Solved Clone Mailer/craigslistmailer invasion from Mars.

G

glhglh

Posts: 701   +0
Broni, the virus' you helped me with a couple of weeks ago, from my brotherinlaw's notebook, spread to our old server 2003. It filled the C: drive completely. windows uninstaller could not load, but I was able to use the tools in an old crapcleaner to clean enough space to load mbam, and start a scan. I'll post that as soon as it is complete, but am including some information I noticed:

These items have been loaded in the past 4 weeks, but not because we wanted to load it:
Microsoft.NETframwork 2.0 service pack 2 (this might just be the normal MS update)
Liveupdate 3.3 symantec (this might just be the normal MS update, or they may have hijacked it to eliminate End Point from updating)
Mozilla Maintenance Service 13.0.1 (this was also on Randy's notebook, and not loaded by us)
Mozilla Firefox 13.0.1 (this was also on Randy's notebook, and not loaded by us)
Advanced Mass Sender 4.3 (a couple of days ago) (this was also on Randy's notebook, and not loaded by us)
and VirtualCloneDrive from Elaborate Bytes (a couple of days ago) (this was also on Randy's notebook, and not loaded by us)

Also, when looking at the Task Manager, there is a user "Randy" (I disconnected this user, but Looking at the running processes, these below are still running), (you helped me clean Randy's computer two weeks ago, but somehow, his infections got to our server and set upt a user "randy". When we were working on his computer, I deleted all of the stuff in a "randy" subdirectory on this server (about 7 gigs worth), but nothing else. in the last two weeks, the user is back, and the driver is full again.

looking at the running processes theses processes are running under "Randy" user:

Logmeinsystry.exe
explorer.exe
craigslistmailer.1.7.2.exe (This was on his also)
ctfmon.exe
rdpclip.exe
notepad.exe
Craigslistmailer.exe
sqlmangr.exe
apcsystray.exe
notepad.exe
ccSvchst.exe
ipoint.exe
notepad.exe
notepad.exe
firefox.exe
notepad.exe
Craigslistemailharvesterpro.1.4.4.exe
notepad.exe

the programs I deleted using CC are:
Mozilla Maintenance Service 13.0.1
Mozilla Firefox 13.0.1
Advanced Mass Sender 4.3
and VirtualCloneDrive from Elaborate Bytes

but I did not reboot, because I did not want them to regenerate untill we were able to do some work on it.

The Mbam log is clean:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.03.09.10
Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HEDCOGASERVER [administrator]
3/9/2013 11:44:29 AM
mbam-log-2013-03-09 (11-44-29).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 313313
Time elapsed: 13 minute(s), 12 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
But I know that Mbam is a liar.

DSS said it would not run on Server 2003

Are there some tools that might work?
 
I was also going to say that I can unplug this computer from the network for a while, but it acts as our dhcp so after a while, we will need it. I think they are getting to us through our wifi, which is down the line from the wired modem, then router, then switchbox. A couple of weeks ago I couldn't get to the Belkin router/wireless (used as an access point) I change settings on our browser, so I reset it, changed it's ip address, and changed all the passwords. Starting on the 9th, I could no longer get to that wifi access point that way. This time, I'm changing to MAC addresses only.
 
Let's see what tools we can get to run on your server...

redtarget.gif
Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

redtarget.gif
Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
 
Right as I tried to post this log, your sigt went down. I forgot what I wrote to introduce this RogueKiller log, but in short, we have two servers. They are supposed to be seperate, and I didn't think there might be a problem with the second. The server this log is from is "hedcogaserver" and the other is "Hedcodserver", supposidly just for her clients' data.

RogueKiller ran all the way through, then when I deleted the "bad processes below in Notepad.exe", it started to run again. This log is from the 5th time I followed the process (are those logs somewhere on the computer?

anyway, after the 5th time through this process, I ran a report and this is the log from that time. Then I hit delete, and it started again.

I haven't started mbar on the GA server yet.

While waiting for the process, I ran Rogue Killer on the Data server. It ran once, and I started mbar on it, but I think I should start a new ticket for that one, right?

the 5th log:


RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP 64 / Windows Home Server / Windows Server 2003 (5.2.3790 Service Pack 2) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 03/09/2013 13:53:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 6 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\WINDOWS\system32\notepad.exe [7] -> KILLED [TermProc]
[Microsoft][HJNAME] notepad.exe -- C:\WINDOWS\system32\notepad.exe [7] -> KILLED [TermProc]
[Microsoft][HJNAME] notepad.exe -- C:\WINDOWS\system32\notepad.exe [7] -> KILLED [TermProc]
[Microsoft][HJNAME] notepad.exe -- C:\WINDOWS\system32\notepad.exe [7] -> KILLED [TermProc]
[Microsoft][HJNAME] notepad.exe -- C:\WINDOWS\system32\notepad.exe [7] -> KILLED [TermProc]
[Microsoft][HJNAME] notepad.exe -- C:\WINDOWS\system32\notepad.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x8094F21A -> HOOKED (Unknown @ 0x8A3514D0)
SSDT[14] : NtAlertThread @ 0x8094F1CA -> HOOKED (Unknown @ 0x8A3515B0)
SSDT[18] : NtAllocateVirtualMemory @ 0x80843EA6 -> HOOKED (Unknown @ 0x8A5FCB80)
SSDT[21] : NtAssignProcessToJobObject @ 0x80951714 -> HOOKED (Unknown @ 0x8A33BA60)
SSDT[33] : NtConnectPort @ 0x809202D8 -> HOOKED (Unknown @ 0x89E7EF50)
SSDT[45] : NtCreateMutant @ 0x80994804 -> HOOKED (Unknown @ 0x8A351220)
SSDT[54] : NtCreateSymbolicLinkObject @ 0x8093D6BA -> HOOKED (Unknown @ 0x8A33B880)
SSDT[55] : NtCreateThread @ 0x8094AE46 -> HOOKED (Unknown @ 0x896F8038)
SSDT[59] : NtDebugActiveProcess @ 0x809A186A -> HOOKED (Unknown @ 0x8A33BB40)
SSDT[71] : NtDuplicateObject @ 0x8093629A -> HOOKED (Unknown @ 0x8A670668)
SSDT[87] : NtFreeVirtualMemory @ 0x80857640 -> HOOKED (Unknown @ 0x8A14B790)
SSDT[93] : NtImpersonateAnonymousToken @ 0x80974910 -> HOOKED (Unknown @ 0x8A351310)
SSDT[95] : NtImpersonateThread @ 0x809525E2 -> HOOKED (Unknown @ 0x8A3513F0)
SSDT[101] : NtLoadDriver @ 0x808FA04E -> HOOKED (Unknown @ 0x8A4483C8)
SSDT[113] : NtMapViewOfSection @ 0x8092D4AC -> HOOKED (Unknown @ 0x8A33D2A8)
SSDT[120] : NtOpenEvent @ 0x8098BBE6 -> HOOKED (Unknown @ 0x8A351140)
SSDT[128] : LdrShutdownThread @ 0x80944A68 -> HOOKED (Unknown @ 0x8A1B9928)
SSDT[129] : NtOpenProcessToken @ 0x80968E04 -> HOOKED (Unknown @ 0x8A60A808)
SSDT[131] : NtOpenSection @ 0x809268C6 -> HOOKED (Unknown @ 0x8A33BD68)
SSDT[134] : NtOpenThread @ 0x80944CF6 -> HOOKED (Unknown @ 0x89FC9350)
SSDT[143] : NtProtectVirtualMemory @ 0x80931D92 -> HOOKED (Unknown @ 0x8A33B970)
SSDT[214] : NtResumeThread @ 0x8094F058 -> HOOKED (Unknown @ 0x8A351670)
SSDT[221] : NtSetContextThread @ 0x8094CA2A -> HOOKED (Unknown @ 0x896F4110)
SSDT[237] : NtSetInformationProcess @ 0x8094792A -> HOOKED (Unknown @ 0x8979B838)
SSDT[249] : NtSetSystemInformation @ 0x8098DB5E -> HOOKED (Unknown @ 0x8A33BC20)
SSDT[262] : NtSuspendProcess @ 0x8094F11E -> HOOKED (Unknown @ 0x8A351060)
SSDT[263] : NtSuspendThread @ 0x8094EF94 -> HOOKED (Unknown @ 0x8979B5F0)
SSDT[266] : NtTerminateProcess @ 0x8094C0AC -> HOOKED (Unknown @ 0x8A33CE10)
SSDT[267] : NtTerminateThread @ 0x8094C2B8 -> HOOKED (Unknown @ 0x8979B6D0)
SSDT[277] : NtUnmapViewOfSection @ 0x809234AE -> HOOKED (Unknown @ 0x896F4148)
SSDT[287] : NtWriteVirtualMemory @ 0x8092F23E -> HOOKED (Unknown @ 0x8A243840)
S_SSDT[306] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A3321D0)
S_SSDT[382] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A6B8D98)
S_SSDT[413] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A4B2AD8)
S_SSDT[415] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A33A9B0)
S_SSDT[427] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x895A4138)
S_SSDT[459] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A2B0790)
S_SSDT[474] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A0BF0E0)
S_SSDT[475] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8960A3E0)
S_SSDT[545] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x895F57C0)
S_SSDT[548] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x89605E88)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: LSI MegaIDE #00 SCSI Disk Device +++++
--- User ---
[MBR] 901b202174f07b6f8116da694ab95b18
[BSP] 6873910c330c6c572503b18ced8bde54 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 28529 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: AMCC 9500S- B0:Drv00a SCSI Disk Device +++++
--- User ---
[MBR] 5876689f11ddee9141afbf2a5c770b5f
[BSP] bddde38683cf9cc4361b98f190dc3946 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476811 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: Seagate FreeAgent GoFlex USB Device +++++
--- User ---
[MBR] ef2a18ac34e78e3cd92470a4b641ed62
[BSP] a048b73f78a92639ec28a0b541c72226 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] de79b0a6ba136ca530d3978bc047a5be
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 16208 | Size: 15326 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[5]_D_03092013_02d1353.txt >>
RKreport[1]_S_03092013_02d1324.txt ; RKreport[2]_D_03092013_02d1328.txt ; RKreport[3]_D_03092013_02d1339.txt ; RKreport[4]_D_03092013_02d1344.txt ; RKreport[5]

_D_03092013_02d1353.txt

The PhysicalDrive2 (F:) is the backup disk. should I take it out?
The physicaldrive3 is the usb I'm using to put the downloaded programs from you, and save the logs to.

are the LL1 & LL2 users? and because I logged the "Randy" user off, the LL2 MBR has an error reading?
 
Mbar created two logs:
Mbar system:
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

(c) Malwarebytes Corporation 2011-2012

OS version: 5.2.3790 Windows Server 2003 Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 3.200000 GHz
Memory total: 3211132928, free: 609927168

------------ Kernel report ------------
03/09/2013 15:11:26
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
volsnap.sys
PartMgr.sys
atapi.sys
MegaIDE.sys
\WINDOWS\system32\drivers\SCSIPORT.SYS
3wareDrv.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
SYMDS.SYS
SYMEFA.SYS
Dfs.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
crcdisk.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\svgam.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\watchdog.sys
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\point32.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\VClone.sys
\SystemRoot\system32\DRIVERS\teefer.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\System32\Drivers\superbmc.SYS
\SystemRoot\System32\Drivers\SMBus.SYS
\SystemRoot\System32\DRIVERS\scsichng.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\MemMapNt.SYS
\SystemRoot\System32\Drivers\ISAIONT.SYS
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_MegaIDE.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\svgad.dll
\SystemRoot\System32\ATMFD.DLL
\??\C:\WINDOWS\system32\drivers\exifs.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\DRIVERS\VirtFile.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\RDPDD.dll
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSxpx86.sys
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVEX15.SYS
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVENG.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR18
Upper Device Object: 0xffffffff86d50858
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000090\
Lower Device Object: 0xffffffff875c2ea0
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR14
Upper Device Object: 0xffffffff8a44cab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000008c\
Lower Device Object: 0xffffffff890266e0
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8ab40ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\3wareDrv1Port3Path0Target0Lun0\
Lower Device Object: 0xffffffff8ab42030
Lower Device Driver Name: \Driver\3wareDrv\
Driver name found: 3wareDrv
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ab40030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\MegaIDE1Port2Path0Target4Lun0\
Lower Device Object: 0xffffffff8ab44030
Lower Device Driver Name: \Driver\MegaIDE\
Driver name found: MegaIDE
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.03.09.13
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ab40030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab45798, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ab40030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ab44030, DeviceName: \Device\Scsi\MegaIDE1Port2Path0Target4Lun0\, DriverName: \Driver\MegaIDE\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe790d500, 0xffffffff8ab40030, 0xffffffff86d763c0
Lower DeviceData: 0xffffffffe6900bc0, 0xffffffff8ab44030, 0xffffffff876b9650
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C989C989

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 58428342
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 29930553344 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-58438112-58458112)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8ab40ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab45570, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ab40ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ab42030, DeviceName: \Device\Scsi\3wareDrv1Port3Path0Target0Lun0\, DriverName: \Driver\3wareDrv\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe6ffdae8, 0xffffffff8ab40ab8, 0xffffffff8815d418
Lower DeviceData: 0xffffffffe1a12068, 0xffffffff8ab42030, 0xffffffff87012130
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: B72C615B

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 976510962

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 499977814016 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff8a44cab8, DeviceName: \Device\Harddisk2\DR14\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff88589df8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a44cab8, DeviceName: \Device\Harddisk2\DR14\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff890266e0, DeviceName: \Device\0000008c\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR14\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe58ab720, 0xffffffff8a44cab8, 0xffffffff86d84818
Lower DeviceData: 0xffffffffe684b728, 0xffffffff890266e0, 0xffffffff87aef200
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 490423C6

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 976768002

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107861504 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 3, DevicePointer: 0xffffffff86d50858, DeviceName: \Device\Harddisk3\DR18\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff87b34658, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86d50858, DeviceName: \Device\Harddisk3\DR18\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff875c2ea0, DeviceName: \Device\00000090\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk3\DR18\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe72dfb30, 0xffffffff86d50858, 0xffffffff89813ab8
Lower DeviceData: 0xffffffffe10ec768, 0xffffffff875c2ea0, 0xffffffff87fa4708
Drive 3
Scanning MBR on drive 3...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C3072E18

Partition information:

Partition 0 type is Other (0xc)
Partition is ACTIVE.
Partition starts at LBA: 16208 Numsec = 31389616
Partition file system is FAT32
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 16079781888 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Done!
Scan finished
 
And the Mbar log:
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.09.13

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HEDCOGASERVER [administrator]

3/9/2013 3:54:35 PM
mbar-log-2013-03-09 (15-54-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 27146
Time elapsed: 42 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
redtarget.gif
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

redtarget.gif
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
Will Combofix work on SBS Server 2003?

I see this: [FONT=arial]If you just want to know what applications will run on Windows Server 2003, it would have been better to post your question in the Software Forum. However tools like SUPERAntiSpyware, Malwarebytes, AVG, Avira, Avast, [/FONT][FONT=arial][FONT=inherit][FONT=inherit]PC[/FONT][/FONT][/FONT][FONT=arial] Tools AntiVirus, Comodo all work on Windows Server 2003.[/FONT]

[FONT=arial]Oh and MGTools from our cleaning procedure also runs on Windows Server 2003, but you have to know what to do with the logs it provides and how to manually remove anything that is shown in the logs. [/FONT]
 
It won't. Sorry about it.

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Thanks, I think I found that noone came out and specifically said that it would not work, but most of the threads in the my search had people work around it.

I'll do OTL on both servers.

Bye-the-way What does Broni mean?
 
The first time I ran it, I had the usbdrive in this computer, and there were no logs, otl or extras so I reran the OTL and after a long time, only got an OTL log, but no extras.txt. I searched the computer, but nothing there. IO see a lot of the bad items, Craigsl9istemailharvester/craigslistmailer/firefox (we did not install it). Got to get rid of the randy.hedrick user and everything in it, and the ill gotten fruits of it.

here is the otl:

OTL logfile created on: 3/9/2013 7:05:17 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = H:\GAServer
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 0.44 Gb Available Physical Memory | 14.79% Memory free
6.02 Gb Paging File | 1.60 Gb Available in Paging File | 26.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.86 Gb Total Space | 0.89 Gb Free Space | 3.20% Space Free | Partition Type: NTFS
Drive E: | 465.64 Gb Total Space | 97.01 Gb Free Space | 20.83% Space Free | Partition Type: NTFS
Drive H: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.74% Space Free | Partition Type: FAT32

Computer Name: HEDCOGASERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found --
PRC - [2013/03/09 17:28:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- H:\GAServer\OTL.exe
PRC - [2013/02/22 03:49:25 | 000,187,904 | ---- | M] (www.CraigslistEmailHarvester.com) -- C:\Documents and Settings\randy.HEDRICK\My Documents\Downloads\CraigslistEmailHarvesterPro.1.4.4.exe
PRC - [2013/02/21 09:34:07 | 000,106,496 | ---- | M] (http://CraigslistEmailHarvester.com) -- C:\Documents and Settings\randy.HEDRICK\My Documents\Downloads\CraigslistMailer.1.7.0.2_32\CraigslistMailer.1.7.0.2_32\CraigslistMailer.1.7.0.2.exe
PRC - [2013/02/21 09:11:33 | 000,151,040 | ---- | M] (http://CraigslistEmailHarvester.com) -- C:\Documents and Settings\randy.HEDRICK\My Documents\Downloads\CraigslistMailer.2.0.1.0_32\CraigslistMailer.2.0.1.0_32\CraigslistMailer2.0.1.0_32\CraigslistMailer.exe
PRC - [2012/11/06 10:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/11/06 10:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/01/30 04:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2012/01/24 16:21:22 | 000,021,880 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
PRC - [2012/01/24 16:11:56 | 000,705,912 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
PRC - [2012/01/24 16:06:48 | 000,673,144 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
PRC - [2011/11/28 14:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2011/11/28 14:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2011/11/21 10:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2011/09/09 12:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2011/08/26 19:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/08/26 19:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2011/08/10 05:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2011/07/09 15:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2011/06/17 14:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe
PRC - [2011/04/08 13:50:00 | 000,051,104 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\rotatelogs.exe
PRC - [2011/04/08 13:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe
PRC - [2011/03/28 16:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bedbg.exe
PRC - [2011/02/22 17:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
PRC - [2011/02/22 17:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
PRC - [2011/02/16 04:23:48 | 000,145,152 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\jre\bin\java.exe
PRC - [2010/11/08 12:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/07/26 21:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe
PRC - [2010/01/27 11:22:02 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/09 11:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\store.exe
PRC - [2007/02/17 06:04:04 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 06:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
PRC - [2007/02/17 06:03:56 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 06:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 06:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
PRC - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/17 06:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/17 06:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2005/09/20 17:53:14 | 000,154,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
PRC - [2005/05/11 20:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2005/05/11 20:45:23 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scrnsave.scr
PRC - [2005/04/05 12:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
PRC - [2005/03/02 17:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe
PRC - [2004/10/18 09:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
PRC - [2004/10/18 09:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
PRC - [2004/10/18 09:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
PRC - [2004/10/18 09:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
PRC - [2004/10/18 09:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
PRC - [2004/10/11 11:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
PRC - [2004/04/02 00:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\mad.exe
PRC - [2004/04/02 00:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe
PRC - [2004/04/01 23:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\emsmta.exe
PRC - [2004/04/01 23:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\srsmain.exe
PRC - [2003/08/01 18:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/13 03:55:01 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
MOD - [2013/02/13 03:34:39 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ba12e418b906593b7c9c18f971f36bf9\System.Windows.Forms.ni.dll
MOD - [2013/02/13 03:19:06 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2013/02/13 03:16:55 | 000,113,664 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2013/02/13 03:16:39 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2013/01/09 04:12:34 | 000,627,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad737988d5bde126a3b7770eacc51e5b\System.Transactions.ni.dll
MOD - [2013/01/09 04:11:53 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.ni.dll
MOD - [2013/01/09 04:11:53 | 000,280,064 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.Wrapper.dll
MOD - [2013/01/09 04:08:51 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
MOD - [2013/01/09 04:06:38 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\cbee94ec6a0fe649e3b4643cea6e1259\Accessibility.ni.dll
MOD - [2013/01/09 04:05:00 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/09 04:04:08 | 001,593,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7782f356a838c403b4a8e9c80df5a577\System.Drawing.ni.dll
MOD - [2013/01/09 04:02:59 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\8462c03b4f10c4624feb95790d6d1e30\System.Data.ni.dll
MOD - [2013/01/09 04:02:28 | 002,295,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\edbf4e4a55e63b9fbf0b0b40cba13063\System.Core.ni.dll
MOD - [2013/01/09 03:58:34 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/09 03:57:54 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2013/01/09 03:11:10 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2013/01/09 03:11:08 | 000,471,040 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2013/01/09 03:11:05 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2012/01/12 06:00:20 | 000,131,072 | ---- | M] () -- c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\monitoring\b414b2d0\3ba7056a\xp74unmc.dll
MOD - [2012/01/12 03:03:29 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2011/12/26 05:02:43 | 000,258,048 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
MOD - [2007/06/29 08:35:32 | 000,819,200 | ---- | M] () -- c:\windows\assembly\gac\system.web.mobile\1.0.5000.0__b03f5f7f11d50a3a\system.web.mobile.dll
MOD - [2007/06/29 08:35:20 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2007/06/29 08:35:20 | 000,135,168 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
MOD - [2007/06/29 08:35:17 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
MOD - [2007/06/29 08:35:13 | 001,703,936 | ---- | M] () -- c:\windows\assembly\gac\system.design\1.0.5000.0__b03f5f7f11d50a3a\system.design.dll
MOD - [2007/06/29 08:35:12 | 001,298,432 | ---- | M] () -- c:\windows\assembly\gac\system.data\1.0.5000.0__b77a5c561934e089\system.data.dll
MOD - [2007/06/29 08:35:10 | 001,359,872 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2007/06/29 08:35:08 | 000,057,344 | ---- | M] () -- c:\windows\assembly\gac\system.web.regularexpressions\1.0.5000.0__b03f5f7f11d50a3a\system.web.regularexpressions.dll
MOD - [2007/06/29 08:35:07 | 000,241,664 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.dll
MOD - [2007/06/29 08:35:07 | 000,090,112 | ---- | M] () -- c:\windows\assembly\gac\system.directoryservices\1.0.5000.0__b03f5f7f11d50a3a\system.directoryservices.dll
MOD - [2007/06/29 08:35:07 | 000,066,560 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.thunk.dll
MOD - [2007/06/29 08:35:06 | 000,720,896 | ---- | M] () -- c:\windows\assembly\gac\microsoft.jscript\7.0.5000.0__b03f5f7f11d50a3a\microsoft.jscript.dll
MOD - [2007/04/09 11:29:17 | 000,201,728 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\EXMIME.dll
MOD - [2007/01/31 19:51:29 | 001,088,000 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\davex.dll
MOD - [2005/10/31 12:21:37 | 000,105,080 | ---- | M] () -- c:\windows\assembly\gac\system.web.ui.mobilecontrols.adapters\1.1.0.0__b03f5f7f11d50a3a\system.web.ui.mobilecontrols.adapters.dll
MOD - [2005/09/25 16:19:16 | 000,077,824 | ---- | M] () -- c:\windows\assembly\gac\system.configuration.install\1.0.5000.0__b03f5f7f11d50a3a\system.configuration.install.dll
MOD - [2005/09/25 16:19:16 | 000,032,768 | ---- | M] () -- c:\windows\assembly\gac\microsoft.vsa\7.0.5000.0__b03f5f7f11d50a3a\microsoft.vsa.dll
MOD - [2005/09/25 16:19:16 | 000,012,288 | ---- | M] () -- c:\windows\assembly\gac\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll
MOD - [2005/09/25 16:19:16 | 000,007,680 | ---- | M] () -- c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll
MOD - [2005/09/25 16:19:16 | 000,006,144 | ---- | M] () -- c:\windows\assembly\gac\microsoft.visualc\7.0.5000.0__b03f5f7f11d50a3a\microsoft.visualc.dll
MOD - [2005/05/11 20:45:23 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2005/04/05 12:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
MOD - [2005/03/24 18:49:08 | 000,348,160 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll
MOD - [2004/10/18 09:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
MOD - [2004/10/18 09:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
MOD - [2004/10/18 09:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
MOD - [2004/10/18 09:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
MOD - [2004/10/18 09:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
MOD - [2004/10/11 22:52:53 | 000,619,520 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\dsaccess.DLL
MOD - [2004/10/11 11:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
MOD - [2004/04/01 17:15:00 | 000,063,248 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LSATQ.DLL
MOD - [2003/08/01 18:28:22 | 000,060,928 | ---- | M] () -- C:\Program Files\TightVNC\VNCHooks.dll
MOD - [2003/06/20 14:24:13 | 000,070,144 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Exosal.dll
MOD - [2003/06/02 23:20:24 | 000,084,480 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Epoxy.dll
MOD - [2003/06/02 23:20:24 | 000,028,672 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\tokenm.dll
MOD - [2003/06/02 22:12:51 | 000,192,512 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LisRTL.DLL


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
SRV - [2012/11/06 10:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/11/06 10:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/01/30 04:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2012/01/24 16:21:22 | 000,021,880 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe -- (APC Data Service)
SRV - [2012/01/24 16:11:56 | 000,705,912 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2011/11/28 14:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2011/11/28 14:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2011/11/21 10:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2011/10/11 11:49:00 | 000,124,272 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- E:\Program Files\Symantec\Backup Exec\BackupExecManagementService.exe -- (BackupExecManagementService)
SRV - [2011/09/09 12:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2011/08/26 19:26:54 | 000,280,496 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/08/26 19:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/08/26 19:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011/08/10 05:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS)
SRV - [2011/07/09 15:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2011/06/17 14:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2011/05/03 17:27:16 | 003,114,424 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2011/04/08 13:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe -- (semwebsrv)
SRV - [2011/03/28 16:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bedbg.exe -- (bedbg)
SRV - [2011/02/22 17:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe -- (DLOMaintenanceSvc)
SRV - [2011/02/22 17:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe -- (DLOAdminSvcu)
SRV - [2010/11/08 12:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/07/26 21:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe -- (SQLANYs_sem5)
SRV - [2007/04/09 11:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\store.exe -- (MSExchangeIS)
SRV - [2007/02/17 06:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 06:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 06:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
SRV - [2007/02/17 06:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 06:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 06:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
SRV - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
SRV - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
SRV - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc)
SRV - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
SRV - [2007/02/17 06:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/17 06:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/17 06:02:54 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2005/07/22 09:08:50 | 000,040,960 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\SD3Service.exe -- (Supero SD3Service Daemon)
SRV - [2005/07/22 09:02:34 | 000,131,072 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\NTService.exe -- (SuperMicro Health Assistant)
SRV - [2005/05/11 20:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
SRV - [2005/05/11 20:45:23 | 000,050,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2005/05/11 20:45:23 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2005/04/29 16:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
SRV - [2005/04/05 12:40:30 | 001,228,800 | ---- | M] () [Auto | Running] -- C:\Program Files\3ware\3DM2\3dm2.exe -- (3DM2)
SRV - [2005/03/02 17:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe -- (BMISFA)
SRV - [2005/01/25 18:25:38 | 000,042,776 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\XFR.EXE -- (Intel File Transfer)
SRV - [2005/01/25 18:24:30 | 000,059,168 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\IAO.EXE -- (Intel Alert Originator)
SRV - [2005/01/25 18:24:10 | 000,038,696 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler)
SRV - [2004/10/18 09:35:50 | 000,073,266 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe -- (gamscm)
SRV - [2004/10/11 11:19:22 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\SpySer.exe -- (SpySer)
SRV - [2004/04/02 00:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
SRV - [2004/04/02 00:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2004/04/01 23:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
SRV - [2004/04/01 23:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
SRV - [2003/08/01 18:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2003/06/02 23:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Exchsrvr\bin\events.exe -- (MSExchangeES)
SRV - [2001/06/06 10:12:02 | 000,552,960 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\xitami\xiwinnt.exe -- (Xitami)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/03/09 15:11:22 | 000,035,144 | ---- | M] () [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2013/02/26 11:49:04 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/02/26 11:49:04 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130309.003\NAVENG.SYS -- (NAVENG)
DRV - [2013/02/19 10:41:12 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys -- (EraserUtilDrv11220)
DRV - [2013/01/29 13:06:07 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/11/06 10:55:23 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/09/04 20:34:32 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/08/26 19:51:30 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/26 19:29:38 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/08/26 19:29:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2011/08/26 19:29:32 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
DRV - [2011/08/26 19:29:28 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/08/26 19:29:28 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2011/08/26 19:29:26 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/08/26 19:27:34 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/08/24 07:42:50 | 000,124,536 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2011/03/14 06:53:42 | 000,229,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2010/09/07 17:34:00 | 000,028,848 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2010/01/27 11:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/01/27 11:22:02 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/08/23 22:00:00 | 000,020,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2007/02/16 22:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/16 22:06:42 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/16 22:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/16 21:56:08 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/16 21:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2005/09/26 13:37:02 | 000,071,168 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\3wareDrv.sys -- (3wareDrv)
DRV - [2005/06/22 11:23:18 | 000,009,984 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\smbus.sys -- (SMBus)
DRV - [2005/01/07 09:03:12 | 000,192,292 | ---- | M] (LSI Logic Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\MegaIDE.sys -- (MegaIDE)
DRV - [2004/06/24 16:38:28 | 000,010,752 | R--- | M] (Intel (R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\svgam.sys -- (svgam)
DRV - [2004/06/10 13:28:58 | 000,014,174 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\SUPERBMC.SYS -- (superbmc)
DRV - [2004/04/01 23:08:21 | 000,195,968 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
DRV - [2001/06/20 04:05:54 | 000,003,853 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\IsaIoNt.sys -- (ISAIONT)
DRV - [2000/11/12 06:14:18 | 000,003,908 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\memmapnt.sys -- (MemMapNt)
 
And continued:


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes,DefaultScope = {9630FDCF-65AA-45F7-94F3-933E886905E1}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{84154F03-8976-40C7-912E-621E1193AD1D}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{9630FDCF-65AA-45F7-94F3-933E886905E1}: "URL" = http://www.google.com/search?q={sea...tartIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2013/02/20 15:00:36 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2005/05/11 20:45:23 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O3 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Display] C:\Program Files\APC\PowerChute Personal Edition\DataCollectionLauncher.exe (Schneider Electric)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
O4 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159..\Run: [ROC_JAN2013_TB] "C:\Program Files\AVG Secure Search\ROC_JAN2013_TB.exe" /PROMPT /CMPID=JAN2013_TB File not found
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Z1] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
O4 - Startup: C:\Documents and Settings\backup_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\randy.HEDRICK\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\symantec_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1595\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab (DownloadManager Control)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146765840875 (MUWebControl Class)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Housecall ActiveX 6.5)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://hedcogaserver/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://symantec.webex.com/client/T26L/support/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hedrick.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5DDD41BD-9193-4897-93B5-2A6887F38683}: NameServer = 192.168.1.5
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/25 16:23:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\Shell - "" = AutoRun
O33 - MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\Shell\AutoRun\command - "" = F:\Browser.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/03/09 15:09:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
[2013/03/09 13:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\RK_Quarantine
[2013/03/09 11:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/03/09 11:42:16 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/03/09 11:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2013/02/24 14:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\MassSender
[2013/02/20 03:34:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2013/02/20 03:33:50 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/02/24 23:05:34 | 000,019,832 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\zh_res.dll
[2011/11/16 13:45:59 | 013,923,704 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\PCPE Setup.exe
[2011/11/16 13:45:59 | 001,079,808 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\mfc80u.dll
[2011/11/16 13:45:59 | 000,626,688 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\msvcr80.dll
[2011/11/16 13:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\grm_res.dll
[2011/11/16 13:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\fr_res.dll
[2011/11/16 13:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\pt_res.dll
[2011/11/16 13:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\it_res.dll
[2011/11/16 13:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\es_res.dll
[2011/11/16 13:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\en_res.dll
[2011/11/16 13:45:59 | 000,020,856 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\ru_res.dll
[2011/11/16 13:45:59 | 000,020,344 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\jp_res.dll

========== Files - Modified Within 30 Days ==========

[2013/03/09 19:52:59 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job
[2013/03/09 19:42:43 | 000,002,586 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2013/03/09 15:11:22 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/03/09 11:42:29 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/09 11:13:20 | 000,001,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
[2013/03/09 11:08:38 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/03/09 11:04:31 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
[2013/03/09 11:04:29 | 000,013,744 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/03/09 06:01:51 | 000,000,562 | ---- | M] () -- C:\WINDOWS\tasks\Small Business Server - Server Status Report - Server Performance Report.job
[2013/03/09 05:02:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2013/03/09 04:37:04 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job
[2013/03/08 12:06:02 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a5a4616e-2ee7-11da-95a6-806e6f6e6963}.job
[2013/03/08 12:05:04 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{b59eb2dc-2dd0-11da-80e0-806e6f6e6963}.job
[2013/03/08 09:18:58 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2013/02/20 14:58:09 | 3211,243,520 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/19 19:54:21 | 000,001,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2013/02/14 04:24:47 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/14 03:33:04 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/13 03:25:24 | 001,107,520 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/13 03:25:24 | 000,316,212 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2013/03/09 15:11:22 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/03/09 11:42:29 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/09 11:13:17 | 000,001,515 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
[2013/02/22 03:49:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/09 04:15:02 | 000,132,832 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/08/17 08:11:07 | 000,060,304 | ---- | C] () -- C:\Documents and Settings\Administrator\g2mdlhlpx.exe
[2012/08/17 08:05:09 | 000,002,871 | ---- | C] () -- C:\Documents and Settings\Administrator\.plugin141_05.trace
[2011/11/16 13:46:05 | 013,338,112 | ---- | C] () -- C:\Documents and Settings\Administrator\PCPE_3.0.1.msi
[2011/11/16 13:45:59 | 000,018,808 | ---- | C] () -- C:\Documents and Settings\Administrator\ResourceReader.dll
[2011/07/06 13:38:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/06/20 13:28:14 | 000,036,060 | ---- | C] () -- C:\WINDOWS\System32\BEPerfDll.ini
[2008/02/22 14:58:52 | 000,017,090 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2005/10/31 11:35:21 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/10/31 10:57:05 | 000,004,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2005/09/25 16:19:11 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2007/12/21 14:28:05 | 001,508,352 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 03:02:57 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007/02/17 06:03:19 | 000,278,016 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2005/10/25 17:54:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\APC
[2009/05/15 15:44:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2013/01/16 11:11:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2013/03/09 16:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/08/26 13:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11

========== Purity Check ==========

< End of report >

With my bad memory, I did a scan for Boroni, nothing, but the urbandictionary.com had a whole conjugation, remember getting old is pigeon poop.
 
redtarget.gif
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- a -- (vsdatant)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
O3 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O3 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159..\Run: [ROC_JAN2013_TB] "C:\Program Files\AVG Secure Search\ROC_JAN2013_TB.exe" /PROMPT /CMPID=JAN2013_TB File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O33 - MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\Shell - "" = AutoRun
O33 - MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\Shell\AutoRun\command - "" = F:\Browser.exe

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

Last scans...

redtarget.gif
Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.


redtarget.gif
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

redtarget.gif
Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

redtarget.gif
Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
OK, here are the logs we have. I was just in the server room (sounds very posh, doesn't it. We made a server room out of a corner of a store room in the basement, hooked up strong bathroom fans to run all the time and vent into the garage, made a couple of open spots on two walls for air to enter, and covered them with some furnace filters), noisy but seeing we are in the Northwest, the room never gets above 72, it works.

I was looking at the Symantec End Point Protections settings, and saw that there were a number of "protected files", couldn't find them, but did find an exception for the CraigsListmailer item. once I eliminated that protections, it popped up in EPP, and was deleted, but I fear that we may not be done.

I finished all of the scans except for the Eset. I tried to start it, but at the spot where you accept their terms, soon after, in the right hand corner a button should become visible to start, but I left is all night with nothing happening. Here are the logs, but I also started OTL once more to see if the symantec protection change will help.

All processes killed
========== OTL ==========
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service vsdatant stopped successfully!
Service vsdatant deleted successfully!
File a not found.
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Error: No service named LicenseInfo was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo deleted successfully.
Service IpInIp stopped successfully!
Service IpInIp deleted successfully!
File system32\DRIVERS\ipinip.sys not found.
Service i2omgmt stopped successfully!
Service i2omgmt deleted successfully!
Service eeCtrl stopped successfully!
Service eeCtrl deleted successfully!
File C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys not found.
Service Changer stopped successfully!
Service Changer deleted successfully!
Registry value HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2052151345-2250342621-3819923535-1159\Software\Microsoft\Windows\CurrentVersion\Run\\ROC_JAN2013_TB deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a5fb078b-a8bc-11e0-bc56-e8b5a62ebd72}\ not found.
File F:\Browser.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1536352 bytes
->Temporary Internet Files folder emptied: 2628152 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: backup_service
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: bettyh
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2203 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: randy.HEDRICK
->Temp folder emptied: 428604 bytes
->Temporary Internet Files folder emptied: 186209 bytes
->FireFox cache emptied: 86741056 bytes

User: Relationship_Manager
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: symantec_service
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 991232 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 11729 bytes

Total Files Cleaned = 88.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: backup_service

User: bettyh

User: Default User

User: LocalService

User: NetworkService

User: randy.HEDRICK

User: Relationship_Manager

User: symantec_service

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: backup_service

User: bettyh

User: Default User

User: LocalService

User: NetworkService

User: randy.HEDRICK

User: Relationship_Manager

User: symantec_service

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03092013_214946

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\hsperfdata_SYSTEM\8412 not found!
File move failed. C:\WINDOWS\temp\sqla0000.tmp scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Checkup:
Results of screen317's Security Check version 0.99.60
Service Pack 2 x86
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Please wait while WMIC is being installed.
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Java Web Start
Java 2 Runtime Environment, SE v1.4.1_05
Java version out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Microsoft Windows Small Business Server monitoring mssbsssr.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 19% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

(I tried to defrag a few weeks ago, but there was not enough room, after this cleaning, there should be more room.)

Farbar Service Scanner Version: 03-03-2013
Ran by Administrator (administrator) on 09-03-2013 at 23:34:10
Running from "H:\GAServer"
Microsoft Windows Server 2003 Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.

tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.


File Check:
========

ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\afd.sys
[2005-05-11 20:45] - [2011-12-27 06:13] - 0150528 ____N (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B


ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\tcpip.sys
[2005-05-11 20:45] - [2009-08-15 01:57] - 0393216 ____N (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3

C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 10:38] - [2009-04-20 10:38] - 0045568 ____N (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B


ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\vssvc.exe
[2005-05-11 20:45] - [2007-02-16 22:09] - 0836096 ____N (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916


ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-02-17 06:03] - [2007-02-17 06:03] - 0143360 ____N (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2007-02-17 06:03] - [2007-02-17 06:03] - 0380928 ____N (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C

C:\WINDOWS\system32\es.dll
[2008-04-29 13:33] - [2008-04-29 13:33] - 0247296 ____N (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C

C:\WINDOWS\system32\cryptsvc.dll
[2007-02-17 06:02] - [2007-02-17 06:02] - 0056320 ____N (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4


ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\svchost.exe
[2007-02-17 06:04] - [2007-02-17 06:04] - 0014848 ____N (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\WINDOWS\system32\rpcss.dll
[2009-04-16 10:25] - [2009-02-09 03:02] - 0486912 ____N (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE



**** End of log ****

I'm not sure there was a Windows Defender for this old server.
 
I think the firewall is supposed to be done by Symantec, but seeing the rogue was able to change settings in that, worked need to be done.
'
After the next log, I want to try to hunt down a couple of ip addresses in the system. 192.168.1.201 and 202, are running. with http 80 and sip 5060. I spent a lot of time today re-configuring the wireless access-point changing the name and the permissions, and the passwords, and the visibility. but these two show up on the Fing Android list as wired and active all the time.
 
We really have not used the browsers over the years to protect it, that is why it is still windows 8.
 
I did get chrome to work, but could not download the eset file ("blocked by computer").

I'll try firefox this evening, but am a bit iffy , the program that installed the Rogue on the computer used firefox.

but if we are clean, I'll delete the chrome and install the firefox.

I did run another OTL (after finding the file exception for the rogue deep in Symantec EPP)

OTL logfile created on: 3/10/2013 7:25:08 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 26.82% Memory free
4.84 Gb Paging File | 1.72 Gb Available in Paging File | 35.47% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.86 Gb Total Space | 7.22 Gb Free Space | 25.92% Space Free | Partition Type: NTFS
Drive E: | 465.64 Gb Total Space | 109.55 Gb Free Space | 23.53% Space Free | Partition Type: NTFS
Drive H: | 14.95 Gb Total Space | 14.76 Gb Free Space | 98.73% Space Free | Partition Type: FAT32

Computer Name: HEDCOGASERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/03/09 17:28:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work\OTL.exe
PRC - [2012/11/06 11:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/11/06 11:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2012/01/24 17:21:22 | 000,021,880 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
PRC - [2012/01/24 17:11:56 | 000,705,912 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
PRC - [2012/01/24 17:06:48 | 000,673,144 | ---- | M] (Schneider Electric) -- C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
PRC - [2011/11/28 15:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2011/11/28 15:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2011/11/21 11:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2011/09/09 13:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2011/08/26 20:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/08/26 20:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2011/08/10 06:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2011/07/09 16:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2011/06/17 15:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe
PRC - [2011/04/08 14:50:00 | 000,051,104 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\rotatelogs.exe
PRC - [2011/04/08 14:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe
PRC - [2011/03/28 17:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\bedbg.exe
PRC - [2011/02/22 18:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
PRC - [2011/02/22 18:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
PRC - [2011/02/16 05:23:48 | 000,145,152 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\jre\bin\java.exe
PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/07/26 22:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe
PRC - [2010/01/27 12:22:02 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/09 12:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\store.exe
PRC - [2007/02/17 07:04:04 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
PRC - [2007/02/17 07:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 07:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
PRC - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/17 07:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/17 07:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2005/09/20 18:53:14 | 000,154,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
PRC - [2005/05/11 21:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
PRC - [2005/03/02 18:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe
PRC - [2004/10/18 10:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
PRC - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
PRC - [2004/10/18 10:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
PRC - [2004/10/18 10:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
PRC - [2004/10/18 10:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
PRC - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
PRC - [2004/04/02 01:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\mad.exe
PRC - [2004/04/02 01:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe
PRC - [2004/04/02 00:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\emsmta.exe
PRC - [2004/04/02 00:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\srsmain.exe
PRC - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/13 04:55:01 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
MOD - [2013/02/13 04:19:06 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2013/02/13 04:16:55 | 000,113,664 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2013/02/13 04:16:39 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2013/01/09 05:12:34 | 000,627,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad737988d5bde126a3b7770eacc51e5b\System.Transactions.ni.dll
MOD - [2013/01/09 05:11:53 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.ni.dll
MOD - [2013/01/09 05:11:53 | 000,280,064 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\04eea38364e5ced71d02bf104cb5892c\System.EnterpriseServices.Wrapper.dll
MOD - [2013/01/09 05:08:51 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
MOD - [2013/01/09 05:05:00 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/09 05:02:59 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\8462c03b4f10c4624feb95790d6d1e30\System.Data.ni.dll
MOD - [2013/01/09 04:58:34 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/09 04:57:54 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2013/01/09 04:11:10 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2013/01/09 04:11:08 | 000,471,040 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2013/01/09 04:11:05 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2012/01/12 07:00:20 | 000,131,072 | ---- | M] () -- c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\monitoring\b414b2d0\3ba7056a\xp74unmc.dll
MOD - [2012/01/12 04:03:29 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2011/12/26 06:02:43 | 000,258,048 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
MOD - [2007/06/29 09:35:32 | 000,819,200 | ---- | M] () -- c:\windows\assembly\gac\system.web.mobile\1.0.5000.0__b03f5f7f11d50a3a\system.web.mobile.dll
MOD - [2007/06/29 09:35:20 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2007/06/29 09:35:20 | 000,135,168 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
MOD - [2007/06/29 09:35:17 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
MOD - [2007/06/29 09:35:13 | 001,703,936 | ---- | M] () -- c:\windows\assembly\gac\system.design\1.0.5000.0__b03f5f7f11d50a3a\system.design.dll
MOD - [2007/06/29 09:35:12 | 001,298,432 | ---- | M] () -- c:\windows\assembly\gac\system.data\1.0.5000.0__b77a5c561934e089\system.data.dll
MOD - [2007/06/29 09:35:10 | 001,359,872 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2007/06/29 09:35:08 | 000,057,344 | ---- | M] () -- c:\windows\assembly\gac\system.web.regularexpressions\1.0.5000.0__b03f5f7f11d50a3a\system.web.regularexpressions.dll
MOD - [2007/06/29 09:35:07 | 000,241,664 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.dll
MOD - [2007/06/29 09:35:07 | 000,090,112 | ---- | M] () -- c:\windows\assembly\gac\system.directoryservices\1.0.5000.0__b03f5f7f11d50a3a\system.directoryservices.dll
MOD - [2007/06/29 09:35:07 | 000,066,560 | ---- | M] () -- c:\windows\assembly\gac\system.enterpriseservices\1.0.5000.0__b03f5f7f11d50a3a\system.enterpriseservices.thunk.dll
MOD - [2007/06/29 09:35:06 | 000,720,896 | ---- | M] () -- c:\windows\assembly\gac\microsoft.jscript\7.0.5000.0__b03f5f7f11d50a3a\microsoft.jscript.dll
MOD - [2007/04/09 12:29:17 | 000,201,728 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\EXMIME.dll
MOD - [2007/01/31 20:51:29 | 001,088,000 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\davex.dll
MOD - [2005/10/31 13:21:37 | 000,105,080 | ---- | M] () -- c:\windows\assembly\gac\system.web.ui.mobilecontrols.adapters\1.1.0.0__b03f5f7f11d50a3a\system.web.ui.mobilecontrols.adapters.dll
MOD - [2005/09/25 17:19:16 | 000,077,824 | ---- | M] () -- c:\windows\assembly\gac\system.configuration.install\1.0.5000.0__b03f5f7f11d50a3a\system.configuration.install.dll
MOD - [2005/09/25 17:19:16 | 000,032,768 | ---- | M] () -- c:\windows\assembly\gac\microsoft.vsa\7.0.5000.0__b03f5f7f11d50a3a\microsoft.vsa.dll
MOD - [2005/09/25 17:19:16 | 000,012,288 | ---- | M] () -- c:\windows\assembly\gac\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll
MOD - [2005/09/25 17:19:16 | 000,007,680 | ---- | M] () -- c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll
MOD - [2005/09/25 17:19:16 | 000,006,144 | ---- | M] () -- c:\windows\assembly\gac\microsoft.visualc\7.0.5000.0__b03f5f7f11d50a3a\microsoft.visualc.dll
MOD - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () -- C:\Program Files\3ware\3DM2\3dm2.exe
MOD - [2005/03/24 19:49:08 | 000,348,160 | ---- | M] () -- \\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll
MOD - [2004/10/18 10:36:46 | 001,151,025 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamdrv.exe
MOD - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe
MOD - [2004/10/18 10:35:48 | 000,262,196 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevlog.exe
MOD - [2004/10/18 10:35:44 | 000,180,276 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamevent.exe
MOD - [2004/10/18 10:35:42 | 000,208,947 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\Gamserv.exe
MOD - [2004/10/11 23:52:53 | 000,619,520 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\dsaccess.DLL
MOD - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\GAMSERV\SpySer.exe
MOD - [2004/04/01 18:15:00 | 000,063,248 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LSATQ.DLL
MOD - [2003/08/01 19:28:22 | 000,060,928 | ---- | M] () -- C:\Program Files\TightVNC\VNCHooks.dll
MOD - [2003/06/20 15:24:13 | 000,070,144 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Exosal.dll
MOD - [2003/06/03 00:20:24 | 000,084,480 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\Epoxy.dll
MOD - [2003/06/03 00:20:24 | 000,028,672 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\tokenm.dll
MOD - [2003/06/02 23:12:51 | 000,192,512 | ---- | M] () -- \\?\C:\Program Files\Exchsrvr\bin\LisRTL.DLL


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
SRV - [2012/11/06 11:56:04 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/11/06 11:55:23 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2012/01/24 17:21:22 | 000,021,880 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe -- (APC Data Service)
SRV - [2012/01/24 17:11:56 | 000,705,912 | ---- | M] (Schneider Electric) [Auto | Running] -- C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2011/11/28 15:39:30 | 006,713,712 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2011/11/28 15:35:18 | 001,847,664 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2011/11/21 11:00:00 | 008,008,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2011/10/11 12:49:00 | 000,124,272 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- E:\Program Files\Symantec\Backup Exec\BackupExecManagementService.exe -- (BackupExecManagementService)
SRV - [2011/09/09 13:44:46 | 001,270,128 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2011/08/26 20:26:54 | 000,280,496 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/08/26 20:26:50 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/08/26 20:23:32 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011/08/10 06:09:07 | 000,158,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS)
SRV - [2011/07/09 16:47:16 | 000,380,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2011/06/17 15:54:16 | 000,209,840 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2011/05/03 18:27:16 | 003,114,424 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2011/04/08 14:49:56 | 000,023,968 | ---- | M] (Apache Software Foundation) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\apache\bin\httpd.exe -- (semwebsrv)
SRV - [2011/03/28 17:50:24 | 000,223,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\bedbg.exe -- (bedbg)
SRV - [2011/02/22 18:55:08 | 001,459,608 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe -- (DLOMaintenanceSvc)
SRV - [2011/02/22 18:54:58 | 001,447,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- E:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe -- (DLOAdminSvcu)
SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/07/26 22:52:24 | 000,141,176 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- E:\Program Files\Symantec\Symantec Protection Center\ASA\win32\dbsrv11.exe -- (SQLANYs_sem5)
SRV - [2007/04/09 12:27:42 | 005,201,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\store.exe -- (MSExchangeIS)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 07:03:58 | 000,037,888 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
SRV - [2007/02/17 07:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 07:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 07:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
SRV - [2007/02/17 07:03:42 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/17 07:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/17 07:02:54 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2005/07/22 10:08:50 | 000,040,960 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\SD3Service.exe -- (Supero SD3Service Daemon)
SRV - [2005/07/22 10:02:34 | 000,131,072 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\NTService.exe -- (SuperMicro Health Assistant)
SRV - [2005/05/11 21:45:23 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
SRV - [2005/05/11 21:45:23 | 000,050,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2005/05/11 21:45:23 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2005/04/29 17:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
SRV - [2005/04/05 13:40:30 | 001,228,800 | ---- | M] () [Auto | Running] -- C:\Program Files\3ware\3DM2\3dm2.exe -- (3DM2)
SRV - [2005/03/02 18:27:32 | 000,438,272 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\SBAS\SpamFolderAgent\Bin\era.exe -- (BMISFA)
SRV - [2005/01/25 19:25:38 | 000,042,776 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\XFR.EXE -- (Intel File Transfer)
SRV - [2005/01/25 19:24:30 | 000,059,168 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\IAO.EXE -- (Intel Alert Originator)
SRV - [2005/01/25 19:24:10 | 000,038,696 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler)
SRV - [2004/10/18 10:35:50 | 000,073,266 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\Gamscm.exe -- (gamscm)
SRV - [2004/10/11 12:19:22 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\GAMSERV\SpySer.exe -- (SpySer)
SRV - [2004/04/02 01:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
SRV - [2004/04/02 01:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2004/04/02 00:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
SRV - [2004/04/02 00:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
SRV - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2003/06/03 00:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Exchsrvr\bin\events.exe -- (MSExchangeES)
SRV - [2001/06/06 11:12:02 | 000,552,960 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SUPERMICRO\SDIII\xitami\xiwinnt.exe -- (Xitami)


========== Driver Services (SafeList) ==========

DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - [2013/02/26 12:49:04 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130310.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/02/26 12:49:04 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130310.007\NAVENG.SYS -- (NAVENG)
DRV - [2013/02/26 12:49:03 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013/02/26 12:49:03 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013/01/29 14:06:07 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/11/06 11:55:23 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/09/04 21:34:32 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130308.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/08/26 20:51:30 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/26 20:29:38 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/08/26 20:29:34 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2011/08/26 20:29:32 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
DRV - [2011/08/26 20:29:28 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/08/26 20:29:28 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2011/08/26 20:29:26 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/08/26 20:27:34 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/08/24 08:42:50 | 000,124,536 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2011/03/14 07:53:42 | 000,229,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2010/09/07 18:34:00 | 000,028,848 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2010/01/27 12:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/01/27 12:22:02 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/08/23 23:00:00 | 000,020,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2007/02/16 23:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/16 23:06:42 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/16 23:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/16 22:56:08 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/16 22:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2005/09/26 14:37:02 | 000,071,168 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\3wareDrv.sys -- (3wareDrv)
DRV - [2005/06/22 12:23:18 | 000,009,984 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\smbus.sys -- (SMBus)
DRV - [2005/01/07 10:03:12 | 000,192,292 | ---- | M] (LSI Logic Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\MegaIDE.sys -- (MegaIDE)
DRV - [2004/06/24 17:38:28 | 000,010,752 | R--- | M] (Intel (R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\svgam.sys -- (svgam)
DRV - [2004/06/10 14:28:58 | 000,014,174 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\SUPERBMC.SYS -- (superbmc)
DRV - [2004/04/02 00:08:21 | 000,195,968 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
DRV - [2001/06/20 05:05:54 | 000,003,853 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\IsaIoNt.sys -- (ISAIONT)
DRV - [2000/11/12 07:14:18 | 000,003,908 | ---- | M] (SuperMicro Computer, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\memmapnt.sys -- (MemMapNt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes,DefaultScope = {9630FDCF-65AA-45F7-94F3-933E886905E1}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{84154F03-8976-40C7-912E-621E1193AD1D}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\..\SearchScopes\{9630FDCF-65AA-45F7-94F3-933E886905E1}: "URL" = http://www.google.com/search?q={sea...tartIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2013/03/10 00:43:08 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2005/05/11 21:45:23 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O4 - HKLM..\Run: [Display] C:\Program Files\APC\PowerChute Personal Edition\DataCollectionLauncher.exe (Schneider Electric)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
O4 - Startup: C:\Documents and Settings\backup_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\symantec_service\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-1159\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052151345-2250342621-3819923535-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab (DownloadManager Control)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146765840875 (MUWebControl Class)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Housecall ActiveX 6.5)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://hedcogaserver/tsweb/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab (Java Plug-in 1.4.1_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://symantec.webex.com/client/T26L/support/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hedrick.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5DDD41BD-9193-4897-93B5-2A6887F38683}: NameServer = 192.168.1.5
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/25 17:23:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/03/09 16:09:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\3-9-2013 Virus Work
[2013/03/09 14:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\RK_Quarantine
[2013/03/09 12:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/03/09 12:42:16 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/03/09 12:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2013/02/24 15:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\MassSender
[2013/02/20 04:34:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2013/02/20 04:33:50 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/02/12 20:54:31 | 000,630,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2013/02/12 20:54:30 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2013/02/12 20:54:29 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2013/02/12 20:54:29 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2013/02/12 20:54:26 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2013/02/12 20:54:21 | 001,212,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2013/02/12 20:54:01 | 006,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2012/02/25 00:05:34 | 000,019,832 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\zh_res.dll
[2011/11/16 14:45:59 | 013,923,704 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\PCPE Setup.exe
[2011/11/16 14:45:59 | 001,079,808 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\mfc80u.dll
[2011/11/16 14:45:59 | 000,626,688 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\msvcr80.dll
[2011/11/16 14:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\grm_res.dll
[2011/11/16 14:45:59 | 000,021,880 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\fr_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\pt_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\it_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\es_res.dll
[2011/11/16 14:45:59 | 000,021,368 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\en_res.dll
[2011/11/16 14:45:59 | 000,020,856 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\ru_res.dll
[2011/11/16 14:45:59 | 000,020,344 | ---- | C] (Schneider Electric) -- C:\Documents and Settings\Administrator\jp_res.dll

========== Files - Modified Within 30 Days ==========

[2013/03/10 19:25:11 | 000,002,584 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2013/03/10 18:54:13 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job
[2013/03/10 06:08:31 | 000,004,768 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2013/03/10 06:01:11 | 000,000,562 | ---- | M] () -- C:\WINDOWS\tasks\Small Business Server - Server Status Report - Server Performance Report.job
[2013/03/10 04:31:53 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job
[2013/03/10 01:09:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/03/10 00:59:49 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
[2013/03/10 00:59:19 | 000,013,744 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/03/10 00:56:04 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2013/03/10 00:41:16 | 3211,243,520 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/09 12:42:29 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/09 12:13:20 | 000,001,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
[2013/03/08 13:06:02 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{a5a4616e-2ee7-11da-95a6-806e6f6e6963}.job
[2013/03/08 13:05:04 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{b59eb2dc-2dd0-11da-80e0-806e6f6e6963}.job
[2013/02/19 20:54:21 | 000,001,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2013/02/14 05:24:47 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/14 04:33:04 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/13 04:25:24 | 001,107,520 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/13 04:25:24 | 000,316,212 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2013/03/09 12:42:29 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/09 12:13:17 | 000,001,515 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Notepad.lnk
[2013/02/22 04:49:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/09 05:15:02 | 000,132,832 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/08/17 09:11:07 | 000,060,304 | ---- | C] () -- C:\Documents and Settings\Administrator\g2mdlhlpx.exe
[2012/08/17 09:05:09 | 000,002,871 | ---- | C] () -- C:\Documents and Settings\Administrator\.plugin141_05.trace
[2011/11/16 14:46:05 | 013,338,112 | ---- | C] () -- C:\Documents and Settings\Administrator\PCPE_3.0.1.msi
[2011/11/16 14:45:59 | 000,018,808 | ---- | C] () -- C:\Documents and Settings\Administrator\ResourceReader.dll
[2011/07/06 14:38:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/06/20 14:28:14 | 000,036,060 | ---- | C] () -- C:\WINDOWS\System32\BEPerfDll.ini
[2008/02/22 15:58:52 | 000,017,090 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2005/10/31 12:35:21 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/10/31 11:57:05 | 000,004,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2005/09/25 17:19:11 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2007/12/21 15:28:05 | 001,508,352 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 04:02:57 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007/02/17 07:03:19 | 000,278,016 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

I have accounted for all of the IP addresses from this, the two I was worried about are her voip phones. 192.168.1.201 & 202.
 
I don't see anything malicious there.

but could not download the eset file ("blocked by computer").
Click to expand...
I'm not sure what you mean by "blocked by computer"
 
You must log in or register to reply here.

Similar threads

wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
E
Solved Svchost.exe launching multiple iexplore.exe - unknown cause
Replies
23
Views
3K
Broni
Broni

Latest posts

Back