I did get Chrome to work, but could not download the ESET file ("blocked by computer").
I'll try Firefox this evening, but am a bit iffy; the program that installed the Rogue on the computer used Firefox.
But if we are clean, I'll delete Chrome and install Firefox.
I did run another OTL (after finding the file exception for the rogue deep in Symantec EPP).
OTL logfile created on: 3/10/2013 7:25:08 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.99 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 26.82% Memory free
4.84 Gb Paging File | 1.72 Gb Available in Paging File | 35.47% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.86 Gb Total Space | 7.22 Gb Free Space | 25.92% Space Free | Partition Type: NTFS
Drive E: | 465.64 Gb Total Space | 109.55 Gb Free Space | 23.53% Space Free | Partition Type: NTFS
Drive H: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32
Computer Name: HEDCOGASERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013/03/09 17:28:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work\OTL.exe
PRC - [2012/11/06 11:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/11/06 11:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2012/01/24 17:21:22 | 000,021,880 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
PRC - [2012/01/24 17:11:56 | 000,705,912 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
PRC - [2012/01/24 17:06:48 | 000,673,144 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
PRC - [2011/11/28 15:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2011/11/28 15:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2011/11/21 11:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2011/09/09 13:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2011/08/26 20:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/08/26 20:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2011/08/10 06:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2011/07/09 16:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2011/06/17 15:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe
PRC - [2011/04/08 14:50:00 | 000,051,104 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\rotatelogs.exe
PRC - [2011/04/08 14:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe
PRC - [2011/03/28 17:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bedbg.exe
PRC - [2011/02/22 18:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
PRC - [2011/02/22 18:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
PRC - [2011/02/16 05:23:48 | 000,145,152 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\jre\bin\java.exe
PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/07/26 22:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe
PRC - [2010/01/27 12:22:02 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/09 12:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\store.exe
PRC - [2007/02/17 07:04:04 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
PRC - [2007/02/17 07:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 07:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
PRC - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/17 07:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/17 07:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2005/09/20 18:53:14 | 000,154,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
PRC - [2005/05/11 21:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
PRC - [2005/03/02 18:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe
PRC - [2004/10/18 10:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
PRC - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
PRC - [2004/10/18 10:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
PRC - [2004/10/18 10:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
PRC - [2004/10/18 10:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
PRC - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
PRC - [2004/04/02 01:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\mad.exe
PRC - [2004/04/02 01:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe
PRC - [2004/04/02 00:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\emsmta.exe
PRC - [2004/04/02 00:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\srsmain.exe
PRC - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe
========== Modules (No Company Name) ==========
MOD - [2013/02/13 04:55:01 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
MOD - [2013/02/13 04:19:06 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2013/02/13 04:16:55 | 000,113,664 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2013/02/13 04:16:39 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2013/01/09 05:12:34 | 000,627,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad737988d5bde126a3b7770eacc51e5b\System.Transactions.ni.dll
MOD - [2013/01/09 05:11:53 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.ni.dll
MOD - [2013/01/09 05:11:53 | 000,280,064 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.Wrapper.dll
MOD - [2013/01/09 05:08:51 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
MOD - [2013/01/09 05:05:00 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/09 05:02:59 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\8462c03b4f10c4624feb95790d6d1e30\System.Data.ni.dll
MOD - [2013/01/09 04:58:34 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/09 04:57:54 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2013/01/09 04:11:10 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2013/01/09 04:11:08 | 000,471,040 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2013/01/09 04:11:05 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2012/01/12 07:00:20 | 000,131,072 | ---- | M] () -- c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\monitoring\b414b2d0\3ba7056a\xp74unmc.dll
MOD - [2012/01/12 04:03:29 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2011/12/26 06:02:43 | 000,258,048 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
MOD - [2007/06/29 09:35:32 | 000,819,200 | ---- | M] () -- c:\windows\assembly\gac\system.web.mobile\1.0.5000.0__b03f5f7f11d50a3a\system.web.mobile.dll
MOD - [2007/06/29 09:35:20 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2007/06/29 09:35:20 | 000,135,168 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
MOD - [2007/06/29 09:35:17 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
MOD - [2007/06/29 09:35:13 | 001,703,936 | ---- | M] () -- c:\windows\assembly\gac\system.design\1.0.5000.0__b03f5f7f11d50a3a\system.design.dll
MOD - [2007/06/29 09:35:12 | 001,298,432 | ---- | M] () -- c:\windows\assembly\gac\system.data\1.0.5000.0__b77a5c561934e089\system.data.dll
MOD - [2007/06/29 09:35:10 | 001,359,872 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2007/06/29 09:35:08 | 000,057,344 | ---- | M] () -- c:\windows\assembly\gac\system.web.regularexpressions\1.0.5000.0__b03f5f7f11d50a3a\system.web.regularexpressions.dll
MOD - [2007/06/29 09:35:07 | 000,241,664 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.dll
MOD - [2007/06/29 09:35:07 | 000,090,112 | ---- | M] () -- c:\windows\assembly\gac\system.directoryservices\1.0.5000.0__b03f5f7f11d50a3a\system.directoryservices.dll
MOD - [2007/06/29 09:35:07 | 000,066,560 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.thunk.dll
MOD - [2007/06/29 09:35:06 | 000,720,896 | ---- | M] () -- c:\windows\assembly\gac\microsoft.jscript\7.0.5000.0__b03f5f7f11d50a3a\microsoft.jscript.dll
MOD - [2007/04/09 12:29:17 | 000,201,728 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\EXMIME.dll
MOD - [2007/01/31 20:51:29 | 001,088,000 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\davex.dll
MOD - [2005/10/31 13:21:37 | 000,105,080 | ---- | M] () -- c:\windows\assembly\gac\system.web.ui.mobilecontrols.adapters\1.1.0.0__b03f5f7f11d50a3a\system.web.ui.mobilecontrols.adapters.dll
MOD - [2005/09/25 17:19:16 | 000,077,824 | ---- | M] () -- c:\windows\assembly\gac\system.configuration.install\1.0.5000.0__b03f5f7f11d50a3a\system.configuration.install.dll
MOD - [2005/09/25 17:19:16 | 000,032,768 | ---- | M] () -- c:\windows\assembly\gac\microsoft.vsa\7.0.5000.0__b03f5f7f11d50a3a\microsoft.vsa.dll
MOD - [2005/09/25 17:19:16 | 000,012,288 | ---- | M] () -- c:\windows\assembly\gac\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll
MOD - [2005/09/25 17:19:16 | 000,007,680 | ---- | M] () -- c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll
MOD - [2005/09/25 17:19:16 | 000,006,144 | ---- | M] () -- c:\windows\assembly\gac\microsoft.visualc\7.0.5000.0__b03f5f7f11d50a3a\microsoft.visualc.dll
MOD - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
MOD - [2005/03/24 19:49:08 | 000,348,160 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll
MOD - [2004/10/18 10:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
MOD - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
MOD - [2004/10/18 10:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
MOD - [2004/10/18 10:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
MOD - [2004/10/18 10:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
MOD - [2004/10/11 23:52:53 | 000,619,520 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\dsaccess.DLL
MOD - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
MOD - [2004/04/01 18:15:00 | 000,063,248 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LSATQ.DLL
MOD - [2003/08/01 19:28:22 | 000,060,928 | ---- | M] () -- C:\Program Files\TightVNC\VNCHooks.dll
MOD - [2003/06/20 15:24:13 | 000,070,144 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Exosal.dll
MOD - [2003/06/03 00:20:24 | 000,084,480 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Epoxy.dll
MOD - [2003/06/03 00:20:24 | 000,028,672 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\tokenm.dll
MOD - [2003/06/02 23:12:51 | 000,192,512 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LisRTL.DLL
========== Services (SafeList) ==========
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
SRV - [2012/11/06 11:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/11/06 11:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2012/01/24 17:21:22 | 000,021,880 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe -- (APC Data Service)
SRV - [2012/01/24 17:11:56 | 000,705,912 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2011/11/28 15:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2011/11/28 15:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2011/11/21 11:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2011/10/11 12:49:00 | 000,124,272 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- E:\Program Files\Symantec\Backup Exec\BackupExecManagementService.exe -- (BackupExecManagementService)
SRV - [2011/09/09 13:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2011/08/26 20:26:54 | 000,280,496 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/08/26 20:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/08/26 20:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011/08/10 06:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS)
SRV - [2011/07/09 16:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2011/06/17 15:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2011/05/03 18:27:16 | 003,114,424 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2011/04/08 14:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe -- (semwebsrv)
SRV - [2011/03/28 17:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bedbg.exe -- (bedbg)
SRV - [2011/02/22 18:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe -- (DLOMaintenanceSvc)
SRV - [2011/02/22 18:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe -- (DLOAdminSvcu)
SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/07/26 22:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe -- (SQLANYs_sem5)
SRV - [2007/04/09 12:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\store.exe -- (MSExchangeIS)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 07:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
SRV - [2007/02/17 07:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 07:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 07:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/17 07:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/17 07:02:54 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2005/07/22 10:08:50 | 000,040,960 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\SD3Service.exe -- (Supero SD3Service Daemon)
SRV - [2005/07/22 10:02:34 | 000,131,072 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\NTService.exe -- (SuperMicro Health Assistant)
SRV - [2005/05/11 21:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
SRV - [2005/05/11 21:45:23 | 000,050,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2005/05/11 21:45:23 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2005/04/29 17:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
SRV - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () [Auto | Running] -- C:\Program Files\3ware\3DM2\3dm2.exe -- (3DM2)
SRV - [2005/03/02 18:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe -- (BMISFA)
SRV - [2005/01/25 19:25:38 | 000,042,776 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\XFR.EXE -- (Intel File Transfer)
SRV - [2005/01/25 19:24:30 | 000,059,168 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\IAO.EXE -- (Intel Alert Originator)
SRV - [2005/01/25 19:24:10 | 000,038,696 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler)
SRV - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe -- (gamscm)
SRV - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\SpySer.exe -- (SpySer)
SRV - [2004/04/02 01:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
SRV - [2004/04/02 01:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2004/04/02 00:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
SRV - [2004/04/02 00:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
SRV - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2003/06/03 00:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Exchsrvr\bin\events.exe -- (MSExchangeES)
SRV - [2001/06/06 11:12:02 | 000,552,960 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\xitami\xiwinnt.exe -- (Xitami)
========== Driver Services (SafeList) ==========
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - [2013/02/26 12:49:04 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130310.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/02/26 12:49:04 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130310.007\NAVENG.SYS -- (NAVENG)
DRV - [2013/02/26 12:49:03 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013/02/26 12:49:03 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013/01/29 14:06:07 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/11/06 11:55:23 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/09/04 21:34:32 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/08/26 20:51:30 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/26 20:29:38 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/08/26 20:29:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2011/08/26 20:29:32 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
DRV - [2011/08/26 20:29:28 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/08/26 20:29:28 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2011/08/26 20:29:26 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/08/26 20:27:34 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/08/24 08:42:50 | 000,124,536 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2011/03/14 07:53:42 | 000,229,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2010/09/07 18:34:00 | 000,028,848 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2010/01/27 12:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/01/27 12:22:02 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/08/23 23:00:00 | 000,020,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2007/02/16 23:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/16 23:06:42 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/16 23:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/16 22:56:08 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/16 22:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2005/09/26 14:37:02 | 000,071,168 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\3wareDrv.sys -- (3wareDrv)
DRV - [2005/06/22 12:23:18 | 000,009,984 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\smbus.sys -- (SMBus)
DRV - [2005/01/07 10:03:12 | 000,192,292 | ---- | M] (LSI Logic Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\MegaIDE.sys -- (MegaIDE)
DRV - [2004/06/24 17:38:28 | 000,010,752 | R--- | M] (Intel (R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\svgam.sys -- (svgam)
DRV - [2004/06/10 14:28:58 | 000,014,174 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\SUPERBMC.SYS -- (superbmc)
DRV - [2004/04/02 00:08:21 | 000,195,968 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
DRV - [2001/06/20 05:05:54 | 000,003,853 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\IsaIoNt.sys -- (ISAIONT)
DRV - [2000/11/12 07:14:18 | 000,003,908 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\memmapnt.sys -- (MemMapNt)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes,DefaultScope = {9630FDCF-65AA-45F7-94F3-933E886905E1}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{84154F03-8976-40C7-912E-621E1193AD1D}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{9630FDCF-65AA-45F7-94F3-933E886905E1}: "URL" = http://www.google.com/search?q={sea...tartIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2013/03/10 00:43:08 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2005/05/11 21:45:23 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O4 - HKLM..\Run: [Display] C:\Program Files\APC\PowerChute Personal Edition\DataCollectionLauncher.exe (Schneider Electric)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
O4 - Startup: C:\Documents and Settings\backup_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\symantec_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab (DownloadManager Control)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146765840875 (MUWebControl Class)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Housecall ActiveX 6.5)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://hedcogaserver/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://symantec.webex.com/client/T26L/support/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hedrick.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5DDD41BD-9193-4897-93B5-2A6887F38683}: NameServer = 192.168.1.5
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/25 17:23:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2013/03/09 16:09:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
[2013/03/09 14:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\RK_Quarantine
[2013/03/09 12:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/03/09 12:42:16 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/03/09 12:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2013/02/24 15:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\MassSender
[2013/02/20 04:34:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2013/02/20 04:33:50 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/02/12 20:54:31 | 000,630,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2013/02/12 20:54:30 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2013/02/12 20:54:29 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2013/02/12 20:54:29 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2013/02/12 20:54:26 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2013/02/12 20:54:21 | 001,212,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2013/02/12 20:54:01 | 006,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2012/02/25 00:05:34 | 000,019,832 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\zh_res.dll
[2011/11/16 14:45:59 | 013,923,704 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\PCPE Setup.exe
[2011/11/16 14:45:59 | 001,079,808 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\mfc80u.dll
[2011/11/16 14:45:59 | 000,626,688 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\msvcr80.dll
[2011/11/16 14:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\grm_res.dll
[2011/11/16 14:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\fr_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\pt_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\it_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\es_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\en_res.dll
[2011/11/16 14:45:59 | 000,020,856 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\ru_res.dll
[2011/11/16 14:45:59 | 000,020,344 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\jp_res.dll
========== Files - Modified Within 30 Days ==========
[2013/03/10 19:25:11 | 000,002,584 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2013/03/10 18:54:13 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job
[2013/03/10 06:08:31 | 000,004,768 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2013/03/10 06:01:11 | 000,000,562 | ---- | M] () -- C:\WINDOWS\tasks\Small Business Server - Server Status Report - Server Performance Report.job
[2013/03/10 04:31:53 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job
[2013/03/10 01:09:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/03/10 00:59:49 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
[2013/03/10 00:59:19 | 000,013,744 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/03/10 00:56:04 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2013/03/10 00:41:16 | 3211,243,520 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/09 12:42:29 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/09 12:13:20 | 000,001,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
[2013/03/08 13:06:02 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a5a4616e-2ee7-11da-95a6-806e6f6e6963}.job
[2013/03/08 13:05:04 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{b59eb2dc-2dd0-11da-80e0-806e6f6e6963}.job
[2013/02/19 20:54:21 | 000,001,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2013/02/14 05:24:47 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/14 04:33:04 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/13 04:25:24 | 001,107,520 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/13 04:25:24 | 000,316,212 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
========== Files Created - No Company Name ==========
[2013/03/09 12:42:29 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/09 12:13:17 | 000,001,515 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
[2013/02/22 04:49:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/09 05:15:02 | 000,132,832 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/08/17 09:11:07 | 000,060,304 | ---- | C] () -- C:\Documents and Settings\Administrator\g2mdlhlpx.exe
[2012/08/17 09:05:09 | 000,002,871 | ---- | C] () -- C:\Documents and Settings\Administrator\.plugin141_05.trace
[2011/11/16 14:46:05 | 013,338,112 | ---- | C] () -- C:\Documents and Settings\Administrator\PCPE_3.0.1.msi
[2011/11/16 14:45:59 | 000,018,808 | ---- | C] () -- C:\Documents and Settings\Administrator\ResourceReader.dll
[2011/07/06 14:38:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/06/20 14:28:14 | 000,036,060 | ---- | C] () -- C:\WINDOWS\System32\BEPerfDll.ini
[2008/02/22 15:58:52 | 000,017,090 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2005/10/31 12:35:21 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/10/31 11:57:05 | 000,004,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
========== ZeroAccess Check ==========
[2005/09/25 17:19:11 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2007/12/21 15:28:05 | 001,508,352 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 04:02:57 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007/02/17 07:03:19 | 000,278,016 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
< End of report >
I have accounted for all of the IP addresses from this; the two I was worried about are her VoIP phones, 192.168.1.201 & 202.