Solved Spreading problems in network?

glhglh

On the data server:
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP 64 / Windows Home Server / Windows Server 2003 (5.2.3790 Service Pack 2) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 03/09/2013 13:52:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x8094F21A -> HOOKED (Unknown @ 0x8A868B08)
SSDT[14] : NtAlertThread @ 0x8094F1CA -> HOOKED (Unknown @ 0x8A82F7B0)
SSDT[18] : NtAllocateVirtualMemory @ 0x80843EA6 -> HOOKED (Unknown @ 0x8A869F38)
SSDT[21] : NtAssignProcessToJobObject @ 0x80951714 -> HOOKED (Unknown @ 0x8A0DD580)
SSDT[33] : NtConnectPort @ 0x809202D8 -> HOOKED (Unknown @ 0x8A8C8170)
SSDT[45] : NtCreateMutant @ 0x80994804 -> HOOKED (Unknown @ 0x8A869060)
SSDT[54] : NtCreateSymbolicLinkObject @ 0x8093D6BA -> HOOKED (Unknown @ 0x8A869620)
SSDT[55] : NtCreateThread @ 0x8094AE46 -> HOOKED (Unknown @ 0x8A867A58)
SSDT[59] : NtDebugActiveProcess @ 0x809A186A -> HOOKED (Unknown @ 0x8A0DD6D0)
SSDT[71] : NtDuplicateObject @ 0x8093629A -> HOOKED (Unknown @ 0x8A830708)
SSDT[87] : NtFreeVirtualMemory @ 0x80857640 -> HOOKED (Unknown @ 0x8A830A98)
SSDT[93] : NtImpersonateAnonymousToken @ 0x80974910 -> HOOKED (Unknown @ 0x8A869150)
SSDT[95] : NtImpersonateThread @ 0x809525E2 -> HOOKED (Unknown @ 0x8A868A28)
SSDT[101] : NtLoadDriver @ 0x808FA04E -> HOOKED (Unknown @ 0x8B742E10)
SSDT[113] : NtMapViewOfSection @ 0x8092D4AC -> HOOKED (Unknown @ 0x8A82F350)
SSDT[120] : NtOpenEvent @ 0x8098BBE6 -> HOOKED (Unknown @ 0x8A0DE130)
SSDT[128] : LdrShutdownThread @ 0x80944A68 -> HOOKED (Unknown @ 0x8A0DC008)
SSDT[129] : NtOpenProcessToken @ 0x80968E04 -> HOOKED (Unknown @ 0x8A830648)
SSDT[131] : NtOpenSection @ 0x809268C6 -> HOOKED (Unknown @ 0x8A17B2D0)
SSDT[134] : NtOpenThread @ 0x80944CF6 -> HOOKED (Unknown @ 0x8A0DC090)
SSDT[143] : NtProtectVirtualMemory @ 0x80931D92 -> HOOKED (Unknown @ 0x8A0DD490)
SSDT[214] : NtResumeThread @ 0x8094F058 -> HOOKED (Unknown @ 0x8A82F890)
SSDT[221] : NtSetContextThread @ 0x8094CA2A -> HOOKED (Unknown @ 0x8A8206F8)
SSDT[237] : NtSetInformationProcess @ 0x8094792A -> HOOKED (Unknown @ 0x8A8207D8)
SSDT[249] : NtSetSystemInformation @ 0x8098DB5E -> HOOKED (Unknown @ 0x8A0DD7B0)
SSDT[262] : NtSuspendProcess @ 0x8094F11E -> HOOKED (Unknown @ 0x8A0DE050)
SSDT[263] : NtSuspendThread @ 0x8094EF94 -> HOOKED (Unknown @ 0x8A726B68)
SSDT[266] : NtTerminateProcess @ 0x8094C0AC -> HOOKED (Unknown @ 0x8A867B58)
SSDT[267] : NtTerminateThread @ 0x8094C2B8 -> HOOKED (Unknown @ 0x8A726C48)
SSDT[277] : NtUnmapViewOfSection @ 0x809234AE -> HOOKED (Unknown @ 0x8A82F270)
SSDT[287] : NtWriteVirtualMemory @ 0x8092F23E -> HOOKED (Unknown @ 0x8A830B68)
S_SSDT[306] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x89F55E70)
S_SSDT[382] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AEE21B0)
S_SSDT[413] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8AF9AAD8)
S_SSDT[415] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8AB6A8D0)
S_SSDT[427] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AEDD610)
S_SSDT[459] : NtUserMessageCall -> HOOKED (Unknown @ 0x8B16FD50)
S_SSDT[474] : NtUserPostMessage -> HOOKED (Unknown @ 0x8ABB0898)
S_SSDT[475] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8ABB0E78)
S_SSDT[545] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8B113750)
S_SSDT[548] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A862350)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: MEGARAID LD 0 MEGARAID SCSI Disk Device +++++
--- User ---
[MBR] 225e14d735491d518af914c6eb394eec
[BSP] c0f4a3eb45f0f9f92f7c32c02a508030 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 34993 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: MEGARAID LD 1 MEGARAID SCSI Disk Device +++++
--- User ---
[MBR] 0c3bd885ee03e41a0a7017290d717a78
[BSP] b7baaa273867eb9f01d412bd2a06005e : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 280015 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3]_D_03092013_02d1352.txt >>
RKreport[1]_S_03092013_02d1348.txt ; RKreport[2]_D_03092013_02d1351.txt ; RKreport[3]_D_03092013_02d1352.txt
 
The Mbar log:
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.09.12

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HEDCODSERVER [administrator]

3/9/2013 2:19:16 PM
mbar-log-2013-03-09 (14-19-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 27777
Time elapsed: 14 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
and the Mbar system log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

(c) Malwarebytes Corporation 2011-2012

OS version: 5.2.3790 Windows Server 2003 Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.000000 GHz
Memory total: 4293648384, free: 2918125568

------------ Kernel report ------------
03/09/2013 14:04:11
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
volsnap.sys
PartMgr.sys
atapi.sys
iaStor.sys
mraid35x.sys
\WINDOWS\system32\drivers\SCSIPORT.SYS
adpu320.sys
AACmgt.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
SYMDS.SYS
SYMEFA.SYS
Dfs.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
crcdisk.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\EG1032xp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\ati2mpad.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\watchdog.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\point32.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\teefer.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\pdfsd.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_mraid35x.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2drad.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\VirtFile.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSxpx86.sys
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVEX15.SYS
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVENG.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR12
Upper Device Object: 0xffffffff88efa1e0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000080\
Lower Device Object: 0xffffffff8908b220
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8b71aab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\mraid35x1Port2Path3Target1Lun0\
Lower Device Object: 0xffffffff8b71d030
Lower Device Driver Name: \Driver\mraid35x\
Driver name found: mraid35x
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b71c900
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\mraid35x1Port2Path3Target0Lun0\
Lower Device Object: 0xffffffff8b69f030
Lower Device Driver Name: \Driver\mraid35x\
Driver name found: mraid35x
Downloaded database version: v2013.03.09.12
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b71c900, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b721df8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b71c900, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b69f030, DeviceName: \Device\Scsi\mraid35x1Port2Path3Target0Lun0\, DriverName: \Driver\mraid35x\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffee1d5480, 0xffffffff8b71c900, 0xffffffff86964268
Lower DeviceData: 0xffffffffe14d8428, 0xffffffff8b69f030, 0xffffffff8a51fd40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8200820

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 71665902
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 36702257152 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-71664096-71684096)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8b71aab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b71a880, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b71aab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b71d030, DeviceName: \Device\Scsi\mraid35x1Port2Path3Target1Lun0\, DriverName: \Driver\mraid35x\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe5286768, 0xffffffff8b71aab8, 0xffffffff888c8350
Lower DeviceData: 0xffffffffecf1d348, 0xffffffff8b71d030, 0xffffffff86ffac98
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A250A25

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 573472242

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 293628542976 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
<<<2>>>
Device number: 1, partition: 1
<<<3>>>
Volume: D:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Scan finished
=======================================
 
Looks clean so far...

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
The GA server is still running:

OTL Scan of DataServer:
OTL logfile created on: 3/9/2013 5:49:38 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work
Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.86 Gb Available Physical Memory | 71.63% Memory free
5.83 Gb Paging File | 4.80 Gb Available in Paging File | 82.27% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.17 Gb Total Space | 6.52 Gb Free Space | 19.09% Space Free | Partition Type: NTFS
Drive D: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS
Drive F: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32
Drive O: | 465.64 Gb Total Space | 97.01 Gb Free Space | 20.83% Space Free | Partition Type: NTFS
Drive R: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS

Computer Name: HEDCODSERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/03/09 17:28:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work\OTL.exe
PRC - [2012/01/30 04:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2011/12/11 12:05:32 | 009,430,200 | ---- | M] (Schwab Performance Technologies) -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\SPTServer.exe
PRC - [2011/08/26 19:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/08/26 19:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2011/08/10 05:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2011/04/02 10:50:00 | 001,270,640 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
PRC - [2011/03/28 16:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe
PRC - [2010/12/10 18:29:30 | 029,293,408 | ---- | M] (Microsoft Corporation) -- d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/07/21 17:00:12 | 000,143,144 | ---- | M] (Vale Software) -- c:\junxure\Backup\Agent\vswSQLEJS.exe
PRC - [2007/02/17 06:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 06:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/17 06:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/17 06:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2004/10/19 09:01:42 | 000,118,784 | ---- | M] () -- C:\Program Files\MegaRAID\rserver\Raidserv.exe
PRC - [2004/09/01 10:00:24 | 000,163,328 | ---- | M] () -- C:\WINDOWS\system32\Megaserv.exe
PRC - [2003/06/23 15:03:26 | 000,162,044 | ---- | M] () -- C:\Program Files\MegaRAID\regserv\Reg_serv.exe
PRC - [2003/06/12 14:12:16 | 000,040,960 | R--- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\FlushServ.exe
PRC - [2000/06/01 08:41:08 | 000,090,112 | ---- | M] () -- C:\ivupdate\IVM.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/14 03:13:05 | 000,141,312 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\5571f6ece2abdda5305bdd3a91bb105c\System.Configuration.Install.ni.dll
MOD - [2013/02/14 03:10:33 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ba12e418b906593b7c9c18f971f36bf9\System.Windows.Forms.ni.dll
MOD - [2013/02/14 03:04:50 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2013/01/10 03:30:43 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
MOD - [2013/01/10 03:29:12 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/10 03:28:41 | 001,593,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7782f356a838c403b4a8e9c80df5a577\System.Drawing.ni.dll
MOD - [2013/01/10 03:28:17 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\8462c03b4f10c4624feb95790d6d1e30\System.Data.ni.dll
MOD - [2013/01/10 03:28:09 | 002,295,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\edbf4e4a55e63b9fbf0b0b40cba13063\System.Core.ni.dll
MOD - [2013/01/10 03:28:05 | 002,146,304 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ReachFramework\64ad3d6ccdc3afa7919528cc5a0143a6\ReachFramework.ni.dll
MOD - [2013/01/10 03:27:54 | 014,329,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2abe0b9f0e996273614f4cf1f6808eed\PresentationFramework.ni.dll
MOD - [2013/01/10 03:27:21 | 012,218,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\2e26794770e6d33cf79a7f8daa4a48c3\PresentationCore.ni.dll
MOD - [2013/01/10 03:27:01 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\4b889e41364baff1e456817b4777b610\WindowsBase.ni.dll
MOD - [2013/01/10 03:26:51 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/10 03:26:36 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2011/10/14 06:11:14 | 000,249,856 | ---- | M] () -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\hysdba32.dll
MOD - [2011/10/14 06:11:14 | 000,196,608 | ---- | M] () -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\c4dll32.dll
MOD - [2011/05/18 09:15:12 | 000,075,416 | ---- | M] () -- C:\WINDOWS\system32\PDVFSNP.dll
MOD - [2007/08/27 11:35:34 | 000,090,112 | ---- | M] () -- C:\ivupdate\EUConfig.dll
MOD - [2004/10/19 09:01:42 | 000,118,784 | ---- | M] () -- C:\Program Files\MegaRAID\rserver\Raidserv.exe
MOD - [2004/09/01 10:00:24 | 000,163,328 | ---- | M] () -- C:\WINDOWS\system32\Megaserv.exe
MOD - [2003/06/23 15:03:26 | 000,162,044 | ---- | M] () -- C:\Program Files\MegaRAID\regserv\Reg_serv.exe
MOD - [2000/06/01 08:41:08 | 000,090,112 | ---- | M] () -- C:\ivupdate\IVM.exe


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2012/01/30 04:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2011/12/11 12:05:32 | 009,430,200 | ---- | M] (Schwab Performance Technologies) [Auto | Running] -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\SPTServer.exe -- (SPTServer)
SRV - [2011/08/26 19:26:54 | 000,280,496 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/08/26 19:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/08/26 19:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011/08/10 05:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS)
SRV - [2011/05/18 09:15:24 | 000,194,200 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Symantec\Backup Exec\RAWS\PDVFSService.exe -- (PDVFSService)
SRV - [2011/04/02 10:50:00 | 001,270,640 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2011/03/28 16:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe -- (bedbg)
SRV - [2010/12/10 18:29:30 | 029,293,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS)
SRV - [2009/07/13 11:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/07/21 17:00:12 | 000,143,144 | ---- | M] (Vale Software) [Auto | Running] -- c:\junxure\Backup\Agent\vswSQLEJS.exe -- (vswSQLEJobServer)
SRV - [2007/02/17 06:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 06:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 06:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 06:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 06:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 06:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2004/11/11 10:46:46 | 000,053,248 | ---- | M] (Adaptec Incorporated) [Auto | Stopped] -- C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe -- (AdaptecStorageManagerAgent)
SRV - [2004/10/19 09:01:42 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\MegaRAID\rserver\Raidserv.exe -- (RAID_SERVER)
SRV - [2004/09/01 10:00:24 | 000,163,328 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\Megaserv.exe -- (MegaServ)
SRV - [2003/06/23 15:03:26 | 000,162,044 | ---- | M] () [Auto | Running] -- C:\Program Files\MegaRAID\regserv\Reg_serv.exe -- (REG_SERVER)
SRV - [2003/06/12 14:12:16 | 000,040,960 | R--- | M] (American Megatrends Inc.) [Auto | Running] -- C:\WINDOWS\system32\FlushServ.exe -- (FlushService)
SRV - [2003/03/25 04:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2003/03/25 04:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/03/09 14:04:10 | 000,035,144 | ---- | M] () [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2013/02/19 10:41:05 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/02/19 10:41:05 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVENG.SYS -- (NAVENG)
DRV - [2013/01/29 13:02:40 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/12/13 03:51:26 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/08/08 22:41:22 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 22:41:22 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/08/26 19:50:19 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/26 19:29:38 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/08/26 19:29:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2011/08/26 19:29:32 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
DRV - [2011/08/26 19:29:28 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/08/26 19:29:28 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2011/08/26 19:29:26 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/08/26 19:27:34 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/05/18 09:15:12 | 000,075,416 | ---- | M] () [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\PDVFSNP.dll -- (PDVFSNP)
DRV - [2011/03/01 14:00:06 | 000,071,480 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2011/02/15 11:09:08 | 000,064,056 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\pdfsd.sys -- (PDVFSDriver)
DRV - [2010/04/03 11:02:54 | 000,240,608 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0150.sys -- (RsFx0150)
DRV - [2008/06/24 07:52:20 | 000,032,384 | R--- | M] (ASIX Electronics Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ax88772.sys -- (AX88772)
DRV - [2007/02/16 22:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/16 22:06:42 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/16 22:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/16 21:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2005/01/31 18:20:50 | 000,071,040 | R--- | M] (Linksys, A Division of Cisco Systems, Inc ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EG1032xp.sys -- (RTL8023xp)
DRV - [2004/11/08 11:38:44 | 000,093,847 | R--- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aacmgt.sys -- (AACmgt)
DRV - [2003/03/24 13:54:06 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2013/02/19 19:11:29 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2003/03/25 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe File not found
O4 - HKLM..\RunOnce: [Z1] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\administrator\Start Menu\Programs\Startup\IVM.lnk = C:\ivupdate\IVM.exe ()
O4 - Startup: C:\Documents and Settings\administrator.HEDRICK\Start Menu\Programs\Startup\IVM.lnk = C:\ivupdate\IVM.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: tightvnc.com ([www] http in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130793298742 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130864858964 (MUWebControl Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://securemeeting.schwab.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A6917D6-9F29-4112-82B9-EFBCB75C1A95}: NameServer = 192.168.1.5,192.168.1.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3038AF57-FF8E-4D1E-9C07-3C361292061E}: NameServer = 192.168.1.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D30A9A8-A4BF-4B83-8AC8-759AEF697CBC}: NameServer = 192.168.1.5
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/31 12:45:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/03/09 14:04:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/03/09 14:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work
[2013/03/09 13:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Desktop\RK_Quarantine
[2007/12/23 08:58:18 | 000,140,824 | ---- | C] (MAPILab Ltd. & Add-in Express Ltd.) -- C:\Program Files\Common Files\secman.dll

========== Files - Modified Within 30 Days ==========

[2013/03/09 14:04:10 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/03/09 06:04:04 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\SDD_Backup Download - catch any late files.job
[2013/03/09 05:30:04 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\SDD_Daily Download.job
[2013/03/08 19:37:10 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Fri.job
[2013/03/08 19:25:20 | 000,000,216 | ---- | M] () -- C:\WINDOWS\tasks\restart_SPT.job
[2013/03/08 12:00:05 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a3266a68-4a07-11da-ac22-806e6f6e6963}.job
[2013/03/08 12:00:01 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a3266a67-4a07-11da-ac22-806e6f6e6963}.job
[2013/03/07 19:36:58 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\PC-Thur.job
[2013/03/06 19:36:52 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Wed.job
[2013/03/05 19:36:58 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Tue.job
[2013/03/04 19:36:55 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Mon.job
[2013/03/03 19:37:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Sun.job
[2013/03/02 19:37:21 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Sat.job
[2013/02/19 19:15:55 | 000,827,746 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/19 19:15:55 | 000,203,310 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/19 19:13:46 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/19 19:10:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/14 03:37:42 | 000,106,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/14 03:12:40 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/11 13:43:35 | 000,012,946 | ---- | M] () -- C:\WINDOWS\HYS.INI

========== Files Created - No Company Name ==========

[2013/03/09 14:04:10 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/01/10 03:41:51 | 000,068,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/17 07:17:22 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\_regtlb.dll
[2011/08/31 09:57:04 | 000,000,106 | ---- | C] () -- C:\Documents and Settings\administrator\Restart_SPT.bat
[2011/05/18 09:15:12 | 000,075,416 | ---- | C] () -- C:\WINDOWS\System32\PDVFSNP.dll
[2010/04/23 08:41:12 | 000,004,343 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/01/08 10:38:42 | 000,741,376 | ---- | C] () -- C:\Documents and Settings\administrator\Local Settings\Application Data\filesync.metadata
[2005/10/31 13:31:56 | 000,004,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2005/10/31 12:43:14 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2007/12/21 14:28:05 | 001,508,352 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 03:02:57 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007/02/17 06:03:19 | 000,278,016 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2011/06/24 13:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\CRM Software
[2009/08/05 12:28:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Juniper Networks
[2009/08/05 12:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2008/03/12 14:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Schwab Performance Technologies

========== Purity Check ==========



< End of report >
 
The Extras:
OTL Extras logfile created on: 3/9/2013 5:49:38 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work
Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.86 Gb Available Physical Memory | 71.63% Memory free
5.83 Gb Paging File | 4.80 Gb Available in Paging File | 82.27% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.17 Gb Total Space | 6.52 Gb Free Space | 19.09% Space Free | Partition Type: NTFS
Drive D: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS
Drive F: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32
Drive O: | 465.64 Gb Total Space | 97.01 Gb Free Space | 20.83% Space Free | Partition Type: NTFS
Drive R: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS

Computer Name: HEDCODSERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe" = C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe:*:Enabled:Backup Exec Remote Agent for Windows Systems -- (Symantec Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe" = C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe:*:Enabled:Backup Exec Remote Agent for Windows Systems -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{020617D7-2F72-4D02-BF59-A5CBC1761177}" = SQL Server 2008 R2 Management Studio
"{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)
"{046755CA-F677-4B7F-AF9A-6AB295A02A30}" = Microsoft SQL Server 2008 R2 Native Client
"{07C8EE28-7542-4D67-AC01-48CA807AB03E}" = Symantec Backup Exec (Hotfix 339930)
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{121475F5-2598-4574-8801-8F6B3D6A99BB}" = SQL Server 2008 R2 Management Studio
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2CCF7567-540B-4FA5-A778-968F7433D11E}_is1" = Junxure SQL Express Agent
"{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4112625F-2D38-49EF-924F-48511BC5CD34}" = SQL Server 2008 R2 Database Engine Services
"{47BE41E6-2F0F-4D17-9C2D-3850FFD9D405}" = Microsoft SQL Server VSS Writer
"{4C9D82EB-9001-4E59-8F64-0BEEE5F4A30A}" = SQL Server 2008 R2 Database Engine Shared
"{4ECF4BDC-8387-329A-ABE9-CF5798F84BB2}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
"{51E00B59-E24E-4D6A-81AD-94694BADD5CF}" = SQLXML 3.0
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56F39DA5-6287-4FD4-BCA4-870F8ABBFBCE}" = Symantec Backup Exec Remote Agent for Windows Systems
"{57B00665-DC8A-44AF-8610-3EE12C89F6EF}" = PortfolioCenter
"{5AD32821-D80C-4F7B-A3EB-A61ABF7C9394}" = PortfolioCenter Management Console
"{63934E99-A4F7-478C-8BB0-259BB9D78FFF}" = Microsoft Report Viewer Redistributable 2005
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{76866BE3-B2C7-40BB-B267-927792AED0C3}" = Microsoft SQL Server 2008 R2 Setup (English)
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77427A09-C875-4B1E-9054-29FACABD4FEF}" = PortfolioCenter Database Components
"{7AA60015-4BAD-4146-9DB2-8AA66762EC54}" = Microsoft SQLXML 4.0 SP1
"{7C8EAD2B-A954-4F73-AAFC-C3EC60D49ADA}" = Microsoft SQL Server 2008 R2 RsFx Driver
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{879FFED4-A41B-4486-8F9E-87CAE3B37516}" = Junxure Desktop
"{8BD7AB08-09D5-4519-A6F2-A72381B2EC4B}" = Symantec Backup Exec (Hotfix 345316)
"{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003
"{913E1F2D-5A32-4D18-B983-640374D81448}" = JxPublicObject
"{93998800-1608-403F-9A51-420A77D23C25}" = Sql Server Customer Experience Improvement Program
"{94251E15-F03A-42CF-B762-6A75B1A0790B}" = Adaptec Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}" = Symantec Endpoint Protection
"{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}" = Microsoft SQL Server System CLR Types
"{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)
"{B5688129-7595-4E5B-9990-CEF981A31264}" = SyncToy
"{B692E59A-055C-43B7-BE0A-9C2FE0AB88B6}" = Microsoft SQL Server 2008 R2 Management Objects
"{B8E9F8A1-9F4D-43D5-ABD6-1DF067FAA469}" = SQL Server 2008 R2 Database Engine Services
"{BF9BF038-FE03-429D-9B26-2FA0FD756052}" = Microsoft SQL Server Browser
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C186FF44-DF7E-11D3-9B04-0080C8D99A32}" = Power Console Plus Package
"{C8885E66-9862-4CEE-ADC4-F4769598C795}" = VERITAS Update
"{CACEA8C8-3D38-4F51-953D-1E6FC3346FEF}" = SQL Server 2008 R2 Common Files
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D21BC5B2-CBAC-48FA-A701-B5A63C1CA7B8}" = Microsoft SQL Server 2008 R2 Policies
"{D428AB95-35B2-4868-B656-5C316E25EC69}" = SQL Server 2008 R2 Database Engine Services
"{D441BD04-E548-4F8E-97A4-1B66135BAAA8}" = Microsoft SQL Server 2008 Setup Support Files
"{D6D7030D-E04C-4CCA-98DD-B9B51EDE5845}" = Junxure7
"{DDFD8348-058C-4F4B-85E5-6D740D4AB3FE}" = Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
"{DF781E6F-BF29-4340-BEFB-09F7511B424D}" = SQL Server 2008 R2 Database Engine Services
"{EBC91840-41E1-4CC3-AC11-0B889546223C}" = Microsoft IntelliPoint 5.5
"{F021CC0C-21C3-4038-AA4A-6E3CBC669CE8}" = SQL Server 2008 R2 Database Engine Shared
"{FC835376-FF3B-4CAA-83E0-2148B3FB7C98}" = SQL Server 2008 R2 Common Files
"CCleaner" = CCleaner
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{57B00665-DC8A-44AF-8610-3EE12C89F6EF}" = PortfolioCenter
"InstallShield_{5AD32821-D80C-4F7B-A3EB-A61ABF7C9394}" = PortfolioCenter Management Console
"InstallShield_{77427A09-C875-4B1E-9054-29FACABD4FEF}" = PortfolioCenter Database Components
"InstallShield_{94251E15-F03A-42CF-B762-6A75B1A0790B}" = Adaptec Storage Manager
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Report Viewer Redistributable 2005" = Microsoft Report Viewer Redistributable 2005
"Microsoft Report Viewer Redistributable 2008 (KB971119)" = Microsoft Report Viewer Redistributable 2008 SP1
"Microsoft SQL Server 10" = Microsoft SQL Server 2008 R2
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft SQL Server 2008 R2" = Microsoft SQL Server 2008 R2
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Remote Agent for Windows Servers" = Symantec Backup Exec Remote Agent for Windows Systems
"TightVNC_is1" = TightVNC 1.3.10
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ebb9ba9810bf3c43" = Schwab Data Delivery
"Juniper Secure Meeting 6.2.0" = Juniper Networks Secure Meeting 6.2.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/19/2013 9:25:37 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: C:\WINDOWS\SYSTEM32\DRWTSN32.EXE (PID 4160) Time: Tuesday,
February 19, 2013 5:25:37 PM

Error - 2/19/2013 11:04:24 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: C:\DOWNLOADS\TFC.EXE (PID 768) Time: Tuesday, February 19,
2013 7:04:24 PM

Error - 2/19/2013 11:04:24 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
Logged Actor Process: C:\DOWNLOADS\TFC.EXE (PID 768) Time: Tuesday, February 19,
2013 7:04:24 PM

Error - 2/19/2013 11:04:24 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: C:\DOWNLOADS\TFC.EXE (PID 768) Time: Tuesday, February 19,
2013 7:04:24 PM

Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
09, 2013 1:46:41 PM

Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
09, 2013 1:46:41 PM

Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
09, 2013 1:46:41 PM

Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
2013 2:05:25 PM

Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
2013 2:05:25 PM

Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
2013 2:05:25 PM

[ Directory Service Events ]
Error - 11/16/2011 5:04:28 PM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 11/16/2011 6:24:25 PM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 1/9/2012 5:34:43 AM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 8/6/2012 10:46:12 PM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
Description =

[ DNS Server Events ]
Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.hedrick.local. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration of zone hedrick.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration of zone _msdcs.hedrick.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration of zone hedrick.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

[ File Replication Service Events ]
Error - 2/9/2011 11:34:20 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path c: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a c:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 2/9/2011 11:34:20 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path C: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a C:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 2/10/2011 7:25:56 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path c: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a c:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 2/10/2011 7:25:56 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path C: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a C:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 3/1/2011 12:43:31 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path c: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a c:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 3/1/2011 12:43:31 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path C: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a C:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 12/29/2011 2:46:31 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path c: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a c:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

Error - 12/29/2011 2:46:31 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting the path C: is low on disk space. Files may not replicate until disk space is made available on this volume. The available space on the volume can be found by typing "dir /a C:". For more information about managing space on a volume type "copy /?", "rename /?", "del /?", "rmdir /?", and "dir /?".

[ System Events ]
Error - 3/9/2013 5:47:22 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 5:47:22 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 5:57:07 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 5:57:07 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 6:59:19 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 6:59:19 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 8:07:28 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 8:07:28 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 9:48:52 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Error - 3/9/2013 9:48:52 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.


< End of report >

The last ones were because I had the USB plugged into the other server.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe File not found
    O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: tightvnc.com ([www] http in Trusted sites)
    O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

Last scans...

Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce a log.
 
OTL Fix Log:
All processes killed
========== OTL ==========
Service WinHttpAutoProxySvc stopped successfully!
Service WinHttpAutoProxySvc deleted successfully!
File winhttp.dll not found.
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service vsdatant stopped successfully!
Service vsdatant deleted successfully!
File a not found.
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Error: No service named LicenseInfo was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo deleted successfully.
Service IpInIp stopped successfully!
Service IpInIp deleted successfully!
File system32\DRIVERS\ipinip.sys not found.
Service i2omgmt stopped successfully!
Service i2omgmt deleted successfully!
Service Changer stopped successfully!
Service Changer deleted successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\VxTaskbarMgr deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\www\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tightvnc.com\www\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 758760 bytes
->Temporary Internet Files folder emptied: 3625156 bytes

User: administrator.HEDRICK
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administratorold
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: backup_service
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: bettyh
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: relationship_manager
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: symantec_service
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1084154 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 740512 bytes

Total Files Cleaned = 6.00 mb


[EMPTYJAVA]

User: administrator

User: administrator.HEDRICK

User: Administratorold

User: All Users

User: backup_service

User: bettyh

User: Default User

User: LocalService

User: NetworkService

User: relationship_manager

User: symantec_service

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: administrator

User: administrator.HEDRICK

User: Administratorold

User: All Users

User: backup_service

User: bettyh

User: Default User

User: LocalService

User: NetworkService

User: relationship_manager

User: symantec_service

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03102013_212206

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Checkup Log:

Results of screen317's Security Check version 0.99.60
Service Pack 2 x86
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Please wait while WMIC is being installed.
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

I worked on the defrag last night and got it down to about 11%, will try again tonight.

FSS Log:

Farbar Service Scanner Version: 03-03-2013
Ran by Administrator (administrator) on 10-03-2013 at 22:44:42
Running from "F:\DataServer"
Microsoft Windows Server 2003 Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.

tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.


File Check:
========

ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\afd.sys
[2003-03-25 05:00] - [2011-12-27 07:13] - 0150528 ____N (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B


ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\tcpip.sys
[2003-03-25 05:00] - [2009-08-15 02:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3

C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____N (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B


ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\vssvc.exe
[2005-10-31 21:04] - [2007-02-16 23:09] - 0836096 ____N (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916


ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-02-17 07:03] - [2007-02-17 07:03] - 0143360 ____N (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2005-10-31 21:04] - [2007-02-17 07:03] - 0380928 ____N (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C

C:\WINDOWS\system32\es.dll
[2008-04-29 14:33] - [2008-04-29 14:33] - 0247296 ____N (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C

C:\WINDOWS\system32\cryptsvc.dll
[2007-02-17 07:02] - [2007-02-17 07:02] - 0056320 ____N (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4

C:\WINDOWS\system32\svchost.exe
[2007-02-17 07:04] - [2007-02-17 07:04] - 0014848 ____N (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\WINDOWS\system32\rpcss.dll
[2009-04-25 11:57] - [2009-02-09 04:02] - 0486912 ____N (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE



**** End of log ****

Got to work for my company today, work on my wife's company this evening.

Thanks for your help on this one!
 
Here is the checkup log:
Results of screen317's Security Check version 0.99.61
Service Pack 2 x86
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
A couple of days ago, the fragmentation was over 20%. It seems to do a few every night.

Fss log:
Farbar Service Scanner Version: 03-03-2013
Ran by Administrator (administrator) on 17-03-2013 at 21:17:51
Running from "F:\"
Microsoft Windows Server 2003 Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.
tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\Drivers\afd.sys
[2003-03-25 05:00] - [2011-12-27 07:13] - 0150528 ____N (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B

ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\Drivers\tcpip.sys
[2003-03-25 05:00] - [2009-08-15 02:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3
C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____N (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B

ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\vssvc.exe
[2005-10-31 21:04] - [2007-02-16 23:09] - 0836096 ____N (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916

ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-02-17 07:03] - [2007-02-17 07:03] - 0143360 ____N (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5
C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2005-10-31 21:04] - [2007-02-17 07:03] - 0380928 ____N (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C
C:\WINDOWS\system32\es.dll
[2008-04-29 14:33] - [2008-04-29 14:33] - 0247296 ____N (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C
C:\WINDOWS\system32\cryptsvc.dll
[2007-02-17 07:02] - [2007-02-17 07:02] - 0056320 ____N (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4
C:\WINDOWS\system32\svchost.exe
[2007-02-17 07:04] - [2007-02-17 07:04] - 0014848 ____N (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682
C:\WINDOWS\system32\rpcss.dll
[2009-04-25 11:57] - [2009-02-09 04:02] - 0486912 ____N (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE

**** End of log ****

There was no log that opened after the reboot from TFC
 
Ran ESET, no log, but the computer was rebooted by Microsoft automatic updates during the night, and I'm not sure if the auto-updates could have interrupted the updates.
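As an added example (not part of this thread, and not the scanner's own code), a small Python parser for the service-file section of the log posted above: it pulls out the "FILE IS MISSING" warnings and the per-file size/vendor/MD5 records, then compares each hash against a known-good baseline. The sample lines are copied from the posted log; the baseline dict is constructed for the demo and in practice would be taken from a clean reference host at the same patch level.

```python
import re
from typing import Dict, List

# Log grammar seen in the posted log: a missing-file warning, a tool-verified hash
# line, or a path line followed by "[created] - [modified] - size attrs (vendor) MD5".
MISSING_RE = re.compile(r"^ATTENTION!=+> (?P<path>.+?) FILE IS MISSING AND SHOULD BE RESTORED\.$")
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
DETAIL_RE = re.compile(r"^\[[\d: -]+\] - \[[\d: -]+\] - (?P<size>\d+) \S+ "
                       r"\((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

def parse_fss_log(text: str) -> List[dict]:
    """Return one dict per file: path, status (missing/legit/present), size, vendor, md5."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MISSING_RE.match(line):
            records.append({"path": m["path"], "status": "missing"}); pending = None
        elif m := LEGIT_RE.match(line):
            records.append({"path": m["path"], "status": "legit"}); pending = None
        elif (m := DETAIL_RE.match(line)) and pending is not None:
            pending.update(size=int(m["size"]), vendor=m["vendor"], md5=m["md5"].upper())
            pending = None
        elif PATH_RE.match(line):
            pending = {"path": line, "status": "present"}
            records.append(pending)
    return records

def triage(records: List[dict], baseline: Dict[str, str]):
    """baseline maps lower-cased path -> known-good MD5 from a clean reference host.
    Returns (missing paths, paths whose hash differs from the baseline)."""
    missing = [r["path"] for r in records if r["status"] == "missing"]
    mismatched = [r["path"] for r in records
                  if r.get("md5") and r["path"].lower() in baseline
                  and r["md5"] != baseline[r["path"].lower()].upper()]
    return missing, mismatched

# Sample lines copied from the posted log.
SAMPLE_LOG = """\
ATTENTION!=====> C:\\WINDOWS\\system32\\Drivers\\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\\WINDOWS\\system32\\Drivers\\tcpip.sys
[2003-03-25 05:00] - [2009-08-15 02:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3
C:\\WINDOWS\\system32\\dnsrslvr.dll
[2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____N (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B
C:\\WINDOWS\\system32\\wuaueng.dll => MD5 is legit
**** End of log ****
"""
# Constructed baseline: tcpip.sys matches the log; dnsrslvr.dll gets an obvious
# placeholder value (not a real hash) so the mismatch branch is exercised.
BASELINE = {r"c:\windows\system32\drivers\tcpip.sys": "238dc2b879d1b37b91f8d5d44f3815d3",
            r"c:\windows\system32\dnsrslvr.dll": "0" * 32}
```

A hash mismatch against a same-patch-level baseline is what to escalate on; a "missing" entry only tells you the file is absent and must be weighed against the host's Windows version.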
 
You did fine.

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), and download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing Foxit Reader, make sure to UN-check any pre-checked toolbar, or any other garbage.

=============================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please let me know how your computer is doing.
 