TechSpot

Spreading problems in network?

Solved
By glhglh
Mar 9, 2013
  1. On the data server:
    RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP 64 / Windows Home Server / Windows Server 2003 (5.2.3790 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : Administrator [Admin rights]
    Mode : Remove -- Date : 03/09/2013 13:52:39
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[13] : NtAlertResumeThread @ 0x8094F21A -> HOOKED (Unknown @ 0x8A868B08)
    SSDT[14] : NtAlertThread @ 0x8094F1CA -> HOOKED (Unknown @ 0x8A82F7B0)
    SSDT[18] : NtAllocateVirtualMemory @ 0x80843EA6 -> HOOKED (Unknown @ 0x8A869F38)
    SSDT[21] : NtAssignProcessToJobObject @ 0x80951714 -> HOOKED (Unknown @ 0x8A0DD580)
    SSDT[33] : NtConnectPort @ 0x809202D8 -> HOOKED (Unknown @ 0x8A8C8170)
    SSDT[45] : NtCreateMutant @ 0x80994804 -> HOOKED (Unknown @ 0x8A869060)
    SSDT[54] : NtCreateSymbolicLinkObject @ 0x8093D6BA -> HOOKED (Unknown @ 0x8A869620)
    SSDT[55] : NtCreateThread @ 0x8094AE46 -> HOOKED (Unknown @ 0x8A867A58)
    SSDT[59] : NtDebugActiveProcess @ 0x809A186A -> HOOKED (Unknown @ 0x8A0DD6D0)
    SSDT[71] : NtDuplicateObject @ 0x8093629A -> HOOKED (Unknown @ 0x8A830708)
    SSDT[87] : NtFreeVirtualMemory @ 0x80857640 -> HOOKED (Unknown @ 0x8A830A98)
    SSDT[93] : NtImpersonateAnonymousToken @ 0x80974910 -> HOOKED (Unknown @ 0x8A869150)
    SSDT[95] : NtImpersonateThread @ 0x809525E2 -> HOOKED (Unknown @ 0x8A868A28)
    SSDT[101] : NtLoadDriver @ 0x808FA04E -> HOOKED (Unknown @ 0x8B742E10)
    SSDT[113] : NtMapViewOfSection @ 0x8092D4AC -> HOOKED (Unknown @ 0x8A82F350)
    SSDT[120] : NtOpenEvent @ 0x8098BBE6 -> HOOKED (Unknown @ 0x8A0DE130)
    SSDT[128] : LdrShutdownThread @ 0x80944A68 -> HOOKED (Unknown @ 0x8A0DC008)
    SSDT[129] : NtOpenProcessToken @ 0x80968E04 -> HOOKED (Unknown @ 0x8A830648)
    SSDT[131] : NtOpenSection @ 0x809268C6 -> HOOKED (Unknown @ 0x8A17B2D0)
    SSDT[134] : NtOpenThread @ 0x80944CF6 -> HOOKED (Unknown @ 0x8A0DC090)
    SSDT[143] : NtProtectVirtualMemory @ 0x80931D92 -> HOOKED (Unknown @ 0x8A0DD490)
    SSDT[214] : NtResumeThread @ 0x8094F058 -> HOOKED (Unknown @ 0x8A82F890)
    SSDT[221] : NtSetContextThread @ 0x8094CA2A -> HOOKED (Unknown @ 0x8A8206F8)
    SSDT[237] : NtSetInformationProcess @ 0x8094792A -> HOOKED (Unknown @ 0x8A8207D8)
    SSDT[249] : NtSetSystemInformation @ 0x8098DB5E -> HOOKED (Unknown @ 0x8A0DD7B0)
    SSDT[262] : NtSuspendProcess @ 0x8094F11E -> HOOKED (Unknown @ 0x8A0DE050)
    SSDT[263] : NtSuspendThread @ 0x8094EF94 -> HOOKED (Unknown @ 0x8A726B68)
    SSDT[266] : NtTerminateProcess @ 0x8094C0AC -> HOOKED (Unknown @ 0x8A867B58)
    SSDT[267] : NtTerminateThread @ 0x8094C2B8 -> HOOKED (Unknown @ 0x8A726C48)
    SSDT[277] : NtUnmapViewOfSection @ 0x809234AE -> HOOKED (Unknown @ 0x8A82F270)
    SSDT[287] : NtWriteVirtualMemory @ 0x8092F23E -> HOOKED (Unknown @ 0x8A830B68)
    S_SSDT[306] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x89F55E70)
    S_SSDT[382] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AEE21B0)
    S_SSDT[413] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8AF9AAD8)
    S_SSDT[415] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8AB6A8D0)
    S_SSDT[427] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AEDD610)
    S_SSDT[459] : NtUserMessageCall -> HOOKED (Unknown @ 0x8B16FD50)
    S_SSDT[474] : NtUserPostMessage -> HOOKED (Unknown @ 0x8ABB0898)
    S_SSDT[475] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8ABB0E78)
    S_SSDT[545] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8B113750)
    S_SSDT[548] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A862350)

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: MEGARAID LD 0 MEGARAID SCSI Disk Device +++++
    --- User ---
    [MBR] 225e14d735491d518af914c6eb394eec
    [BSP] c0f4a3eb45f0f9f92f7c32c02a508030 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 34993 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive1: MEGARAID LD 1 MEGARAID SCSI Disk Device +++++
    --- User ---
    [MBR] 0c3bd885ee03e41a0a7017290d717a78
    [BSP] b7baaa273867eb9f01d412bd2a06005e : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 280015 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[3]_D_03092013_02d1352.txt >>
    RKreport[1]_S_03092013_02d1348.txt ; RKreport[2]_D_03092013_02d1351.txt ; RKreport[3]_D_03092013_02d1352.txt
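The RogueKiller section above lists 31 SSDT and 10 Shadow SSDT hooks, every one attributed to "Unknown", meaning the tool could not name a loaded module for the handler address. The script below is an added example for this thread (not RogueKiller's own code) that parses such report lines, buckets the hooked services by what they let a driver intercept, and counts how many distinct memory regions the handlers live in. The sample lines are an excerpt of the report above; the category table and the 64 KiB region heuristic are this example's own assumptions.

```python
"""Summarise the SSDT / Shadow SSDT hook lines of a RogueKiller report.

Added example for this thread; it is not RogueKiller code. The lines in
SAMPLE are copied from the report posted above; the category table and the
64 KiB region heuristic are this example's assumptions.
"""
import re
from collections import Counter

# One hook line. The "@ 0x..." original address is printed for SSDT entries
# and omitted for S_SSDT (win32k shadow table) entries, so it is optional.
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*(?P<func>\w+)"
    r"(?:\s*@\s*0x(?P<orig>[0-9A-Fa-f]+))?\s*->\s*HOOKED\s*"
    r"\((?P<owner>.+?)\s*@\s*0x(?P<target>[0-9A-Fa-f]+)\)$"
)

# Coarse intent buckets keyed on substrings of the service name. Order matters:
# NtUserAttachThreadInput and NtUserPostThreadMessage must not fall into the
# generic "Thread" bucket, so the input and messaging rows come first.
CATEGORIES = (
    ("keyboard/input capture",
     ("KeyState", "KeyboardState", "RawInput", "AttachThreadInput",
      "WindowsHookEx", "WinEventHook")),
    ("window messaging", ("Message",)),
    ("driver loading", ("LoadDriver", "SetSystemInformation")),
    ("memory/image mapping", ("VirtualMemory", "Section")),
    ("process/thread control",
     ("Thread", "Process", "Impersonate", "DebugActive")),
)


def categorise(func):
    for name, needles in CATEGORIES:
        if any(n in func for n in needles):
            return name
    return "other kernel object"


def parse_hooks(report_text):
    """Return one dict per HOOKED line; every other report line is ignored."""
    hooks = []
    for raw in report_text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "table": d["table"],
            "index": int(d["index"]),
            "func": d["func"],
            "orig": int(d["orig"], 16) if d["orig"] else None,
            "owner": d["owner"].strip(),
            "target": int(d["target"], 16),
            "category": categorise(d["func"]),
        })
    return hooks


def summarise(hooks, window_bits=16):
    """Counts per table, owner and category, the hooks the tool could not
    attribute to a module, and the number of distinct 2**window_bits byte
    regions the handler addresses fall into (heuristic: one product's hook
    handlers usually cluster in a few regions)."""
    return {
        "hooks": len(hooks),
        "tables": dict(Counter(h["table"] for h in hooks)),
        "owners": dict(Counter(h["owner"] for h in hooks)),
        "categories": dict(Counter(h["category"] for h in hooks)),
        "unattributed": sorted(h["func"] for h in hooks if h["owner"] == "Unknown"),
        "target_regions": len({h["target"] >> window_bits for h in hooks}),
    }


# Excerpt of the report above: seven hook lines plus two non-hook lines,
# included to show that they are skipped.
SAMPLE = """\
Driver : [LOADED]
SSDT[101] : NtLoadDriver @ 0x808FA04E -> HOOKED (Unknown @ 0x8B742E10)
SSDT[287] : NtWriteVirtualMemory @ 0x8092F23E -> HOOKED (Unknown @ 0x8A830B68)
SSDT[55] : NtCreateThread @ 0x8094AE46 -> HOOKED (Unknown @ 0x8A867A58)
SSDT[45] : NtCreateMutant @ 0x80994804 -> HOOKED (Unknown @ 0x8A869060)
S_SSDT[382] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AEE21B0)
S_SSDT[545] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8B113750)
S_SSDT[474] : NtUserPostMessage -> HOOKED (Unknown @ 0x8ABB0898)
HOSTS File:
"""

if __name__ == "__main__":
    found = parse_hooks(SAMPLE)
    for key, value in summarise(found).items():
        print(f"{key}: {value}")
```

Hooks on NtLoadDriver, NtWriteVirtualMemory, NtSetWindowsHookEx and the key-state services are exactly what a kernel-mode HIPS installs, and this server runs Symantec Endpoint Protection, whose drivers appear in the MBAR module list below. Whether these particular handlers belong to SEP cannot be settled from either log: that needs the base address and size of each loaded driver, which neither report prints, so "Unknown" here is a gap in attribution, not evidence of a rootkit.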
  2. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    The Mbar log:
    Malwarebytes Anti-Rootkit BETA 1.01.0.1021
    www.malwarebytes.org

    Database version: v2013.03.09.12

    Windows Server 2003 Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: HEDCODSERVER [administrator]

    3/9/2013 2:19:16 PM
    mbar-log-2013-03-09 (14-19-16).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 27777
    Time elapsed: 14 minute(s), 35 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    and the Mbar system log:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1021

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.2.3790 Windows Server 2003 Service Pack 2 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 3.000000 GHz
    Memory total: 4293648384, free: 2918125568

    ------------ Kernel report ------------
    03/09/2013 14:04:11
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    intelide.sys
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    volsnap.sys
    PartMgr.sys
    atapi.sys
    iaStor.sys
    mraid35x.sys
    \WINDOWS\system32\drivers\SCSIPORT.SYS
    adpu320.sys
    AACmgt.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltmgr.sys
    SYMDS.SYS
    SYMEFA.SYS
    Dfs.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    crcdisk.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\EG1032xp.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\ati2mpad.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\watchdog.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\point32.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\teefer.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS
    \SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS
    \SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS
    \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDI.SYS
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\pdfsd.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_diskdump.sys
    \SystemRoot\System32\Drivers\dump_mraid35x.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ati2drad.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\VirtFile.sys
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\System32\Drivers\TDTCP.SYS
    \SystemRoot\System32\Drivers\RDPWD.SYS
    \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys
    \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSxpx86.sys
    \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVEX15.SYS
    \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVENG.SYS
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk2\DR12
    Upper Device Object: 0xffffffff88efa1e0
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000080\
    Lower Device Object: 0xffffffff8908b220
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    Initialization returned 0x0
    Load Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xffffffff8b71aab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Scsi\mraid35x1Port2Path3Target1Lun0\
    Lower Device Object: 0xffffffff8b71d030
    Lower Device Driver Name: \Driver\mraid35x\
    Driver name found: mraid35x
    Initialization returned 0x0
    Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
    Load Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8b71c900
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Scsi\mraid35x1Port2Path3Target0Lun0\
    Lower Device Object: 0xffffffff8b69f030
    Lower Device Driver Name: \Driver\mraid35x\
    Driver name found: mraid35x
    Downloaded database version: v2013.03.09.12
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8b71c900, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8b721df8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8b71c900, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8b69f030, DeviceName: \Device\Scsi\mraid35x1Port2Path3Target0Lun0\, DriverName: \Driver\mraid35x\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffee1d5480, 0xffffffff8b71c900, 0xffffffff86964268
    Lower DeviceData: 0xffffffffe14d8428, 0xffffffff8b69f030, 0xffffffff8a51fd40
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 8200820

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 71665902
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 36702257152 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-71664096-71684096)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff8b71aab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8b71a880, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8b71aab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8b71d030, DeviceName: \Device\Scsi\mraid35x1Port2Path3Target1Lun0\, DriverName: \Driver\mraid35x\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe5286768, 0xffffffff8b71aab8, 0xffffffff888c8350
    Lower DeviceData: 0xffffffffecf1d348, 0xffffffff8b71d030, 0xffffffff86ffac98
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: A250A25

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 573472242

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 293628542976 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    <<<2>>>
    Device number: 1, partition: 1
    <<<3>>>
    Volume: D:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Scan finished
    =======================================
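The MBAR system log above prints, for each drive, the MBR signature, the disk signature and the four partition entries, then scans the unpartitioned sectors. The parser below is an added example for this thread (not Malwarebytes code) that derives those same fields from a raw 512-byte sector and applies the sanity checks a reviewer would want. The sector it builds is constructed to mirror drive 0 in the log (disk signature 0x08200820, one active type 0x07 partition at LBA 63 with 71665902 sectors, boot code area left zeroed); the check list and the gap calculation are the example's own, so the tail range it reports is computed strictly from the partition entry rather than copied from the log.

```python
"""Parse a 512-byte MBR and apply the checks an anti-rootkit MBR scan reports.

Added example for this thread; it is not Malwarebytes Anti-Rootkit code.
build_sample_mbr() constructs a sector that mirrors drive 0 in the log above
(disk signature 0x08200820, one active type 0x07 partition at LBA 63 with
71665902 sectors). The sanity checks are this example's own.
"""
import itertools
import struct

DISK_SIG_OFFSET = 0x1B8    # 4-byte NT disk signature
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE    # bytes 55 AA
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(sector):
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, numsec = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        partitions.append({
            "index": i, "status": status, "active": status == 0x80,
            "type": ptype, "lba": lba, "numsec": numsec,
            "size_mib": numsec * 512 // (1024 * 1024),
        })
    return {
        "boot_signature": bytes(sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2]).hex().upper(),
        "signature_ok": bytes(sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2]) == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def check_mbr(parsed, disk_sectors, expect_bootable=True):
    """Return a list of findings; an empty list means the table is sane."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature is not 55AA")
    used = [p for p in parsed["partitions"] if p["type"] != 0]
    active = [p for p in parsed["partitions"] if p["active"]]
    if expect_bootable and len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: status byte 0x{p['status']:02X} is neither 0x00 nor 0x80")
        if p["type"] == 0 and (p["lba"] or p["numsec"]):
            findings.append(f"partition {p['index']}: empty type but non-zero extent")
    for p in used:
        if p["lba"] + p["numsec"] > disk_sectors:
            findings.append(f"partition {p['index']}: ends past the last sector")
    for a, b in itertools.combinations(used, 2):
        if a["lba"] < b["lba"] + b["numsec"] and b["lba"] < a["lba"] + a["numsec"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def unpartitioned_ranges(parsed, disk_sectors):
    """Inclusive sector ranges covered by no partition, excluding sector 0.
    The gap before the first partition is where MBR bootkits usually keep
    their payload, so these are the ranges worth reading raw."""
    used = sorted((p["lba"], p["lba"] + p["numsec"] - 1)
                  for p in parsed["partitions"] if p["type"] != 0)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= disk_sectors - 1:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed sector: boot code area zeroed, table mirrors drive 0 above."""
    sector = bytearray(512)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x08200820)
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 63, 71665902)
    sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    total = 36702257152 // 512  # "Disk Size" from the log, in 512-byte sectors
    print(f"MBR Signature: {mbr['boot_signature']}  Disk Signature: {mbr['disk_signature']:X}")
    for p in mbr["partitions"]:
        print(f"Partition {p['index']}: type 0x{p['type']:X} active={p['active']} "
              f"LBA {p['lba']} Numsec {p['numsec']} ({p['size_mib']} MiB)")
    print("findings:", check_mbr(mbr, total) or "none")
    print("unpartitioned:", unpartitioned_ranges(mbr, total))
```

Run against the constructed sector it prints the same signature, disk signature and partition 0 values the log shows, and the 34993 MiB size matches RogueKiller's "34993 Mo" for the same partition. Drive 1 in the log has no active partition, which is normal for a data-only disk; pass expect_bootable=False for such disks so that the check is not reported as a finding.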
  3. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Looks clean so far...

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  4. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    The GA server is still running:

    OTL Scan of DataServer:
    OTL logfile created on: 3/9/2013 5:49:38 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work
    Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.86 Gb Available Physical Memory | 71.63% Memory free
    5.83 Gb Paging File | 4.80 Gb Available in Paging File | 82.27% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.17 Gb Total Space | 6.52 Gb Free Space | 19.09% Space Free | Partition Type: NTFS
    Drive D: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS
    Drive F: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32
    Drive O: | 465.64 Gb Total Space | 97.01 Gb Free Space | 20.83% Space Free | Partition Type: NTFS
    Drive R: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS

    Computer Name: HEDCODSERVER | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/03/09 17:28:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work\OTL.exe
    PRC - [2012/01/30 04:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
    PRC - [2011/12/11 12:05:32 | 009,430,200 | ---- | M] (Schwab Performance Technologies) -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\SPTServer.exe
    PRC - [2011/08/26 19:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
    PRC - [2011/08/26 19:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    PRC - [2011/08/10 05:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
    PRC - [2011/04/02 10:50:00 | 001,270,640 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    PRC - [2011/03/28 16:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe
    PRC - [2010/12/10 18:29:30 | 029,293,408 | ---- | M] (Microsoft Corporation) -- d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    PRC - [2008/07/21 17:00:12 | 000,143,144 | ---- | M] (Vale Software) -- c:\junxure\Backup\Agent\vswSQLEJS.exe
    PRC - [2007/02/17 06:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
    PRC - [2007/02/17 06:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
    PRC - [2007/02/17 06:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/02/17 06:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
    PRC - [2004/10/19 09:01:42 | 000,118,784 | ---- | M] () -- C:\Program Files\MegaRAID\rserver\Raidserv.exe
    PRC - [2004/09/01 10:00:24 | 000,163,328 | ---- | M] () -- C:\WINDOWS\system32\Megaserv.exe
    PRC - [2003/06/23 15:03:26 | 000,162,044 | ---- | M] () -- C:\Program Files\MegaRAID\regserv\Reg_serv.exe
    PRC - [2003/06/12 14:12:16 | 000,040,960 | R--- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\FlushServ.exe
    PRC - [2000/06/01 08:41:08 | 000,090,112 | ---- | M] () -- C:\ivupdate\IVM.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/02/14 03:13:05 | 000,141,312 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\5571f6ece2abdda5305bdd3a91bb105c\System.Configuration.Install.ni.dll
    MOD - [2013/02/14 03:10:33 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ba12e418b906593b7c9c18f971f36bf9\System.Windows.Forms.ni.dll
    MOD - [2013/02/14 03:04:50 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2013/01/10 03:30:43 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
    MOD - [2013/01/10 03:29:12 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
    MOD - [2013/01/10 03:28:41 | 001,593,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7782f356a838c403b4a8e9c80df5a577\System.Drawing.ni.dll
    MOD - [2013/01/10 03:28:17 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\8462c03b4f10c4624feb95790d6d1e30\System.Data.ni.dll
    MOD - [2013/01/10 03:28:09 | 002,295,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\edbf4e4a55e63b9fbf0b0b40cba13063\System.Core.ni.dll
    MOD - [2013/01/10 03:28:05 | 002,146,304 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ReachFramework\64ad3d6ccdc3afa7919528cc5a0143a6\ReachFramework.ni.dll
    MOD - [2013/01/10 03:27:54 | 014,329,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2abe0b9f0e996273614f4cf1f6808eed\PresentationFramework.ni.dll
    MOD - [2013/01/10 03:27:21 | 012,218,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\2e26794770e6d33cf79a7f8daa4a48c3\PresentationCore.ni.dll
    MOD - [2013/01/10 03:27:01 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\4b889e41364baff1e456817b4777b610\WindowsBase.ni.dll
    MOD - [2013/01/10 03:26:51 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
    MOD - [2013/01/10 03:26:36 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
    MOD - [2011/10/14 06:11:14 | 000,249,856 | ---- | M] () -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\hysdba32.dll
    MOD - [2011/10/14 06:11:14 | 000,196,608 | ---- | M] () -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\c4dll32.dll
    MOD - [2011/05/18 09:15:12 | 000,075,416 | ---- | M] () -- C:\WINDOWS\system32\PDVFSNP.dll
    MOD - [2007/08/27 11:35:34 | 000,090,112 | ---- | M] () -- C:\ivupdate\EUConfig.dll
    MOD - [2004/10/19 09:01:42 | 000,118,784 | ---- | M] () -- C:\Program Files\MegaRAID\rserver\Raidserv.exe
    MOD - [2004/09/01 10:00:24 | 000,163,328 | ---- | M] () -- C:\WINDOWS\system32\Megaserv.exe
    MOD - [2003/06/23 15:03:26 | 000,162,044 | ---- | M] () -- C:\Program Files\MegaRAID\regserv\Reg_serv.exe
    MOD - [2000/06/01 08:41:08 | 000,090,112 | ---- | M] () -- C:\ivupdate\IVM.exe


    ========== Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
    SRV - [2012/01/30 04:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
    SRV - [2011/12/11 12:05:32 | 009,430,200 | ---- | M] (Schwab Performance Technologies) [Auto | Running] -- C:\Program Files\Schwab Performance Technologies\PortfolioCenter\SPTServer.exe -- (SPTServer)
    SRV - [2011/08/26 19:26:54 | 000,280,496 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
    SRV - [2011/08/26 19:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
    SRV - [2011/08/26 19:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
    SRV - [2011/08/10 05:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS)
    SRV - [2011/05/18 09:15:24 | 000,194,200 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Symantec\Backup Exec\RAWS\PDVFSService.exe -- (PDVFSService)
    SRV - [2011/04/02 10:50:00 | 001,270,640 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe -- (BackupExecAgentAccelerator)
    SRV - [2011/03/28 16:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe -- (bedbg)
    SRV - [2010/12/10 18:29:30 | 029,293,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS)
    SRV - [2009/07/13 11:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2008/07/21 17:00:12 | 000,143,144 | ---- | M] (Vale Software) [Auto | Running] -- c:\junxure\Backup\Agent\vswSQLEJS.exe -- (vswSQLEJobServer)
    SRV - [2007/02/17 06:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
    SRV - [2007/02/17 06:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
    SRV - [2007/02/17 06:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
    SRV - [2007/02/17 06:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
    SRV - [2007/02/17 06:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
    SRV - [2007/02/17 06:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
    SRV - [2004/11/11 10:46:46 | 000,053,248 | ---- | M] (Adaptec Incorporated) [Auto | Stopped] -- C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe -- (AdaptecStorageManagerAgent)
    SRV - [2004/10/19 09:01:42 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\MegaRAID\rserver\Raidserv.exe -- (RAID_SERVER)
    SRV - [2004/09/01 10:00:24 | 000,163,328 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\Megaserv.exe -- (MegaServ)
    SRV - [2003/06/23 15:03:26 | 000,162,044 | ---- | M] () [Auto | Running] -- C:\Program Files\MegaRAID\regserv\Reg_serv.exe -- (REG_SERVER)
    SRV - [2003/06/12 14:12:16 | 000,040,960 | R--- | M] (American Megatrends Inc.) [Auto | Running] -- C:\WINDOWS\system32\FlushServ.exe -- (FlushService)
    SRV - [2003/03/25 04:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
    SRV - [2003/03/25 04:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - [2013/03/09 14:04:10 | 000,035,144 | ---- | M] () [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
    DRV - [2013/02/19 10:41:05 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVEX15.SYS -- (NAVEX15)
    DRV - [2013/02/19 10:41:05 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVENG.SYS -- (NAVENG)
    DRV - [2013/01/29 13:02:40 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2012/12/13 03:51:26 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2012/08/08 22:41:22 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2012/08/08 22:41:22 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2011/08/26 19:50:19 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2011/08/26 19:29:38 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
    DRV - [2011/08/26 19:29:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
    DRV - [2011/08/26 19:29:32 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
    DRV - [2011/08/26 19:29:28 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
    DRV - [2011/08/26 19:29:28 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
    DRV - [2011/08/26 19:29:26 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
    DRV - [2011/08/26 19:27:34 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
    DRV - [2011/05/18 09:15:12 | 000,075,416 | ---- | M] () [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\PDVFSNP.dll -- (PDVFSNP)
    DRV - [2011/03/01 14:00:06 | 000,071,480 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
    DRV - [2011/02/15 11:09:08 | 000,064,056 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\pdfsd.sys -- (PDVFSDriver)
    DRV - [2010/04/03 11:02:54 | 000,240,608 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0150.sys -- (RsFx0150)
    DRV - [2008/06/24 07:52:20 | 000,032,384 | R--- | M] (ASIX Electronics Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ax88772.sys -- (AX88772)
    DRV - [2007/02/16 22:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
    DRV - [2007/02/16 22:06:42 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
    DRV - [2007/02/16 22:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
    DRV - [2007/02/16 21:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
    DRV - [2005/01/31 18:20:50 | 000,071,040 | R--- | M] (Linksys, A Division of Cisco Systems, Inc ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EG1032xp.sys -- (RTL8023xp)
    DRV - [2004/11/08 11:38:44 | 000,093,847 | R--- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aacmgt.sys -- (AACmgt)
    DRV - [2003/03/24 13:54:06 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2013/02/19 19:11:29 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2003/03/25 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe File not found
    O4 - HKLM..\RunOnce: [Z1] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\administrator\Start Menu\Programs\Startup\IVM.lnk = C:\ivupdate\IVM.exe ()
    O4 - Startup: C:\Documents and Settings\administrator.HEDRICK\Start Menu\Programs\Startup\IVM.lnk = C:\ivupdate\IVM.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
    O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
    O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: tightvnc.com ([www] http in Trusted sites)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130793298742 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130864858964 (MUWebControl Class)
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://securemeeting.schwab.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A6917D6-9F29-4112-82B9-EFBCB75C1A95}: NameServer = 192.168.1.5,192.168.1.6
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3038AF57-FF8E-4D1E-9C07-3C361292061E}: NameServer = 192.168.1.5
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D30A9A8-A4BF-4B83-8AC8-759AEF697CBC}: NameServer = 192.168.1.5
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
    O24 - Desktop WallPaper: C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/10/31 12:45:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/03/09 14:04:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2013/03/09 14:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work
    [2013/03/09 13:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Desktop\RK_Quarantine
    [2007/12/23 08:58:18 | 000,140,824 | ---- | C] (MAPILab Ltd. & Add-in Express Ltd.) -- C:\Program Files\Common Files\secman.dll

    ========== Files - Modified Within 30 Days ==========

    [2013/03/09 14:04:10 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
    [2013/03/09 06:04:04 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\SDD_Backup Download - catch any late files.job
    [2013/03/09 05:30:04 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\SDD_Daily Download.job
    [2013/03/08 19:37:10 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Fri.job
    [2013/03/08 19:25:20 | 000,000,216 | ---- | M] () -- C:\WINDOWS\tasks\restart_SPT.job
    [2013/03/08 12:00:05 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a3266a68-4a07-11da-ac22-806e6f6e6963}.job
    [2013/03/08 12:00:01 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a3266a67-4a07-11da-ac22-806e6f6e6963}.job
    [2013/03/07 19:36:58 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\PC-Thur.job
    [2013/03/06 19:36:52 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Wed.job
    [2013/03/05 19:36:58 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Tue.job
    [2013/03/04 19:36:55 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Mon.job
    [2013/03/03 19:37:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Sun.job
    [2013/03/02 19:37:21 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\PC-Sat.job
    [2013/02/19 19:15:55 | 000,827,746 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2013/02/19 19:15:55 | 000,203,310 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2013/02/19 19:13:46 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2013/02/19 19:10:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2013/02/14 03:37:42 | 000,106,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2013/02/14 03:12:40 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2013/02/11 13:43:35 | 000,012,946 | ---- | M] () -- C:\WINDOWS\HYS.INI

    ========== Files Created - No Company Name ==========

    [2013/03/09 14:04:10 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
    [2013/01/10 03:41:51 | 000,068,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/10/17 07:17:22 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\_regtlb.dll
    [2011/08/31 09:57:04 | 000,000,106 | ---- | C] () -- C:\Documents and Settings\administrator\Restart_SPT.bat
    [2011/05/18 09:15:12 | 000,075,416 | ---- | C] () -- C:\WINDOWS\System32\PDVFSNP.dll
    [2010/04/23 08:41:12 | 000,004,343 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2009/01/08 10:38:42 | 000,741,376 | ---- | C] () -- C:\Documents and Settings\administrator\Local Settings\Application Data\filesync.metadata
    [2005/10/31 13:31:56 | 000,004,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

    ========== ZeroAccess Check ==========

    [2005/10/31 12:43:14 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2007/12/21 14:28:05 | 001,508,352 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 03:02:57 | 000,483,840 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007/02/17 06:03:19 | 000,278,016 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2011/06/24 13:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\CRM Software
    [2009/08/05 12:28:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Juniper Networks
    [2009/08/05 12:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
    [2008/03/12 14:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Schwab Performance Technologies

    ========== Purity Check ==========



    < End of report >
  5. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    The Extras:
    OTL Extras logfile created on: 3/9/2013 5:49:38 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\administrator\Desktop\3-10-2013 Virus work
    Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.86 Gb Available Physical Memory | 71.63% Memory free
    5.83 Gb Paging File | 4.80 Gb Available in Paging File | 82.27% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.17 Gb Total Space | 6.52 Gb Free Space | 19.09% Space Free | Partition Type: NTFS
    Drive D: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS
    Drive F: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32
    Drive O: | 465.64 Gb Total Space | 97.01 Gb Free Space | 20.83% Space Free | Partition Type: NTFS
    Drive R: | 273.45 Gb Total Space | 150.61 Gb Free Space | 55.08% Space Free | Partition Type: NTFS

    Computer Name: HEDCODSERVER | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe" = C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe:*:Enabled:Backup Exec Remote Agent for Windows Systems -- (Symantec Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe" = C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe:*:Enabled:Backup Exec Remote Agent for Windows Systems -- (Symantec Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{020617D7-2F72-4D02-BF59-A5CBC1761177}" = SQL Server 2008 R2 Management Studio
    "{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)
    "{046755CA-F677-4B7F-AF9A-6AB295A02A30}" = Microsoft SQL Server 2008 R2 Native Client
    "{07C8EE28-7542-4D67-AC01-48CA807AB03E}" = Symantec Backup Exec (Hotfix 339930)
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{121475F5-2598-4574-8801-8F6B3D6A99BB}" = SQL Server 2008 R2 Management Studio
    "{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
    "{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
    "{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    "{2CCF7567-540B-4FA5-A778-968F7433D11E}_is1" = Junxure SQL Express Agent
    "{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{4112625F-2D38-49EF-924F-48511BC5CD34}" = SQL Server 2008 R2 Database Engine Services
    "{47BE41E6-2F0F-4D17-9C2D-3850FFD9D405}" = Microsoft SQL Server VSS Writer
    "{4C9D82EB-9001-4E59-8F64-0BEEE5F4A30A}" = SQL Server 2008 R2 Database Engine Shared
    "{4ECF4BDC-8387-329A-ABE9-CF5798F84BB2}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
    "{51E00B59-E24E-4D6A-81AD-94694BADD5CF}" = SQLXML 3.0
    "{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
    "{56F39DA5-6287-4FD4-BCA4-870F8ABBFBCE}" = Symantec Backup Exec Remote Agent for Windows Systems
    "{57B00665-DC8A-44AF-8610-3EE12C89F6EF}" = PortfolioCenter
    "{5AD32821-D80C-4F7B-A3EB-A61ABF7C9394}" = PortfolioCenter Management Console
    "{63934E99-A4F7-478C-8BB0-259BB9D78FFF}" = Microsoft Report Viewer Redistributable 2005
    "{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
    "{76866BE3-B2C7-40BB-B267-927792AED0C3}" = Microsoft SQL Server 2008 R2 Setup (English)
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77427A09-C875-4B1E-9054-29FACABD4FEF}" = PortfolioCenter Database Components
    "{7AA60015-4BAD-4146-9DB2-8AA66762EC54}" = Microsoft SQLXML 4.0 SP1
    "{7C8EAD2B-A954-4F73-AAFC-C3EC60D49ADA}" = Microsoft SQL Server 2008 R2 RsFx Driver
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{879FFED4-A41B-4486-8F9E-87CAE3B37516}" = Junxure Desktop
    "{8BD7AB08-09D5-4519-A6F2-A72381B2EC4B}" = Symantec Backup Exec (Hotfix 345316)
    "{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003
    "{913E1F2D-5A32-4D18-B983-640374D81448}" = JxPublicObject
    "{93998800-1608-403F-9A51-420A77D23C25}" = Sql Server Customer Experience Improvement Program
    "{94251E15-F03A-42CF-B762-6A75B1A0790B}" = Adaptec Storage Manager
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}" = Symantec Endpoint Protection
    "{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}" = Microsoft SQL Server System CLR Types
    "{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
    "{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)
    "{B5688129-7595-4E5B-9990-CEF981A31264}" = SyncToy
    "{B692E59A-055C-43B7-BE0A-9C2FE0AB88B6}" = Microsoft SQL Server 2008 R2 Management Objects
    "{B8E9F8A1-9F4D-43D5-ABD6-1DF067FAA469}" = SQL Server 2008 R2 Database Engine Services
    "{BF9BF038-FE03-429D-9B26-2FA0FD756052}" = Microsoft SQL Server Browser
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C186FF44-DF7E-11D3-9B04-0080C8D99A32}" = Power Console Plus Package
    "{C8885E66-9862-4CEE-ADC4-F4769598C795}" = VERITAS Update
    "{CACEA8C8-3D38-4F51-953D-1E6FC3346FEF}" = SQL Server 2008 R2 Common Files
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D21BC5B2-CBAC-48FA-A701-B5A63C1CA7B8}" = Microsoft SQL Server 2008 R2 Policies
    "{D428AB95-35B2-4868-B656-5C316E25EC69}" = SQL Server 2008 R2 Database Engine Services
    "{D441BD04-E548-4F8E-97A4-1B66135BAAA8}" = Microsoft SQL Server 2008 Setup Support Files
    "{D6D7030D-E04C-4CCA-98DD-B9B51EDE5845}" = Junxure7
    "{DDFD8348-058C-4F4B-85E5-6D740D4AB3FE}" = Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
    "{DF781E6F-BF29-4340-BEFB-09F7511B424D}" = SQL Server 2008 R2 Database Engine Services
    "{EBC91840-41E1-4CC3-AC11-0B889546223C}" = Microsoft IntelliPoint 5.5
    "{F021CC0C-21C3-4038-AA4A-6E3CBC669CE8}" = SQL Server 2008 R2 Database Engine Shared
    "{FC835376-FF3B-4CAA-83E0-2148B3FB7C98}" = SQL Server 2008 R2 Common Files
    "CCleaner" = CCleaner
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{57B00665-DC8A-44AF-8610-3EE12C89F6EF}" = PortfolioCenter
    "InstallShield_{5AD32821-D80C-4F7B-A3EB-A61ABF7C9394}" = PortfolioCenter Management Console
    "InstallShield_{77427A09-C875-4B1E-9054-29FACABD4FEF}" = PortfolioCenter Database Components
    "InstallShield_{94251E15-F03A-42CF-B762-6A75B1A0790B}" = Adaptec Storage Manager
    "LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft Report Viewer Redistributable 2005" = Microsoft Report Viewer Redistributable 2005
    "Microsoft Report Viewer Redistributable 2008 (KB971119)" = Microsoft Report Viewer Redistributable 2008 SP1
    "Microsoft SQL Server 10" = Microsoft SQL Server 2008 R2
    "Microsoft SQL Server 2005" = Microsoft SQL Server 2005
    "Microsoft SQL Server 2008 R2" = Microsoft SQL Server 2008 R2
    "Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "PROSet" = Intel(R) PRO Network Adapters and Drivers
    "Remote Agent for Windows Servers" = Symantec Backup Exec Remote Agent for Windows Systems
    "TightVNC_is1" = TightVNC 1.3.10
    "WIC" = Windows Imaging Component
    "Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "ebb9ba9810bf3c43" = Schwab Data Delivery
    "Juniper Secure Meeting 6.2.0" = Juniper Networks Secure Meeting 6.2.0

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 2/19/2013 9:25:37 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: C:\WINDOWS\SYSTEM32\DRWTSN32.EXE (PID 4160) Time: Tuesday,
    February 19, 2013 5:25:37 PM

    Error - 2/19/2013 11:04:24 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: C:\DOWNLOADS\TFC.EXE (PID 768) Time: Tuesday, February 19,
    2013 7:04:24 PM

    Error - 2/19/2013 11:04:24 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
    Logged Actor Process: C:\DOWNLOADS\TFC.EXE (PID 768) Time: Tuesday, February 19,
    2013 7:04:24 PM

    Error - 2/19/2013 11:04:24 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: C:\DOWNLOADS\TFC.EXE (PID 768) Time: Tuesday, February 19,
    2013 7:04:24 PM

    Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
    09, 2013 1:46:41 PM

    Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
    Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
    09, 2013 1:46:41 PM

    Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
    09, 2013 1:46:41 PM

    Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
    VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
    2013 2:05:25 PM

    Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
    Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
    VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
    2013 2:05:25 PM

    Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
    Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
    ActionTaken:
    Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
    VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
    2013 2:05:25 PM

    [ Directory Service Events ]
    Error - 11/16/2011 5:04:28 PM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
    Description =

    Error - 11/16/2011 6:24:25 PM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
    Description =

    Error - 1/9/2012 5:34:43 AM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
    Description =

    Error - 8/6/2012 10:46:12 PM | Computer Name = HEDCODSERVER | Source = NTDS Replication | ID = 2426919
    Description =

    [ DNS Server Events ]
    Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4015
    Description = The DNS server has encountered a critical error from the Active Directory.
    Check
    that the Active Directory is functioning properly. The extended error debug information
    (which may be empty) is "". The event data contains the error.

    Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone .. This DNS server is configured to use information obtained from Active
    Directory
    for this zone and is unable to load the zone without it. Check that the Active
    Directory is functioning properly and repeat enumeration of the zone. The extended
    error debug information (which may be empty) is "". The event data contains the
    error.

    Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone _msdcs.hedrick.local. This DNS server is configured to use information
    obtained from Active Directory for this zone and is unable to load the zone without
    it. Check that the Active Directory is functioning properly and repeat enumeration
    of
    the zone. The extended error debug information (which may be empty) is "". The event
    data contains the error.

    Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
    obtained from Active Directory for this zone and is unable to load the zone without
    it. Check that the Active Directory is functioning properly and repeat enumeration
    of
    the zone. The extended error debug information (which may be empty) is "". The event
    data contains the error.

    Error - 5/11/2012 6:35:31 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone hedrick.local. This DNS server is configured to use information obtained
    from Active Directory for this zone and is unable to load the zone without it.
    Check that the Active Directory is functioning properly and repeat enumeration of
    the zone. The extended error debug information (which may be empty) is "". The event
    data contains the error.

    Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4015
    Description = The DNS server has encountered a critical error from the Active Directory.
    Check
    that the Active Directory is functioning properly. The extended error debug information
    (which may be empty) is "". The event data contains the error.

    Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone .. This DNS server is configured to use information obtained from Active
    Directory
    for this zone and is unable to load the zone without it. Check that the Active
    Directory is functioning properly and repeat enumeration of the zone. The extended
    error debug information (which may be empty) is "". The event data contains the
    error.

    Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone _msdcs.hedrick.local. This DNS server is configured to use information
    obtained from Active Directory for this zone and is unable to load the zone without
    it. Check that the Active Directory is functioning properly and repeat enumeration
    of
    the zone. The extended error debug information (which may be empty) is "". The event
    data contains the error.

    Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
    obtained from Active Directory for this zone and is unable to load the zone without
    it. Check that the Active Directory is functioning properly and repeat enumeration
    of
    the zone. The extended error debug information (which may be empty) is "". The event
    data contains the error.

    Error - 1/10/2013 7:41:40 AM | Computer Name = HEDCODSERVER | Source = DNS | ID = 4004
    Description = The DNS server was unable to complete directory service enumeration
    of zone hedrick.local. This DNS server is configured to use information obtained
    from Active Directory for this zone and is unable to load the zone without it.
    Check that the Active Directory is functioning properly and repeat enumeration of
    the zone. The extended error debug information (which may be empty) is "". The event
    data contains the error.

    [ File Replication Service Events ]
    Error - 2/9/2011 11:34:20 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path c: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a c:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 2/9/2011 11:34:20 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path C: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a C:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 2/10/2011 7:25:56 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path c: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a c:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 2/10/2011 7:25:56 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path C: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a C:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 3/1/2011 12:43:31 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path c: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a c:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 3/1/2011 12:43:31 AM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path C: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a C:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 12/29/2011 2:46:31 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path c: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a c:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    Error - 12/29/2011 2:46:31 PM | Computer Name = HEDCODSERVER | Source = NtFrs | ID = 13570
    Description = The File Replication Service has detected that the volume hosting
    the path C: is low on disk space. Files may not replicate until disk space is made
    available on this volume. The available space on the volume can be found by typing
    "dir
    /a C:". For more information about managing space on a volume type "copy /?", "rename
    /?", "del /?", "rmdir /?", and "dir /?".

    [ System Events ]
    Error - 3/9/2013 5:47:22 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 5:47:22 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 5:57:07 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 5:57:07 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 6:59:19 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 6:59:19 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 8:07:28 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 8:07:28 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 9:48:52 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.

    Error - 3/9/2013 9:48:52 PM | Computer Name = HEDCODSERVER | Source = Removable Storage Service | ID = 262255
    Description = RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD
    USB Device.


    < End of report >

    The last ones were because I had the USB plugged into the other server.
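The Symantec tamper-protection records in the log above all name the poster's own cleanup tools (TFC, RogueKiller, MBAR) as the actor opening ccSvcHst.exe / Smc.exe, which is what you expect while scanning. The check worth having is the one that separates those from an unexpected actor. Added example (my code, not the thread's or Symantec's): it parses the wrapped multi-line event format shown above and triages each record by actor path. The sample input is constructed in the shape of the page's records; the third record with an actor in C:\WINDOWS\TEMP is invented for the example, and the allowlist of tool names is my assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the SEP tamper-protection records above.
# The first two follow the page's records; the third actor is invented to show
# what a finding that is NOT a cleanup tool looks like.
SAMPLE_EVENTS = r"""
Error - 3/9/2013 5:46:41 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: F:\SERVER\ROGUEKILLER.EXE (PID 7484) Time: Saturday, March
09, 2013 1:46:41 PM

Error - 3/9/2013 6:05:25 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Event Info: Open Process ActionTaken:
Logged Actor Process: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\3-10-2013
VIRUS WORK\MBAR-1.01.0.1021\MBAR\MBAR.EXE (PID 7308) Time: Saturday, March 09,
2013 2:05:25 PM

Error - 3/9/2013 6:40:00 PM | Computer Name = HEDCODSERVER | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec
Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process
ActionTaken:
Logged Actor Process: C:\WINDOWS\TEMP\UPDATER.EXE (PID 1234) Time: Saturday, March
09, 2013 2:40:00 PM
"""

# Assumed allowlist: the cleanup tools the thread actually ran. Basename only,
# so it is a triage hint, not proof (anything can be renamed MBAR.EXE).
KNOWN_CLEANUP_TOOLS = {"TFC.EXE", "ROGUEKILLER.EXE", "MBAR.EXE"}
SUSPECT_DIRS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\", "\\RECYCLER\\")

HEADER = re.compile(
    r"^Error - (?P<ts>.+?) \| Computer Name = (?P<host>\S+) \| Source = (?P<src>.+?) \| ID = (?P<id>\d+)")
BODY = re.compile(
    r"Target: (?P<target>.+?) Event Info: (?P<info>.+?) ActionTaken:\s*"
    r"Logged Actor Process: (?P<actor>.+?) \(PID (?P<pid>\d+)\) Time: (?P<time>.+)$")


def parse_tamper_events(text):
    """Split the export into records (blank-line separated), re-join the wrapped
    description lines, and pull out target, actor, PID and timestamp."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        h = HEADER.match(lines[0])
        if not h:
            continue
        body = " ".join(lines[1:])            # the export wraps at spaces
        if "TAMPER PROTECTION ALERT" not in body:
            continue
        b = BODY.search(body)
        if not b:
            continue
        rec = {**h.groupdict(), **b.groupdict()}
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def triage(record):
    """Verdict for one record, based on where the actor process lives."""
    actor = record["actor"].upper()
    name = actor.rsplit("\\", 1)[-1]
    if any(d in actor for d in SUSPECT_DIRS):
        return "investigate: actor runs from a temp location"
    if name in KNOWN_CLEANUP_TOOLS:
        return "expected: known cleanup tool touching SEP"
    return "investigate: unknown process opened a SEP process"


def summarize(text):
    """Return the parsed records with verdicts, plus a count per verdict class."""
    recs = parse_tamper_events(text)
    counts = Counter()
    for r in recs:
        r["verdict"] = triage(r)
        counts[r["verdict"].split(":")[0]] += 1
    return recs, counts


if __name__ == "__main__":
    for r in summarize(SAMPLE_EVENTS)[0]:
        print(f'{r["ts"]:<22} {r["actor"]:<70} -> {r["verdict"]}')
```

The verdicts here are only a first cut: an actor that is on the allowlist should still be confirmed by hash or signature before being dismissed, and any "investigate" result from a real export should be checked against the OTL and RogueKiller process lists from the same timeframe.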
  6. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
      DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
      DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
      DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
      DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
      DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
      DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
      DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
      DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
      DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
      DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe File not found
      O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
      O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: tightvnc.com ([www] http in Trusted sites)
      O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
      O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
  7. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    I didn't see this for the Dserver yesterday; I'll run them now.
  8. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    OTL Fix Log:
    All processes killed
    ========== OTL ==========
    Service WinHttpAutoProxySvc stopped successfully!
    Service WinHttpAutoProxySvc deleted successfully!
    File winhttp.dll not found.
    Service WDICA stopped successfully!
    Service WDICA deleted successfully!
    Service vsdatant stopped successfully!
    Service vsdatant deleted successfully!
    File a not found.
    Service PDRFRAME stopped successfully!
    Service PDRFRAME deleted successfully!
    Service PDRELI stopped successfully!
    Service PDRELI deleted successfully!
    Service PDFRAME stopped successfully!
    Service PDFRAME deleted successfully!
    Service PDCOMP stopped successfully!
    Service PDCOMP deleted successfully!
    Error: No service named LicenseInfo was found to stop!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo deleted successfully.
    Service IpInIp stopped successfully!
    Service IpInIp deleted successfully!
    File system32\DRIVERS\ipinip.sys not found.
    Service i2omgmt stopped successfully!
    Service i2omgmt deleted successfully!
    Service Changer stopped successfully!
    Service Changer deleted successfully!
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\VxTaskbarMgr deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\www\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tightvnc.com\www\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP\ deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: administrator
    ->Temp folder emptied: 758760 bytes
    ->Temporary Internet Files folder emptied: 3625156 bytes

    User: administrator.HEDRICK
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administratorold
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: backup_service
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: bettyh
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: relationship_manager
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: symantec_service
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1084154 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 740512 bytes

    Total Files Cleaned = 6.00 mb


    [EMPTYJAVA]

    User: administrator

    User: administrator.HEDRICK

    User: Administratorold

    User: All Users

    User: backup_service

    User: bettyh

    User: Default User

    User: LocalService

    User: NetworkService

    User: relationship_manager

    User: symantec_service

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: administrator

    User: administrator.HEDRICK

    User: Administratorold

    User: All Users

    User: backup_service

    User: bettyh

    User: Default User

    User: LocalService

    User: NetworkService

    User: relationship_manager

    User: symantec_service

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 03102013_212206

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
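A fix log like the one above is only useful if every directive in the script is matched against an outcome line; OTL prints "deleted successfully" per item, but a directive that silently produced nothing is easy to miss in a long log. Added example (my code, not OTL's or the thread's): it parses the `:OTL` directives from the fix script, looks for the corresponding deletion line in the fix log, and reports confirmed, unconfirmed and error items. The script and log excerpts are constructed from the posts above; the NavLogon deletion line is deliberately left out of the sample log so that the unconfirmed case shows up. The directive kinds handled (SRV/DRV, O4, O15, O20) and the matching rules are my assumptions about OTL's output format based on the log shown.

```python
import re

# Constructed excerpt of the fix script from the post above (trimmed).
FIX_SCRIPT = r"""
:OTL
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe File not found
O15 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..Trusted Domains: tightvnc.com ([www] http in Trusted sites)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
:Commands
[emptytemp]
"""

# Constructed excerpt of the fix log; the NavLogon line is intentionally
# missing so the verifier has something to flag.
FIX_LOG = r"""
All processes killed
========== OTL ==========
Service WinHttpAutoProxySvc stopped successfully!
Service WinHttpAutoProxySvc deleted successfully!
File winhttp.dll not found.
Service vsdatant stopped successfully!
Service vsdatant deleted successfully!
File a not found.
Error: No service named LicenseInfo was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\VxTaskbarMgr deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tightvnc.com\www\ deleted successfully.
========== COMMANDS ==========
"""

# Directive kinds this verifier understands (assumed from the log format).
DIRECTIVE_RES = [
    ("service", re.compile(r"^(?:SRV|DRV) - .*\((\S+)\)\s*$")),
    ("run_value", re.compile(r"^O4 - .*?: \[([^\]]+)\]")),
    ("trusted_domain", re.compile(r"^O15 - .*Trusted Domains: (\S+)")),
    ("winlogon_notify", re.compile(r"^O20 - Winlogon\\Notify\\(\w+):")),
]


def parse_directives(script):
    """Return (kind, name) for each line in the :OTL section of a fix script."""
    items, in_otl = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):              # section header, e.g. :OTL / :Commands
            in_otl = line.lower() == ":otl"
            continue
        if not in_otl or not line:
            continue
        for kind, rx in DIRECTIVE_RES:
            m = rx.match(line)
            if m:
                items.append((kind, m.group(1)))
                break
        else:
            items.append(("unparsed", line))
    return items


def deleted_in_log(kind, name, log_lines):
    """True if the log carries a 'deleted successfully' line for this item."""
    n = name.lower()
    for line in log_lines:
        l = line.lower()
        if not (l.endswith("deleted successfully!") or l.endswith("deleted successfully.")):
            continue
        if kind == "service" and (l == f"service {n} deleted successfully!"
                                  or l.endswith(f"\\services\\{n} deleted successfully.")):
            return True
        if kind == "run_value" and l.startswith("registry value") \
                and l.endswith(f"\\run\\\\{n} deleted successfully."):
            return True
        if kind == "trusted_domain" and l.startswith("registry key") and f"\\domains\\{n}\\" in l:
            return True
        if kind == "winlogon_notify" and l.startswith("registry key") \
                and l.endswith(f"\\winlogon\\notify\\{n}\\ deleted successfully."):
            return True
    return False


def verify_fix(script, log):
    """Cross-check every directive against the log; collect OTL error lines."""
    log_lines = [l.strip() for l in log.splitlines() if l.strip()]
    report = {"confirmed": [], "unconfirmed": [],
              "errors": [l for l in log_lines if l.startswith("Error:")]}
    for kind, name in parse_directives(script):
        if kind != "unparsed" and deleted_in_log(kind, name, log_lines):
            report["confirmed"].append((kind, name))
        else:
            report["unconfirmed"].append((kind, name))
    return report


if __name__ == "__main__":
    rep = verify_fix(FIX_SCRIPT, FIX_LOG)
    for key in ("confirmed", "unconfirmed", "errors"):
        print(key, "->", rep[key])
```

Note that the "Error: No service named LicenseInfo was found to stop!" line is not a failure by itself: the service had no running instance, and the following registry-key deletion still confirms the directive. Anything left in "unconfirmed" is what to re-run or check by hand in the registry after the reboot.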
  9. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    Checkup Log:

    Results of screen317's Security Check version 0.99.60
    Service Pack 2 x86
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    Please wait while WMIC is being installed.
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    CCleaner
    Adobe Reader 8 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

    I worked on the defrag last night and got it down to about 11%; I will try again tonight.

    FSS Log:

    Farbar Service Scanner Version: 03-03-2013
    Ran by Administrator (administrator) on 10-03-2013 at 22:44:42
    Running from "F:\DataServer"
    Microsoft Windows Server 2003 Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Nsi Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

    nsiproxy Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
    Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.

    tdx Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
    Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
    Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.

    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Other Services:
    ==============
    Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
    Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
    Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.


    File Check:
    ========

    ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


    ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

    C:\WINDOWS\system32\Drivers\afd.sys
    [2003-03-25 05:00] - [2011-12-27 07:13] - 0150528 ____N (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B


    ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2003-03-25 05:00] - [2009-08-15 02:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3

    C:\WINDOWS\system32\dnsrslvr.dll
    [2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____N (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B


    ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


    ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.


    ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.


    ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

    C:\WINDOWS\system32\vssvc.exe
    [2005-10-31 21:04] - [2007-02-16 23:09] - 0836096 ____N (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916


    ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2007-02-17 07:03] - [2007-02-17 07:03] - 0143360 ____N (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5

    C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll
    [2005-10-31 21:04] - [2007-02-17 07:03] - 0380928 ____N (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C

    C:\WINDOWS\system32\es.dll
    [2008-04-29 14:33] - [2008-04-29 14:33] - 0247296 ____N (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C

    C:\WINDOWS\system32\cryptsvc.dll
    [2007-02-17 07:02] - [2007-02-17 07:02] - 0056320 ____N (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4

    C:\WINDOWS\system32\svchost.exe
    [2007-02-17 07:04] - [2007-02-17 07:04] - 0014848 ____N (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

    C:\WINDOWS\system32\rpcss.dll
    [2009-04-25 11:57] - [2009-02-09 04:02] - 0486912 ____N (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE



    **** End of log ****

    Got to work for my company today; work on my wife's company this evening.

    Thanks for your help on this one!
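The FSS log above lists a long run of services and files as "does not exist" / "MISSING AND SHOULD BE RESTORED". On a Windows Server 2003 host most of that is expected rather than damage: Nsi, nsiproxy, tdx, bfe, MpsSvc, mpsdrv, SDRSVC and iphlpsvc first shipped with Windows Vista / Server 2008, and Security Center (wscsvc) ships on XP but not on Server 2003, while FSS checks for them regardless of OS version (which is also why Security Check reports "Windows Security Center service is not running!"). The finding that does deserve attention is the EnableFirewall=0 policy under SharedAccess. Added example (my code, not FSS's or the thread's, and the same logic applies to the second FSS log posted later in the thread): it parses FSS output, files each "missing" item as expected-absent or genuinely missing using that OS baseline, flags the firewall policy, and keeps the MD5s FSS prints for files that are present so they can be compared against a known-good set later. The baseline sets are my assumption; the sample is constructed from the posted log and adds a missing afd.sys that the real log does not report, so that a genuine hit appears.

```python
import re

# Constructed excerpt in the shape of the FSS output posted above. Not a
# verbatim copy: it keeps a few of the page's findings and adds a "missing"
# afd.sys that the real log does NOT report, to show a genuine hit.
SAMPLE_FSS = r"""
Farbar Service Scanner Version: 03-03-2013
Microsoft Windows Server 2003 Service Pack 2 (X86)
Boot Mode: Normal

Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

File Check:
========
ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\Drivers\tcpip.sys
[2003-03-25 05:00] - [2009-08-15 02:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3
"""

# Baseline (my assumption, not from FSS): components that first shipped with
# Vista / Server 2008, plus Security Center, which XP has and Server 2003 lacks.
VISTA_PLUS_SERVICES = {"nsi", "nsiproxy", "tdx", "mpsdrv", "mpssvc", "bfe", "sdrsvc", "iphlpsvc"}
XP_ONLY_SERVICES = {"wscsvc"}
VISTA_PLUS_FILES = {"nsisvc.dll", "nsiproxy.sys", "tdx.sys", "mpssvc.dll", "bfe.dll", "mpsdrv.sys", "sdrsvc.dll"}
XP_ONLY_FILES = {"wscsvc.dll"}

OS_RE = re.compile(r"^Microsoft Windows (.+?) Service Pack")
SVC_RE = re.compile(r"^(\S+) Service is not running\.")
MISSING_RE = re.compile(r"^ATTENTION!=+> (\S+) FILE IS MISSING")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^\[.+?\] - \[.+?\] - (\d+) \S+ \((.+?)\) ([0-9A-Fa-f]{32})$")


def analyze_fss(text):
    """Sort FSS 'missing' findings into expected-absent vs. genuinely missing
    for the reported OS, flag the disabled-firewall policy, and collect the
    MD5s FSS prints for files that are present."""
    lines = [l.strip() for l in text.splitlines()]
    result = {"os": "unknown", "expected_absent": [], "missing": [],
              "firewall_disabled": False, "hashes": {}}
    for line in lines:
        m = OS_RE.match(line)
        if m:
            result["os"] = m.group(1)          # e.g. "Server 2003"
            break
    legacy = result["os"].startswith("Server 2003")
    absent_services = VISTA_PLUS_SERVICES | XP_ONLY_SERVICES
    absent_files = VISTA_PLUS_FILES | XP_ONLY_FILES
    for i, line in enumerate(lines):
        m = SVC_RE.match(line)
        if m:
            name = m.group(1)
            bucket = "expected_absent" if legacy and name.lower() in absent_services else "missing"
            result[bucket].append(("service", name))
            continue
        m = MISSING_RE.match(line)
        if m:
            path = m.group(1)
            base = path.rsplit("\\", 1)[-1].lower()
            bucket = "expected_absent" if legacy and base in absent_files else "missing"
            result[bucket].append(("file", path))
            continue
        if line == '"EnableFirewall"=DWORD:0':
            result["firewall_disabled"] = True
            continue
        if PATH_RE.match(line) and i + 1 < len(lines):   # path line + detail line
            h = HASH_RE.match(lines[i + 1])
            if h:
                result["hashes"][line] = {"size": int(h.group(1)),
                                          "vendor": h.group(2),
                                          "md5": h.group(3).upper()}
    return result


if __name__ == "__main__":
    r = analyze_fss(SAMPLE_FSS)
    print("OS:", r["os"])
    print("expected absent on this OS:", r["expected_absent"])
    print("really missing:", r["missing"])
    print("firewall disabled by policy:", r["firewall_disabled"])
    print("hashes:", r["hashes"])
```

Run against a real FSS log, anything in "missing" is worth restoring from the service pack source or install media, and the collected MD5s can be checked against a clean Server 2003 SP2 box at the same patch level; the "expected_absent" list is noise on this OS and should not be "fixed".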
  10. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Still with me?
  11. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    See GA server response
  12. Broni

    Broni Malware Annihilator Posts: 46,797   +254

  13. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    So this one seems OK.

    Shall I try ESET on this one also? Or do the clean-up programs first?
  14. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You can cleanup first.
  15. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    This one is rebooting, ready to start:
  16. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    Here is the checkup log:
    Results of screen317's Security Check version 0.99.61
    Service Pack 2 x86
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    CCleaner
    Adobe Reader 8 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````
    A couple of days ago, the fragmentation was over 20%. It seems to do a few every night.

    Fss log:
    Farbar Service Scanner Version: 03-03-2013
    Ran by Administrator (administrator) on 17-03-2013 at 21:17:51
    Running from "F:\"
    Microsoft Windows Server 2003 Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Nsi Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
    nsiproxy Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
    Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.
    tdx Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
    Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
    Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    bfe Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0

    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.

    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Other Services:
    ==============
    Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
    Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
    Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

    File Check:
    ========
    ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.
    C:\WINDOWS\system32\Drivers\afd.sys
    [2003-03-25 05:00] - [2011-12-27 07:13] - 0150528 ____N (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B

    ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2003-03-25 05:00] - [2009-08-15 02:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3
    C:\WINDOWS\system32\dnsrslvr.dll
    [2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____N (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B

    ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.

    ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.
    C:\WINDOWS\system32\vssvc.exe
    [2005-10-31 21:04] - [2007-02-16 23:09] - 0836096 ____N (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916

    ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2007-02-17 07:03] - [2007-02-17 07:03] - 0143360 ____N (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5
    C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll
    [2005-10-31 21:04] - [2007-02-17 07:03] - 0380928 ____N (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C
    C:\WINDOWS\system32\es.dll
    [2008-04-29 14:33] - [2008-04-29 14:33] - 0247296 ____N (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C
    C:\WINDOWS\system32\cryptsvc.dll
    [2007-02-17 07:02] - [2007-02-17 07:02] - 0056320 ____N (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4
    C:\WINDOWS\system32\svchost.exe
    [2007-02-17 07:04] - [2007-02-17 07:04] - 0014848 ____N (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682
    C:\WINDOWS\system32\rpcss.dll
    [2009-04-25 11:57] - [2009-02-09 04:02] - 0486912 ____N (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE

    **** End of log ****

    There was no log that opened after the reboot from TFC
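    Added example, not part of this thread or of Farbar Service Scanner: a small Python parser for the "File Check" block layout in the FSS log above, run over a constructed sample that copies a few of the log's own entries; the `FileRecord` type and the `unexpected_vendor` triage helper are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the FSS "File Check" section above;
# the paths, sizes and MD5 values are copied from the log in this post.
SAMPLE_FILE_CHECK = """\
ATTENTION!=====> C:\\WINDOWS\\system32\\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\\WINDOWS\\system32\\Drivers\\afd.sys
[2003-03-25 05:00] - [2011-12-27 07:13] - 0150528 ____N (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B
C:\\WINDOWS\\system32\\wuaueng.dll => MD5 is legit
C:\\WINDOWS\\system32\\svchost.exe
[2007-02-17 07:04] - [2007-02-17 07:04] - 0014848 ____N (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682
"""

MISSING_RE = re.compile(r"^ATTENTION!=+> (.+?) FILE IS MISSING")
LEGIT_RE = re.compile(r"^(.+?) => MD5 is legit$")
DETAIL_RE = re.compile(
    r"^\[(.+?)\] - \[(.+?)\] - (\d+) (\S+) \((.+?)\) ([0-9A-Fa-f]{32})$")

@dataclass
class FileRecord:  # assumed name: one "path line + detail line" pair
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    vendor: str
    md5: str

def parse_fss_file_check(text: str) -> dict:
    """Split a File Check block into missing files, files FSS verified itself, and records."""
    result = {"missing": [], "legit": [], "records": []}
    pending = None  # bare path whose detail line has not been seen yet
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := MISSING_RE.match(line):
            result["missing"].append(m.group(1))
        elif m := LEGIT_RE.match(line):
            result["legit"].append(m.group(1))
        elif (m := DETAIL_RE.match(line)) and pending:
            created, modified, size, attrs, vendor, md5 = m.groups()
            result["records"].append(FileRecord(pending, created, modified, int(size), attrs, vendor, md5.upper()))
            pending = None
        else:
            pending = line  # a bare path; its detail line should follow
    return result

def unexpected_vendor(records: list, expected: str = "Microsoft Corporation") -> list:
    """Paths whose vendor string differs from the expected one: a triage filter only, since version strings can be forged."""
    return [r.path for r in records if r.vendor != expected]
```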
  17. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    Ran eset, no log, but the computer was rebooted with Microsoft automatic updates during the night, and I'm not sure if the autoupdates could have interrupted the updates.
  18. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You did fine.

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    =============================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
  19. glhglh

    glhglh TS Maniac Topic Starter Posts: 438

    OK, I think this one is set.
    Thank You.
  20. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You're very welcome