f5f7f11d50a3a\system.web.regularexpressions.dll
    MOD - [2007/06/29 09:35:07 | 000,241,664 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.dll
    MOD - [2007/06/29 09:35:07 | 000,090,112 | ---- | M] () -- c:\windows\assembly\gac\system.directoryservices\1.0.5000.0__b03f5f7f11d50a3a\system.directoryservices.dll
    MOD - [2007/06/29 09:35:07 | 000,066,560 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.thunk.dll
    MOD - [2007/06/29 09:35:06 | 000,720,896 | ---- | M] () -- c:\windows\assembly\gac\microsoft.jscript\7.0.5000.0__b03f5f7f11d50a3a\microsoft.jscript.dll
    MOD - [2007/04/09 12:29:17 | 000,201,728 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\EXMIME.dll
    MOD - [2007/01/31 20:51:29 | 001,088,000 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\davex.dll
    MOD - [2005/10/31 13:21:37 | 000,105,080 | ---- | M] () -- c:\windows\assembly\gac\system.web.ui.mobilecontrols.adapters\1.1.0.0__b03f5f7f11d50a3a\system.web.ui.mobilecontrols.adapters.dll
    MOD - [2005/09/25 17:19:16 | 000,077,824 | ---- | M] () -- c:\windows\assembly\gac\system.configuration.install\1.0.5000.0__b03f5f7f11d50a3a\system.configuration.install.dll
    MOD - [2005/09/25 17:19:16 | 000,032,768 | ---- | M] () -- c:\windows\assembly\gac\microsoft.vsa\7.0.5000.0__b03f5f7f11d50a3a\microsoft.vsa.dll
    MOD - [2005/09/25 17:19:16 | 000,012,288 | ---- | M] () -- c:\windows\assembly\gac\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll
    MOD - [2005/09/25 17:19:16 | 000,007,680 | ---- | M] () -- c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll
    MOD - [2005/09/25 17:19:16 | 000,006,144 | ---- | M] () -- c:\windows\assembly\gac\microsoft.visualc\7.0.5000.0__b03f5f7f11d50a3a\microsoft.visualc.dll
    MOD - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
    MOD - [2005/03/24 19:49:08 | 000,348,160 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll
    MOD - [2004/10/18 10:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
    MOD - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
    MOD - [2004/10/18 10:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
    MOD - [2004/10/18 10:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
    MOD - [2004/10/18 10:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
    MOD - [2004/10/11 23:52:53 | 000,619,520 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\dsaccess.DLL
    MOD - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
    MOD - [2004/04/01 18:15:00 | 000,063,248 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LSATQ.DLL
    MOD - [2003/08/01 19:28:22 | 000,060,928 | ---- | M] () -- C:\Program Files\TightVNC\VNCHooks.dll
    MOD - [2003/06/20 15:24:13 | 000,070,144 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Exosal.dll
    MOD - [2003/06/03 00:20:24 | 000,084,480 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Epoxy.dll
    MOD - [2003/06/03 00:20:24 | 000,028,672 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\tokenm.dll
    MOD - [2003/06/02 23:12:51 | 000,192,512 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LisRTL.DLL


    ========== Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
    SRV - [2012/11/06 11:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
    SRV - [2012/11/06 11:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
    SRV - [2012/01/24 17:21:22 | 000,021,880 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe -- (APC Data Service)
    SRV - [2012/01/24 17:11:56 | 000,705,912 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
    SRV - [2011/11/28 15:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
    SRV - [2011/11/28 15:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
    SRV - [2011/11/21 11:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
    SRV - [2011/10/11 12:49:00 | 000,124,272 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- E:\Program Files\Symantec\Backup Exec\BackupExecManagementService.exe -- (BackupExecManagementService)
    SRV - [2011/09/09 13:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
    SRV - [2011/08/26 20:26:54 | 000,280,496 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
    SRV - [2011/08/26 20:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
    SRV - [2011/08/26 20:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
    SRV - [2011/08/10 06:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS)
    SRV - [2011/07/09 16:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
    SRV - [2011/06/17 15:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe -- (semsrv)
    SRV - [2011/05/03 18:27:16 | 003,114,424 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2011/04/08 14:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe -- (semwebsrv)
    SRV - [2011/03/28 17:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bedbg.exe -- (bedbg)
    SRV - [2011/02/22 18:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe -- (DLOMaintenanceSvc)
    SRV - [2011/02/22 18:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe -- (DLOAdminSvcu)
    SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2010/07/26 22:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe -- (SQLANYs_sem5)
    SRV - [2007/04/09 12:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\store.exe -- (MSExchangeIS)
    SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
    SRV - [2007/02/17 07:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
    SRV - [2007/02/17 07:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
    SRV - [2007/02/17 07:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
    SRV - [2007/02/17 07:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
    SRV - [2007/02/17 07:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
    SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
    SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
    SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
    SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc)
    SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
    SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
    SRV - [2007/02/17 07:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
    SRV - [2007/02/17 07:02:54 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
    SRV - [2005/07/22 10:08:50 | 000,040,960 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\SD3Service.exe -- (Supero SD3Service Daemon)
    SRV - [2005/07/22 10:02:34 | 000,131,072 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\NTService.exe -- (SuperMicro Health Assistant)
    SRV - [2005/05/11 21:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
    SRV - [2005/05/11 21:45:23 | 000,050,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
    SRV - [2005/05/11 21:45:23 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
    SRV - [2005/04/29 17:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
    SRV - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () [Auto | Running] -- C:\Program Files\3ware\3DM2\3dm2.exe -- (3DM2)
    SRV - [2005/03/02 18:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe -- (BMISFA)
    SRV - [2005/01/25 19:25:38 | 000,042,776 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\XFR.EXE -- (Intel File Transfer)
    SRV - [2005/01/25 19:24:30 | 000,059,168 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\IAO.EXE -- (Intel Alert Originator)
    SRV - [2005/01/25 19:24:10 | 000,038,696 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler)
    SRV - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe -- (gamscm)
    SRV - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\SpySer.exe -- (SpySer)
    SRV - [2004/04/02 01:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
    SRV - [2004/04/02 01:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
    SRV - [2004/04/02 00:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
    SRV - [2004/04/02 00:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
    SRV - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
    SRV - [2003/06/03 00:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Exchsrvr\bin\events.exe -- (MSExchangeES)
    SRV - [2001/06/06 11:12:02 | 000,552,960 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\xitami\xiwinnt.exe -- (Xitami)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
    DRV - [2013/02/26 12:49:04 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130310.007\NAVEX15.SYS -- (NAVEX15)
    DRV - [2013/02/26 12:49:04 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130310.007\NAVENG.SYS -- (NAVENG)
    DRV - [2013/02/26 12:49:03 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2013/02/26 12:49:03 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2013/01/29 14:06:07 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2012/11/06 11:55:23 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2012/09/04 21:34:32 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2011/08/26 20:51:30 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2011/08/26 20:29:38 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
    DRV - [2011/08/26 20:29:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
    DRV - [2011/08/26 20:29:32 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
    DRV - [2011/08/26 20:29:28 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
    DRV - [2011/08/26 20:29:28 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
    DRV - [2011/08/26 20:29:26 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
    DRV - [2011/08/26 20:27:34 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
    DRV - [2011/08/24 08:42:50 | 000,124,536 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
    DRV - [2011/03/14 07:53:42 | 000,229,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2010/09/07 18:34:00 | 000,028,848 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
    DRV - [2010/01/27 12:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2010/01/27 12:22:02 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2007/08/23 23:00:00 | 000,020,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
    DRV - [2007/02/16 23:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
    DRV - [2007/02/16 23:06:42 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
    DRV - [2007/02/16 23:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
    DRV - [2007/02/16 22:56:08 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
    DRV - [2007/02/16 22:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
    DRV - [2005/09/26 14:37:02 | 000,071,168 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\3wareDrv.sys -- (3wareDrv)
    DRV - [2005/06/22 12:23:18 | 000,009,984 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\smbus.sys -- (SMBus)
    DRV - [2005/01/07 10:03:12 | 000,192,292 | ---- | M] (LSI Logic Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\MegaIDE.sys -- (MegaIDE)
    DRV - [2004/06/24 17:38:28 | 000,010,752 | R--- | M] (Intel (R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\svgam.sys -- (svgam)
    DRV - [2004/06/10 14:28:58 | 000,014,174 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\SUPERBMC.SYS -- (superbmc)
    DRV - [2004/04/02 00:08:21 | 000,195,968 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
    DRV - [2001/06/20 05:05:54 | 000,003,853 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\IsaIoNt.sys -- (ISAIONT)
    DRV - [2000/11/12 07:14:18 | 000,003,908 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\memmapnt.sys -- (MemMapNt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes,DefaultScope = {9630FDCF-65AA-45F7-94F3-933E886905E1}
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{84154F03-8976-40C7-912E-621E1193AD1D}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{9630FDCF-65AA-45F7-94F3-933E886905E1}: "URL" = http://www.google.com/search?q={sea...tartIndex={startIndex?}&startPage={startPage}
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2013/03/10 00:43:08 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2005/05/11 21:45:23 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
    O4 - HKLM..\Run: [Display] C:\Program Files\APC\PowerChute Personal Edition\DataCollectionLauncher.exe (Schneider Electric)
    O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (Symantec Corporation)
    O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
    O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
    O4 - Startup: C:\Documents and Settings\backup_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\symantec_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab (DownloadManager Control)
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146765840875 (MUWebControl Class)
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Housecall ActiveX 6.5)
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://hedcogaserver/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
    O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://symantec.webex.com/client/T26L/support/ieatgpc.cab (GpcContainer Class)
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hedrick.local
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5DDD41BD-9193-4897-93B5-2A6887F38683}: NameServer = 192.168.1.5
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/09/25 17:23:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/03/09 16:09:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
    [2013/03/09 14:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\RK_Quarantine
    [2013/03/09 12:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/03/09 12:42:16 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2013/03/09 12:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
    [2013/02/24 15:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\MassSender
    [2013/02/20 04:34:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
    [2013/02/20 04:33:50 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2013/02/12 20:54:31 | 000,630,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
    [2013/02/12 20:54:30 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
    [2013/02/12 20:54:29 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
    [2013/02/12 20:54:29 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
    [2013/02/12 20:54:26 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
    [2013/02/12 20:54:21 | 001,212,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
    [2013/02/12 20:54:01 | 006,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
    [2012/02/25 00:05:34 | 000,019,832 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\zh_res.dll
    [2011/11/16 14:45:59 | 013,923,704 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\PCPE Setup.exe
    [2011/11/16 14:45:59 | 001,079,808 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\mfc80u.dll
    [2011/11/16 14:45:59 | 000,626,688 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\msvcr80.dll
    [2011/11/16 14:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\grm_res.dll
    [2011/11/16 14:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\fr_res.dll
    [2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\pt_res.dll
    [2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\it_res.dll
    [2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\es_res.dll
    [2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\en_res.dll
    [2011/11/16 14:45:59 | 000,020,856 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\ru_res.dll
    [2011/11/16 14:45:59 | 000,020,344 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\jp_res.dll

    ========== Files - Modified Within 30 Days ==========

    [2013/03/10 19:25:11 | 000,002,584 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
    [2013/03/10 18:54:13 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job
    [2013/03/10 06:08:31 | 000,004,768 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
    [2013/03/10 06:01:11 | 000,000,562 | ---- | M] () -- C:\WINDOWS\tasks\Small Business Server - Server Status Report - Server Performance Report.job
    [2013/03/10 04:31:53 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job
    [2013/03/10 01:09:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2013/03/10 00:59:49 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
    [2013/03/10 00:59:19 | 000,013,744 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2013/03/10 00:56:04 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
    [2013/03/10 00:41:16 | 3211,243,520 | -HS- | M] () -- C:\hiberfil.sys
    [2013/03/09 12:42:29 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/03/09 12:13:20 | 000,001,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
    [2013/03/08 13:06:02 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a5a4616e-2ee7-11da-95a6-806e6f6e6963}.job
    [2013/03/08 13:05:04 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{b59eb2dc-2dd0-11da-80e0-806e6f6e6963}.job
    [2013/02/19 20:54:21 | 000,001,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
    [2013/02/14 05:24:47 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2013/02/14 04:33:04 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2013/02/13 04:25:24 | 001,107,520 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2013/02/13 04:25:24 | 000,316,212 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

    ========== Files Created - No Company Name ==========

    [2013/03/09 12:42:29 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/03/09 12:13:17 | 000,001,515 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
    [2013/02/22 04:49:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2013/01/09 05:15:02 | 000,132,832 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2012/08/17 09:11:07 | 000,060,304 | ---- | C] () -- C:\Documents and Settings\Administrator\g2mdlhlpx.exe
    [2012/08/17 09:05:09 | 000,002,871 | ---- | C] () -- C:\Documents and Settings\Administrator\.plugin141_05.trace
    [2011/11/16 14:46:05 | 013,338,112 | ---- | C] () -- C:\Documents and Settings\Administrator\PCPE_3.0.1.msi
    [2011/11/16 14:45:59 | 000,018,808 | ---- | C] () -- C:\Documents and Settings\Administrator\ResourceReader.dll
    [2011/07/06 14:38:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2011/06/20 14:28:14 | 000,036,060 | ---- | C] () -- C:\WINDOWS\System32\BEPerfDll.ini
    [2008/02/22 15:58:52 | 000,017,090 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2005/10/31 12:35:21 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
    [2005/10/31 11:57:05 | 000,004,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

    ========== ZeroAccess Check ==========

    [2005/09/25 17:19:11 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2007/12/21 15:28:05 | 001,508,352 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 04:02:57 | 000,483,840 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007/02/17 07:03:19 | 000,278,016 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    < End of report >

    I have accounted for all of the IP addresses from this; the two I was worried about are her VoIP phones, 192.168.1.201 & 202.
  5. Broni Malware Annihilator Posts: 39,288   +175

    I don't see anything malicious there.

    I'm not sure what you mean by "blocked by computer"
  6. glhglh TechSpot Maniac Posts: 316

    Don't give up on me, Mr. Broni; three 12-hour days are too hard on an old man. I'll work on my wife's servers on Saturday, same with the other ticket. I have tried to defrag, but one only went from 22% to 15%; I'll try again tonight.

    Is there an app that might work better on the server?
  7. Broni Malware Annihilator Posts: 39,288   +175

  8. glhglh TechSpot Maniac Posts: 316

    I did a defrag, and it helped a bit, but

    Yes, I tried to download and install several browsers on the GA server (1st problem). I was able to download and load anything onto the Data server, but I could not use the mapped Data Server drive on the GA server to load a program. From the Data server, I tried to download several programs from TechSpot. I keep getting messages saying that the "security settings computer will not allow TechSpot to load". I also get an option to add TechSpot to the exception list of Symantec Endpoint. A popup also shows up offering to add TechSpot to the exceptions list, but even though the list includes all sites that start with http:, it says it will only allow https:, which does no good for allowing a download.

    I checked all of the security settings on IE (even put them on "low" settings and tried again), blocked.

    Any ideas?
  9. glhglh TechSpot Maniac Posts: 316

    The Data server has been frozen for about an hour, so I just started a hard close down and reboot. The boot takes about 10 minutes.
  10. glhglh TechSpot Maniac Posts: 316

    Just performed this update (it started with the reboot), and it is rebooting again.

    This is what it loaded:

    Downloading Security Update for Windows Server 2003 (KB2807986) (update 1 of 1)... done!
    Initializing installation... done!
    Installing Security Update for Windows Server 2003 (KB2807986) (update 1 of 1)...
  11. Broni Malware Annihilator Posts: 39,288   +175

    What are the current issues if any?
  12. glhglh TechSpot Maniac Posts: 316

    These are the messages I've been fighting:

    "You are attempting to download a file from a site that is not part of your trusted sites and that might be different from the website you are viewing:
    http://www.techspot.com
    Then, if you trust this website, you can lower security settings for the site by adding it to the Trusted sites zone. If you know the website is on your local intranet, review help for instructions on adding the site to the local intranet zone instead.
    Important: adding this website to the Trusted sites zone will lower the settings for all content from this website for all applications, including Internet Explorer."
    Then after setting all the Internet Explorer settings to the lowest possible level, adding Techspot.com to the "trusted sites", and rebooting, when I tried to download the Firefox browser from the downloads section, I get a message at the
    "To help protect your security, Internet Explorer blocked this site from downloading files to your computer, click here for options."
    Then the only option is to download, and it is a circle.



    SYMANTEC TAMPER PROTECTION ALERT
    Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Help\ClientHelp.chm
    Event Info: Set Attributes File
    ActionTaken: Logged
    Actor Process: C:\WINDOWS\SYSTEM32\CIDAEMON.EXE (PID 7932)
    Time: Sunday, March 17, 2013 12:32:09 AM

    But, by working on it in the morning (as opposed to late after a long day), I was able to download to the Data Server, use the mapped drive to save the Firefox installation program to the GA Server drive E:, then install it onto drive E: and load it into the E: program files. Then start it, get to ESET, play the same game and load ESET onto the GA server, and finally it is running on the GA server.

    I'll report when it is completed.
  13. glhglh TechSpot Maniac Posts: 316

    ESET is still running. It shows one found, something like Win32/OpenCandy application.

    It probably won't be done running till tomorrow. It is a very big and old and slow hard disk.
  14. glhglh TechSpot Maniac Posts: 316

    On the Data server, ESET found one:
    E:\Company\1 from bgm to glh\siw-setup.exe Win32/OpenCandy application cleaned by deleting - quarantined.

    And deleted it.
  15. Broni Malware Annihilator Posts: 39,288   +175

    You should be good to go.
  16. glhglh TechSpot Maniac Posts: 316

    Thank You Very Much for your Help & patience!
  17. Broni Malware Annihilator Posts: 39,288   +175

    You're very welcome