
windows 2003 server


  • This topic is locked
45 replies to this topic

#1 madsam64

madsam64

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 11 July 2009 - 12:33 PM

I tried following the directions for DDS but it wouldn't work. I followed more instructions and was told to post this RunScanner log here. Basically the computer has been 'jacked. Google and Yahoo both show signs of it when clicking search results.

Thanks

God bless

W

Runscanner logfile

* = signed file
- = file not found

General info
------------
Computer name : PUREWATER
Creation time : 7/11/2009 1:22:59 PM
Hosts <> 127.0.0.1 : 256
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.13
OS : Microsoft Windows Server 2003
OS Build : 3790
OS SP : Service Pack 2
RunScanner Version : 1.8.1.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
* C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)
* C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe (CA, Inc.)
* C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
* C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe (Computer Associates International, Inc.)
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
* C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
* C:\WINDOWS\System32\dns.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
* C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
* C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
* C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
* C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (Microsoft Corporation)
* C:\WINDOWS\System32\llssrv.exe (Microsoft Corporation)
* C:\WINDOWS\system32\msdtc.exe (Microsoft Corporation)
C:\WINDOWS\system32\HPZipm12.exe (HP)
* C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
* C:\Documents and Settings\Administrator\Desktop\runscanner.exe (Runscanner.net)
* C:\WINDOWS\System32\sbscrexe.exe (Microsoft Corporation)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe (Microsoft Corporation)
c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe (Microsoft Corporation)
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
* C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\WINDOWS\system32\Dfssvc.exe (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)
* C:\WINDOWS\System32\wins.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)

Unrated items
-------------
002 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)
002 * C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
002 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
003 * C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
003 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
004 C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
005 C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
005 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
005 C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
005 * C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
005 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
010 * C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CaCCProvSP)
010 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe (CAISafe)
010 C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit QuickBooks FCS)
010 C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (Microsoft Search)
010 C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe (MSSQL$ACT7)
010 c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe (MSSQL$SHAREPOINT)
010 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (MSSQLServerADHelper)
010 C:\WINDOWS\system32\HPZipm12.exe (Pml Driver HPZ12)
010 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (QBCFMonitorService)
010 C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE (SQLAgent$ACT7)
010 c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE (SQLAgent$SHAREPOINT)
010 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe (VET Message Service)
011 * C:\WINDOWS\system32\drivers\VETEBOOT.sys (VET Boot Scan Engine)
011 * C:\WINDOWS\system32\drivers\VETMONNT.sys (VET File Monitor)
011 * C:\WINDOWS\system32\drivers\VETEFILE.sys (VET File Scan Engine)
011 * C:\WINDOWS\system32\drivers\VET-FILT.sys (VET File System Filter)
011 * C:\WINDOWS\system32\drivers\VET-REC.sys (VET File System Recognizer)
011 * C:\WINDOWS\system32\drivers\VETFDDNT.sys (VET Floppy Boot Sector Monitor)
031 * C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll (TODO: <Company name>) {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3}
041 C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll {47833539-D0C5-4125-9FA8-0819E2EAAC93}
045 C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll {47833539-D0C5-4125-9FA8-0819E2EAAC93}
048 Zone: //system : hcp //system
048 Zone: //system : hcp //system
048 Zone: companyweb : https://companyweb
048 Zone: companyweb : http://companyweb
048 Zone: h20180.www2.hp.com : http://h20180.www2.hp.com
048 Zone: hp.com : http://hp.com
048 Zone: hp.com : ftp hp.com
048 Zone: ie.search.msn.com : http://ie.search.msn.com
048 Zone: localhost : https://localhost
048 Zone: localhost : http://localhost
048 Zone: localhost : https://localhost
048 Zone: localhost : http://localhost
048 Zone: msn.com : http://msn.com
048 Zone: office.microsoft.com : http://office.microsoft.com
048 Zone: purewater : https://purewater
048 Zone: purewater : http://purewater
048 Zone: purologix.com : http://purologix.com
048 Zone: Purologix.local : http://Purologix.local
048 Zone: Purologix.local : https://Purologix.local
048 Zone: welcome.hp.com : http://welcome.hp.com
048 Zone: windowsupdate.com : http://windowsupdate.com
048 Zone: windowsupdate.com : http://windowsupdate.com
048 Zone: windowsupdate.microsoft.com : http://windowsupdate.microsoft.com
048 Zone: windowsupdate.microsoft.com : http://windowsupdate.microsoft.com
048 Zone: www.google.com : http://www.google.com
048 Zone: www.hollyspringschamber.org : http://www.hollyspringschamber.org
048 Zone: www.hp.com : http://www.hp.com
048 Zone: www.purlogix.com : http://www.purlogix.com
048 Zone: www.purologix.com : http://www.purologix.com
052 C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll {AE7CD045-E861-484f-8273-0445EE161910}
052 C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) {DBC80044-A445-435b-BC74-9C25C1C588A9}
052 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
061 C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
061 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll (CA, Inc.) {1CE2AA40-1317-11D3-9922-00104B0AD431}
061 * C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll (Intuit Inc.) {7D5C4BDD-B015-4401-8731-1507B87DE297}
068 * C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
068 * C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
068 * C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
068 * C:\WINDOWS\system32\VetRedir.dll (Computer Associates International, Inc.)
069 C:\WINDOWS\system32\AdobePDF.dll (Adobe Systems Incorporated.)
069 C:\WINDOWS\system32\hptcpmon.dll (Hewlett Packard)
069 C:\WINDOWS\system32\pdf995mon.dll
073 Back Up Small Business Server.job : C:\Program Files\Microsoft Windows Small Business Server\Backup\bkprunner.exe (Microsoft Corporation)
100 Default_Page_URL HKCU : res://shdoclc.dll/hardAdmin.htm
102 GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
102 C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll {182EC0BE-5110-49C8-A062-BEB1D02A220B}
104 C:\WINDOWS\opuc.dll (Microsoft Corporation) {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
104 GUID / CLSID not found WebSignature Control
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
120 NameServer {4B6EDFB8-EF70-4C3B-ABA2-C8779A64A80B} : 192.168.0.2
120 TcpIp Domain : Purologix.local
120 Telephony domainname : Purologix.local
170 {d4c7dbc8-fc38-11dd-872a-00132047b84d} : G:\LaunchU3.exe -a
173 C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
173 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll (CA, Inc.) {1CE2AA40-1317-11D3-9922-00104B0AD431}
173 C:\Program Files\MagicISO\misosh.dll (MagicISO, Inc.) {DB85C504-C730-49DD-BEC1-7B39C6103B7A}
221 C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
221 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll (CA, Inc.) {1CE2AA40-1317-11D3-9922-00104B0AD431}
221 C:\Program Files\MagicISO\misosh.dll (MagicISO, Inc.) {DB85C504-C730-49DD-BEC1-7B39C6103B7A}
225 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll (CA, Inc.) {1CE2AA40-1317-11D3-9922-00104B0AD431}
225 * C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll (CA, Inc.) {1CE2AA40-1317-11D3-9922-00104B0AD431}
225 C:\Program Files\MagicISO\misosh.dll (MagicISO, Inc.) {DB85C504-C730-49DD-BEC1-7B39C6103B7A}
225 C:\Program Files\MagicISO\misosh.dll (MagicISO, Inc.) {DB85C504-C730-49DD-BEC1-7B39C6103B7A}
227 C:\Program Files\MagicISO\misosh.dll (MagicISO, Inc.) {DB85C504-C730-49DD-BEC1-7B39C6103B7A}

Missing files
-------------
002 DSA
002 C:\WINDOWS\..\dell\openmanage\remind.exe
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\adpu320.sys
011 C:\WINDOWS\system32\drivers\afcnt.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\cpqarry2.sys
011 C:\WINDOWS\system32\drivers\cpqcissm.sys
011 C:\WINDOWS\system32\drivers\cpqfcalm.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dellcerc.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\hpt3xx.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\iirsp.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 c:\windows\system32\DRIVERS\ipinip.sys
011 C:\WINDOWS\system32\drivers\ipsraidn.sys
011 C:\WINDOWS\system32\drivers\lp6nds35.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\nfrd960.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\ql2100.sys
011 C:\WINDOWS\system32\drivers\ql2200.sys
011 C:\WINDOWS\system32\drivers\ql2300.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\symmpi.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 hticons.dll
064 C:\WINDOWS\system32\wow64.dll
064 C:\WINDOWS\system32\wow64cpu.dll
064 C:\WINDOWS\system32\wow64win.dll


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:14 PM

Posted 19 July 2009 - 03:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 20 July 2009 - 07:17 AM

Hi there... well, basically what is happening is that Google and Yahoo are not responding on the top choice. When I click on the top choice, the page is redirected. Usually it is sent to an unsuitable site. Virus scan found nothing. Currently I'm running CA Virus scan but I plan on changing that over to avast, as I have had good luck with that and was impressed when I tested its capabilities... is that a good choice?

That being said, I cannot run the DDS file. I then was advised to try RSIT as a scan and that failed as well. The DDS scan says my system is not supported, even with A/V disabled and the net down. I tried running the RSIT file and posted pics in a previous post. I can re-upload the pics if you like. The program I ran where the log is posted above is RunScanner. I hope this information helps.
God bless
Will

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:14 PM

Posted 20 July 2009 - 11:58 AM

Alright. I see your dilemma.

Try this please...........

Create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Please be patient. The forum is very busy. Someone should be by to help with your problems forthcoming.
Kind regards,
~t

#5 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 20 July 2009 - 12:26 PM

OTL text

OTL logfile created on: 7/20/2009 1:14:50 PM - Run 1
OTL by OldTimer - Version 3.0.9.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 48.60% Memory free
3.84 Gb Paging File | 2.98 Gb Available in Paging File | 77.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 136.71 Gb Total Space | 102.68 Gb Free Space | 75.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111.76 Gb Total Space | 81.89 Gb Free Space | 73.28% Space Free | Partition Type: FAT32
Drive F: | 12.13 Gb Total Space | 12.00 Gb Free Space | 98.92% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PUREWATER
Current User Name: administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/08/20 13:27:26 | 00,144,960 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
PRC - [2007/02/17 10:03:35 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Dfssvc.exe
PRC - [2009/02/16 07:37:19 | 00,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dns.exe
PRC - [2007/02/17 10:03:42 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe
PRC - [2009/03/31 12:26:01 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/02/17 10:03:43 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\llssrv.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2003/05/31 18:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
PRC - [2008/12/16 21:39:30 | 09,158,656 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
PRC - [2007/02/17 10:03:53 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntfrs.exe
PRC - [2004/09/29 13:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe
PRC - [2009/04/23 18:49:56 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2007/02/17 10:03:58 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sbscrexe.exe
PRC - [2007/04/19 14:08:48 | 00,031,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE
PRC - [2007/08/20 13:36:42 | 00,242,952 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
PRC - [2009/01/15 06:36:51 | 00,154,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wins.exe
PRC - [2003/09/10 15:26:10 | 00,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe
PRC - [2003/09/10 15:26:10 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2009/02/03 06:05:41 | 00,217,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/02/03 06:05:41 | 00,217,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/02/17 10:03:39 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/09/13 15:49:00 | 00,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
PRC - [2009/03/31 12:26:01 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/26 10:41:46 | 00,177,392 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
PRC - [2007/08/20 13:36:38 | 00,230,664 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
PRC - [2008/04/06 05:34:23 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/12/19 12:29:16 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/05/15 02:19:50 | 00,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2004/11/04 19:28:24 | 00,258,048 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2009/04/24 15:05:42 | 00,972,064 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2005/05/04 05:07:30 | 00,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2004/11/04 20:36:46 | 00,425,984 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
PRC - [2009/05/28 15:05:08 | 15,953,032 | ---- | M] (DefNiC Software) -- C:\Program Files\Dispatched\Disp.exe
PRC - [2006/03/28 22:47:20 | 04,455,112 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft MapPoint\MapPoint.exe
PRC - [2009/04/24 15:03:24 | 01,135,904 | ---- | M] (Intuit Inc.) -- C:\Program Files\Intuit\QuickBooks 2005\qbw32.exe
PRC - [2006/09/13 10:32:04 | 00,128,536 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Intuit\QuickBooks 2005\QBDBMgr.exe
PRC - [2009/04/24 15:03:12 | 00,124,192 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
PRC - [2009/05/18 11:29:22 | 01,556,480 | ---- | M] (DeFNiC Software) -- C:\Program Files\Dispatched\Poll.exe
PRC - [2009/07/20 13:14:32 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/26 10:41:46 | 00,214,256 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP [On_Demand | Stopped])
SRV - [2007/08/20 13:27:26 | 00,144,960 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe -- (CAISafe [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/02/17 10:03:35 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Dfssvc.exe -- (Dfs [Auto | Running])
SRV - [2003/09/10 15:26:10 | 00,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe -- (DHCPServer [Auto | Running])
SRV - [2009/02/16 07:37:19 | 00,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dns.exe -- (DNS [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/05/01 14:28:47 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2007/02/17 10:03:06 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/02/17 10:03:42 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (IISADMIN [Auto | Running])
SRV - [2007/02/17 10:03:42 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ismserv.exe -- (IsmServ [Disabled | Stopped])
SRV - [2009/03/31 12:26:01 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/02/17 10:03:43 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\llssrv.exe -- (LicenseService [Auto | Running])
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2003/09/10 19:43:05 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector [Disabled | Stopped])
SRV - [2003/09/10 15:26:10 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH [Auto | Running])
SRV - [2003/05/31 18:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -- (MSSQL$ACT7 [Auto | Running])
SRV - [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe -- (MSSQL$SBSMONITORING [Disabled | Stopped])
SRV - [2008/12/16 21:39:30 | 09,158,656 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe -- (MSSQL$SHAREPOINT [Auto | Running])
SRV - [2005/05/04 05:50:26 | 00,073,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/02/17 10:03:42 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (NntpSvc [Auto | Running])
SRV - [2007/02/17 10:03:53 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntfrs.exe -- (NtFrs [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/09/29 13:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2009/04/23 18:49:56 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService [Auto | Running])
SRV - [2007/05/24 07:08:44 | 00,061,440 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService [On_Demand | Stopped])
SRV - [2007/02/17 10:03:58 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\RSoPProv.exe -- (RSoPProv [On_Demand | Stopped])
SRV - [2003/09/10 15:26:10 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sacsvr.dll -- (sacsvr [On_Demand | Stopped])
SRV - File not found -- Service key not found. -- (SBCore [Unknown | Running])
SRV - [2007/02/17 10:03:42 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (SMTPSVC [Auto | Running])
SRV - [2007/04/19 14:08:48 | 00,031,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE -- (SPTimer [Auto | Running])
SRV - [2002/12/17 19:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -- (SQLAgent$ACT7 [On_Demand | Stopped])
SRV - [2002/12/17 17:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE -- (SQLAgent$SBSMONITORING [Disabled | Stopped])
SRV - [2008/12/16 18:51:14 | 00,323,584 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE -- (SQLAgent$SHAREPOINT [On_Demand | Stopped])
SRV - [2003/09/10 15:26:10 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\trksvr.dll -- (TrkSvr [Disabled | Stopped])
SRV - [2007/02/17 10:04:02 | 00,071,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tssdis.exe -- (Tssdis [Disabled | Stopped])
SRV - [2007/02/17 10:04:05 | 00,039,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2007/02/17 10:03:06 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Disabled | Stopped])
SRV - [2007/08/20 13:36:42 | 00,242,952 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe -- (VETMSGNT [Auto | Running])
SRV - [2007/02/17 10:02:54 | 00,216,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\iisw3adm.dll -- (W3SVC [Auto | Running])
SRV - [2009/01/15 06:36:51 | 00,154,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wins.exe -- (WINS [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2005/03/04 10:58:04 | 00,241,815 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\aarich.sys -- (aarich [Boot | Running])
DRV - [2005/03/04 10:58:08 | 00,127,232 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2007/02/17 02:02:56 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\ClusDisk.sys -- (ClusDisk [Disabled | Stopped])
DRV - [2007/02/17 01:51:18 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver [Boot | Running])
DRV - [2007/02/17 02:06:39 | 00,020,480 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 05:32:23 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2003/03/25 00:09:24 | 00,009,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Running])
DRV - [2005/03/04 10:58:10 | 00,010,752 | ---- | M] (Intel ® Corporation) -- C:\WINDOWS\System32\DRIVERS\svgam.sys -- (svgam [On_Demand | Running])
DRV - [2007/08/20 13:38:16 | 00,026,376 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-filt.sys -- (VET-FILT [System | Running])
DRV - [2007/08/20 13:38:16 | 00,021,128 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-rec.sys -- (VET-REC [System | Running])
DRV - [2009/05/26 10:41:45 | 00,108,368 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\veteboot.sys -- (VETEBOOT [On_Demand | Running])
DRV - [2009/05/26 10:41:45 | 00,880,560 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetefile.sys -- (VETEFILE [System | Running])
DRV - [2007/08/20 13:38:20 | 00,021,512 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetfddnt.sys -- (VETFDDNT [System | Running])
DRV - [2007/08/20 13:38:22 | 00,032,264 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetmonnt.sys -- (VETMONNT [System | Running])
DRV - [2007/02/17 02:29:40 | 00,169,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\wlbs.sys -- (WLBS [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-790875022-3342801166-26691914-500\S-1-5-21-790875022-3342801166-26691914-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/03/31 10:23:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/31 12:26:01 | 00,000,000 | ---D | M]


O1 HOSTS File: (7686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 206.53.61.77 google.ae
O1 - Hosts: 206.53.61.77 google.as
O1 - Hosts: 206.53.61.77 google.at
O1 - Hosts: 206.53.61.77 google.az
O1 - Hosts: 206.53.61.77 google.ba
O1 - Hosts: 206.53.61.77 google.be
O1 - Hosts: 206.53.61.77 google.bg
O1 - Hosts: 206.53.61.77 google.bs
O1 - Hosts: 206.53.61.77 google.ca
O1 - Hosts: 206.53.61.77 google.cd
O1 - Hosts: 206.53.61.77 google.com.gh
O1 - Hosts: 206.53.61.77 google.com.gi
O1 - Hosts: 206.53.61.77 google.com.hk
O1 - Hosts: 206.53.61.77 google.com.jm
O1 - Hosts: 206.53.61.77 google.com.ly
O1 - Hosts: 206.53.61.77 google.com.mx
O1 - Hosts: 206.53.61.77 google.com.my
O1 - Hosts: 206.53.61.77 google.com.na
O1 - Hosts: 206.53.61.77 google.com.nf
O1 - Hosts: 206.53.61.77 google.com.ng
O1 - Hosts: 206.53.61.77 google.ch
O1 - Hosts: 206.53.61.77 google.com.np
O1 - Hosts: 206.53.61.77 google.com.om
O1 - Hosts: 206.53.61.77 google.com.pa
O1 - Hosts: 206.53.61.77 google.com.pr
O1 - Hosts: 250 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-790875022-3342801166-26691914-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-790875022-3342801166-26691914-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AuCaption] File not found
O4 - HKLM..\Run: [AuFlag] Reg Error: Invalid data type. File not found
O4 - HKLM..\Run: [AuRemind] C:\WINDOWS\..\dell\openmanage\remind.exe File not found
O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
O4 - HKLM..\Run: [DWPersistentQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-790875022-3342801166-26691914-500..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-790875022-3342801166-26691914-500..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-790875022-3342801166-26691914-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\System32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\System32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\System32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [!teamcfg] C:\WINDOWS\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\System32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\russ\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-790875022-3342801166-26691914-500\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1161461519140 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1161461207265 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: WebSignature Control http://www.dispatched.com/Files/WebSign.x86.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Purologix.local
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/21 14:46:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/10/17 09:56:50 | 00,000,036 | RH-- | M] () - E:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2002/10/28 13:03:12 | 00,000,000 | RH-D | M] - E:\autorun -- [ FAT32 ]
O33 - MountPoints2\{d4c7dbc8-fc38-11dd-872a-00132047b84d}\Shell - "" = AutoRun
O33 - MountPoints2\{d4c7dbc8-fc38-11dd-872a-00132047b84d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d4c7dbc8-fc38-11dd-872a-00132047b84d}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/20 13:14:25 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/07/15 10:16:37 | 00,561,358 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\hampton.bmp
[2009/07/14 20:03:09 | 00,068,591 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2009/07/14 19:49:04 | 00,323,857 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\TES ClO2 Treatment.pdf
[2009/07/11 13:33:51 | 00,188,316 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\runscanner.run
[2009/07/11 13:19:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Runscanner.net
[2009/07/11 13:19:00 | 01,402,624 | ---- | C] (Runscanner.net) -- C:\Documents and Settings\Administrator\Desktop\runscanner.exe
[2009/07/10 12:02:17 | 00,007,801 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rsit 5.JPG
[2009/07/10 12:01:31 | 00,107,100 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rsit 4.JPG
[2009/07/10 12:01:00 | 00,116,129 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rsit 3.JPG
[2009/07/10 11:59:51 | 00,111,754 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rsit 2.JPG
[2009/07/10 11:59:19 | 00,114,433 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rsit 1.JPG
[2009/07/10 11:57:30 | 00,000,000 | ---D | C] -- C:\rsit
[2009/07/10 11:56:16 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RSIT.exe
[2009/07/10 10:40:09 | 00,359,929 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/07/06 15:42:01 | 00,033,357 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RO P&ID 07.06.pdf
[2009/07/06 15:41:49 | 00,023,143 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RO LAYOUT 07.06.pdf
[2009/07/03 10:48:19 | 03,452,214 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dispatch map.bmp
[2009/07/02 15:35:02 | 00,014,848 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\smally.xls
[2009/07/02 13:51:28 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/07/02 13:51:27 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/06/29 08:11:31 | 23,975,176 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Administrator\Desktop\sdsetup.exe
[2008/11/05 12:09:24 | 00,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2008/11/05 12:09:24 | 00,000,146 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2008/08/14 11:13:23 | 00,030,793 | ---- | C] () -- C:\WINDOWS\System32\crtslv.dll
[2008/08/14 11:13:23 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[2008/07/10 11:23:00 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/07/10 11:22:09 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/07/10 11:22:08 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/10/22 13:09:24 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/21 19:27:42 | 00,001,682 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/10/21 19:27:42 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\D213DFF579.sys
[2006/10/21 17:18:30 | 00,000,648 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2006/10/21 15:10:49 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2006/10/21 15:10:07 | 00,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2006/10/21 15:10:07 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2006/10/21 15:10:06 | 00,017,579 | ---- | C] () -- C:\WINDOWS\System32\nntpctrs.ini
[2006/10/21 15:09:59 | 00,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2006/10/21 15:09:59 | 00,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2006/10/21 15:09:55 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2006/10/21 15:03:59 | 00,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini
[2006/10/21 15:02:31 | 00,002,360 | ---- | C] () -- C:\WINDOWS\System32\dhcpctrs.ini
[2006/10/21 14:36:28 | 00,000,628 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/10/21 14:35:44 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/10/21 14:35:08 | 00,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2006/10/21 14:34:24 | 00,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2006/10/21 14:34:24 | 00,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2006/10/21 14:34:22 | 00,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2006/10/21 14:33:20 | 00,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2006/10/21 14:33:14 | 00,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[20 C:\WINDOWS\*.tmp files]
[2009/07/20 13:14:32 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/07/20 13:02:40 | 00,002,586 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2009/07/20 12:00:06 | 00,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{0986aa0d-6112-11db-8dca-806e6f6e6963}.job
[2009/07/20 08:12:12 | 00,359,929 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/07/19 16:43:07 | 00,000,600 | ---- | M] () -- C:\WINDOWS\tasks\Back Up Small Business Server.job
[2009/07/17 08:50:32 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/17 08:50:19 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/16 11:59:34 | 04,303,126 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/07/16 08:47:07 | 00,004,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ScheduledItems
[2009/07/16 08:47:01 | 00,001,682 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/07/15 10:16:37 | 00,561,358 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\hampton.bmp
[2009/07/15 03:02:49 | 00,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/07/14 20:13:15 | 00,068,591 | ---- | M] () -- C:\WINDOWS\hpoins05.dat
[2009/07/14 20:03:05 | 00,000,628 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/14 19:49:05 | 00,323,857 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\TES ClO2 Treatment.pdf
[2009/07/11 13:33:51 | 00,188,316 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\runscanner.run
[2009/07/11 13:19:12 | 01,402,624 | ---- | M] (Runscanner.net) -- C:\Documents and Settings\Administrator\Desktop\runscanner.exe
[2009/07/10 12:12:20 | 00,007,801 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rsit 5.JPG
[2009/07/10 12:01:32 | 00,107,100 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rsit 4.JPG
[2009/07/10 12:01:00 | 00,116,129 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rsit 3.JPG
[2009/07/10 11:59:51 | 00,111,754 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rsit 2.JPG
[2009/07/10 11:59:19 | 00,114,433 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rsit 1.JPG
[2009/07/10 11:56:18 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RSIT.exe
[2009/07/07 11:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/06 15:42:01 | 00,033,357 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RO P&ID 07.06.pdf
[2009/07/06 15:41:49 | 00,023,143 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RO LAYOUT 07.06.pdf
[2009/07/03 10:48:19 | 03,452,214 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dispatch map.bmp
[2009/07/02 15:35:02 | 00,014,848 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\smally.xls
[2009/07/02 13:51:28 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/06/29 08:11:31 | 23,975,176 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Administrator\Desktop\sdsetup.exe
< End of report >

extras text

OTL Extras logfile created on: 7/20/2009 1:14:50 PM - Run 1
OTL by OldTimer - Version 3.0.9.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 48.60% Memory free
3.84 Gb Paging File | 2.98 Gb Available in Paging File | 77.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 136.71 Gb Total Space | 102.68 Gb Free Space | 75.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111.76 Gb Total Space | 81.89 Gb Free Space | 73.28% Space Free | Partition Type: FAT32
Drive F: | 12.13 Gb Total Space | 12.00 Gb Free Space | 98.92% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PUREWATER
Current User Name: administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0C753D2F-C64A-44B9-8FF4-A7752D8F2EC7}" = Windows Small Business Server Admin
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2734011B-3709-45B2-A946-5A1ADB1AFCFE}" = Windows Small Business Server Documents
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{31271095-CD3A-4C9F-89F6-B5F6F3B35636}" = Windows Small Business Server Remote Portal
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{413CEBC4-ABA1-4AC4-ADFB-69FA195F09AB}" = 7300_Help
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{539B64D9-814D-475C-81EC-B82F3E79C23A}" = ACT!
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5D622FC5-B037-4505-AD5A-60555C2A05E9}" = Microsoft Connector for POP3 Mailboxes
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64A411C9-DB09-4F01-A8D4-2D5227D7A074}" = Windows Small Business Server Licensing
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{65657C59-23A8-4974-B8E0-BA04EBD04E4F}" = Microsoft SQL Server Desktop Engine (SHAREPOINT)
"{66C8DA1B-9156-44B6-B222-2219BC6F21A9}" = Windows Small Business Server Client Setup
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6D48CC96-AC7C-449F-BD06-7C52A791848B}" = 7400
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{83ED1E80-A1B7-4246-BCF1-AC4A88151A6B}" = Microsoft MapPoint North America 2006
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85BCA736-A0F4-448E-9BC1-6EA08693E10B}" = HP Image Zone Express
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8681E826-9DC6-4EAC-84B7-971EA795BD36}" = Microsoft Group Policy Management Console
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{88A6C12D-DED9-412B-9CC2-643F03674EDF}" = Windows Small Business Server Fax Cfg
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{8EFE8B68-29E3-4F11-980B-1CDC9E21B258}" = Windows Small Business Server Connectivity
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91140409-7000-11D3-8CFE-0150048383C9}" = Microsoft Windows SharePoint Services 2.0
"{980735D0-D588-403B-9BCC-AFA6D1D7E254}" = ACT! 2005
"{9EF5B77F-703E-4953-9DA9-186E28A62568}" = 7300Trb
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{ACCB890A-C291-4157-92A1-5A56D71AB047}" = Windows Small Business Server Fax
"{ACE0B250-0370-42D3-B137-16BB4BC0BD61}" = Windows Small Business Server ActiveSync
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7300824-E68F-45F1-BAC1-5F15636C346F}" = Microsoft SQL Server Desktop Engine (SBSMONITORING)
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBCA9AEA-7E95-46B7-B809-F605FE21AD26}" = QuickBooks Customer Manager Version 2
"{E3DD8B4D-D2B2-457A-B5D6-66B5031535A2}" = Windows Small Business Server Backup
"{EB132F7D-C614-40F5-952C-ED7391638A1B}" = Windows Small Business Server Client Experience
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FFFFED3C-5E7E-4C6C-A7B9-8BAB6181852B}" = Windows Small Business Server Monitoring
"5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA" = Windows Small Business Server 2003
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dispatched_is1" = Dispatched v2.3 Trial
"eTrust Suite Personal" = CA Internet Security Suite
"getPlus®_ocx" = getPlus®_ocx
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.7
"HPExtendedCapabilities" = HP Extended Capabilities 4.7
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{980735D0-D588-403B-9BCC-AFA6D1D7E254}" = ACT! 2005
"Magic ISO Maker v5.4 (build 0239)" = Magic ISO Maker v5.4 (build 0239)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Health Monitor 2.1" = Microsoft Health Monitor 2.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pdf995" = Pdf995
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-790875022-3342801166-26691914-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/19/2009 4:30:09 PM | Computer Name = PUREWATER | Source = VSS | ID = 6013
Description = Sqllib error: OLEDB Error encountered calling IDBInitialize::Initialize.
hr = 0x80040e4d. SQLSTATE: 42000, Native Error: 18456 Error state: 1, Severity: 14
Source:
Microsoft OLE DB Provider for SQL Server Error message: Login failed for user 'NT
AUTHORITY\SYSTEM'.

Error - 7/19/2009 4:43:02 PM | Computer Name = PUREWATER | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 7/19/2009 4:43:06 PM | Computer Name = PUREWATER | Source = SmallBusinessServer | ID = 1054210
Description = One or more components of Small Business Server Backup failed. For
more information, click Backup in Server Management, and view the log files.

Error - 7/20/2009 8:25:36 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

Error - 7/20/2009 8:25:36 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

Error - 7/20/2009 8:25:36 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

Error - 7/20/2009 8:25:48 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

Error - 7/20/2009 8:25:48 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

Error - 7/20/2009 8:25:48 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

Error - 7/20/2009 8:26:23 AM | Computer Name = PUREWATER | Source = QuickBooks | ID = 4
Description =

[ DNS Server Events ]
Error - 4/22/2009 9:04:47 AM | Computer Name = PUREWATER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 4/22/2009 9:04:47 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 4/22/2009 9:04:47 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.Purologix.local. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 4/22/2009 9:04:47 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 4/22/2009 9:04:47 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone Purologix.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 7/17/2009 8:48:44 AM | Computer Name = PUREWATER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 7/17/2009 8:48:44 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 7/17/2009 8:48:44 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.Purologix.local. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 7/17/2009 8:48:44 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 7/17/2009 8:48:44 AM | Computer Name = PUREWATER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone Purologix.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

[ System Events ]
Error - 1/8/2009 1:42:48 PM | Computer Name = PUREWATER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 1/8/2009 1:42:48 PM | Computer Name = PUREWATER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 1/8/2009 1:42:48 PM | Computer Name = PUREWATER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_DEC6DDD2\MFC80.DLL.
Reference
error message: The referenced assembly is not installed on your system. .

Error - 1/8/2009 6:23:36 PM | Computer Name = PUREWATER | Source = NETLOGON | ID = 5513
Description = The computer RUSS tried to connect to the server \\PUREWATER using
the
trust relationship established by the PUROLOGIX domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured. Reestablish
the trust relationship.

Error - 1/8/2009 6:38:51 PM | Computer Name = PUREWATER | Source = NETLOGON | ID = 5723
Description = The session setup from computer 'RUSS' failed because the security
database does not contain a trust account 'RUSS$' referenced by the specified computer.



USER
ACTION If this is the first occurrence of this event for the specified computer and
account, this may be a transient issue that doesn't require any action at this time.
Otherwise, the following steps may be taken to resolve this problem: If 'RUSS$'
is a legitimate machine account for the computer 'RUSS', then 'RUSS' should be rejoined
to the domain. If 'RUSS$' is a legitimate interdomain trust account, then the trust
should be recreated. Otherwise, assuming that 'RUSS$' is not a legitimate account,
the following action should be taken on 'RUSS': If 'RUSS' is a Domain Controller,
then the trust associated with 'RUSS$' should be deleted. If 'RUSS' is not a Domain
Controller, it should be disjoined from the domain.

Error - 1/8/2009 6:49:37 PM | Computer Name = PUREWATER | Source = NETLOGON | ID = 5805
Description = The session setup from the computer RUSS failed to authenticate. The
following error occurred: %%5

Error - 1/9/2009 8:26:30 AM | Computer Name = PUREWATER | Source = NETLOGON | ID = 5513
Description = The computer RUSS tried to connect to the server \\PUREWATER using
the
trust relationship established by the PUROLOGIX domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured. Reestablish
the trust relationship.

Error - 1/9/2009 12:46:34 PM | Computer Name = PUREWATER | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
RUSS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4B6EDFB8-EF70-4C3B-ABA2.
The
master browser is stopping or an election is being forced.

Error - 1/9/2009 1:00:36 PM | Computer Name = PUREWATER | Source = NETLOGON | ID = 5513
Description = The computer RUSS tried to connect to the server \\PUREWATER using
the
trust relationship established by the PUROLOGIX domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured. Reestablish
the trust relationship.

Error - 1/9/2009 5:00:37 PM | Computer Name = PUREWATER | Source = NETLOGON | ID = 5513
Description = The computer RUSS tried to connect to the server \\PUREWATER using
the
trust relationship established by the PUROLOGIX domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured. Reestablish
the trust relationship.


< End of report >


Thanks!

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:14 PM

Posted 23 July 2009 - 04:16 AM

Hi,

There seems to be p2p file sharing stuff (Bittorrent DNA) installed there. Nowadays a big part of infections originates from p2p downloads. To reduce infection risk I recommend uninstalling p2p software. If you don't want to uninstall it, you still have to make sure none of these programs is running during the cleaning process.


Uninstall these vulnerable Javas:
Java™ 6 Update 3
Java™ 6 Update 7


Uninstall old Adobe Reader versions and get the latest one (9.1 + update 9.1.2 for it) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

You seem to have MBAM installed. Good. Please start it and let it update itself. Then run a full scan (let it delete and quarantine its findings) and post back its report.

After that, let's run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Commands
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log.

Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read the requirements and privacy statement then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic. Is the issue still present?
  • The scan will take a while, so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 23 July 2009 - 09:25 AM

So just to keep you updated, I was running MBAM and it seems that the computer restarted itself in the middle of the scan. I had my back turned and was working on my laptop at the time. I am going to try to keep a better eye on things and redo the scan. Thoughts? If this second scan fails, should I go to the next step?

#8 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 23 July 2009 - 10:21 AM

OK, here is a pic of where it seems to be stuck. It has been there for about 25 minutes now. Should I try running in safe mode?


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:14 PM

Posted 23 July 2009 - 10:40 AM

Hi,

Skip over the MBAM part for now. You may try it again (in safe mode if needed) after the other steps are done.

Edited by Blade81, 23 July 2009 - 10:40 AM.



#10 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 23 July 2009 - 11:13 AM

I didn't know if you wanted me to post it all in one post or not, so I'm gonna go ahead and post the OTL log file and move on to the next process....
Thanks


All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 39787055 bytes
->Temporary Internet Files folder emptied: 132600964 bytes
->Java cache emptied: 19827133 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6698515 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 63400 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: russ
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: SBS Backup User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1401714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 2864 bytes
RecycleBin emptied: 3783316 bytes

Total Files Cleaned = 194.84 mb


OTL by OldTimer - Version 3.0.9.2 log created on 07232009_120611

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#11 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 24 July 2009 - 07:11 AM

Kaspersky log
I'm going to go back and try MBAM again and also try to immunize in Spybot, as I was having a problem with that too...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 24, 2009
Operating System: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 23, 2009 12:45:34
Records in database: 2520102
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Z:\

Scan statistics:
Files scanned: 66160
Threat name: 4
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:22:44


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\My Documents\Downloads\AVG Anti-Virus 8.5.325\AVG Anti-Virus 8.5.325.EXE Infected: Trojan.Win32.FraudPack.mmy 1
C:\Program Files\Dispatched\Support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\WINDOWS\system32\drivers\etc\hosts.20090521-100433.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090521-100550.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090702-122248.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090702-122259.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123000.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123024.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123218.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123251.backup Infected: Trojan.Win32.Qhost.lph 1
C:\WINDOWS\system32\drivers\etc\hosts.20090710-091855.backup Infected: Trojan.Win32.Qhost.lph 1
C:\_OTL\MovedFiles\07232009_120611\WINDOWS\System32\drivers\etc\hosts Infected: Trojan.Win32.Qhost.lph 1
E:\NCSRT\Systems\11 Programs & Backup CD\Vinny Chrom\VNC Program\vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3

The selected area was scanned.

#12 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 24 July 2009 - 07:49 AM

OK, MBAM failed. It rebooted in the middle of it, maybe about 19 minutes in.
On restart I got error reports etc. and have included a screen cap.
Gonna try Spybot next.
We had talked about safe mode, but while I'm relatively computer savvy I don't feel comfortable taking any steps unadvised since we have gotten so deep into things.
Actually, in saying that, I will hold off on a Spybot scan.
OK.
And as for the attachment, I don't have room for it to be visible, so if you would like to see it, let me know what image(s) you would like me to delete.
God bless
Will

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:14 PM

Posted 24 July 2009 - 01:22 PM

Hi Will,

Is this downloaded from AVG official site:
C:\Documents and Settings\Administrator\My Documents\Downloads\AVG Anti-Virus 8.5.325\AVG Anti-Virus 8.5.325.EXE ?

If not, delete the file and AVG Anti-Virus 8.5.325 folder itself.

Delete also these files:
C:\WINDOWS\system32\drivers\etc\hosts.20090521-100433.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090521-100550.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090702-122248.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090702-122259.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123000.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123024.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123218.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090702-123251.backup
C:\WINDOWS\system32\drivers\etc\hosts.20090710-091855.backup

Please re-run OTL and post back OTL.txt contents.

Also, you may run Spybot at this point. Let's leave the MBAM thing for later.

Have you tested searches? Is redirecting still occurring?

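
The Kaspersky report above flagged every hosts backup under drivers\etc, and the hosts file OTL moved aside, as Trojan.Win32.Qhost, which fits the redirected search results: a hijacked hosts file maps search-engine and security-vendor names to an address the attacker picks, and OTL's [resethosts] put a clean file back. As an added example, not code from this thread or from OTL, RunScanner or Kaspersky, here is a small Python audit that parses a hosts file and flags watchlisted names mapped to anything other than loopback, while leaving legitimate ad-blocking entries (names sinkholed to 127.0.0.1 or 0.0.0.0) unflagged. The watchlist, the sample hosts text and the addresses in it are constructed for the example.

```python
"""Hosts-file audit for Qhost-style hijacks (constructed example; not code
from this thread, OTL, RunScanner or Kaspersky)."""
import ipaddress
import sys
from typing import Dict, List, NamedTuple, Tuple

# Names hijackers typically redirect: search engines, update and security-
# vendor sites. Constructed watchlist; extend it for your own environment.
WATCHLIST_SUFFIXES = (
    "google.com", "yahoo.com", "bing.com", "live.com", "microsoft.com",
    "windowsupdate.com", "malwarebytes.org", "bleepingcomputer.com",
    "kaspersky.com", "safer-networking.org",
)


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostnames: Tuple[str, ...]


class Finding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts text; skip comments, blank lines and lines whose first
    token is not an IP address. Spaces and tabs both separate fields."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed line: no address in first position
        entries.append(HostsEntry(line_no, tokens[0],
                                  tuple(t.lower() for t in tokens[1:])))
    return entries


def is_sinkhole_address(ip: str) -> bool:
    """Loopback or 0.0.0.0 blocks a name; anything else redirects it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHLIST_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, object]:
    """Count entries and redirecting entries; flag watchlisted names."""
    entries = parse_hosts(text)
    findings: List[Finding] = []
    redirecting_entries = 0
    for entry in entries:
        redirecting = not is_sinkhole_address(entry.ip)
        if redirecting:
            redirecting_entries += 1
        for name in entry.hostnames:
            if name == "localhost" or not on_watchlist(name):
                continue
            reason = ("watchlisted name redirected to non-loopback address"
                      if redirecting else "watchlisted name sinkholed (blocked)")
            findings.append(Finding(entry.line_no, entry.ip, name, reason))
    return {"entries": len(entries),
            "redirecting_entries": redirecting_entries,
            "findings": findings}


# Constructed sample: two search hosts redirected to a TEST-NET-3 address that
# stands in for an attacker host, a sinkholed vendor site, one ad-blocking entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.example.net          # ad blocking, not a hijack
203.0.113.45    www.google.com
203.0.113.45    search.yahoo.com
127.0.0.1       www.malwarebytes.org    # vendor site sinkholed
192.0.2.9       intranet.example.local  # internal name, not on watchlist
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file, e.g. drivers\etc\hosts or a .backup
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    result = audit_hosts(data)
    print(f"entries: {result['entries']}, "
          f"redirecting (non-loopback): {result['redirecting_entries']}")
    for f in result["findings"]:
        print(f"line {f.line_no}: {f.ip} {f.hostname} -- {f.reason}")
```

Run it with no arguments to see the constructed sample, or point it at the live file or at each hosts.*.backup copy before they are deleted to see what the earlier versions redirected. A clean Windows hosts file carries only localhost entries, so any redirecting finding, or a large count of non-loopback entries, is worth a look; the sinkhole case is reported separately because a 127.0.0.1 mapping of a vendor site blocks updates and scanner downloads rather than redirecting the user.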


#14 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 27 July 2009 - 09:29 AM

The original problem seems to be gone with the google links. I'd still feel more comfortable not closing out until 1, you say we're clear; and 2, full mbam scan as well as spybot immunization.

What is a good virus scanner for a server? Basically I'm a huge fan of avast but the server edition costs money that my boss will not be happy with paying.

Below is the latest OTL log. The log seems to be a lot shorter; did I do something wrong? I was comparing it with the original OTL log and there was much more information in that first one.

Thanks
Will

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 77004449 bytes
->Temporary Internet Files folder emptied: 34307063 bytes
->Java cache emptied: 127542 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 5181 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: russ
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: SBS Backup User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 64573661 bytes

Total Files Cleaned = 167.93 mb


OTL by OldTimer - Version 3.0.9.2 log created on 07272009_101151

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#15 madsam64

madsam64
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 27 July 2009 - 10:11 AM

FYI, Spybot ran fully and immunized as well. It found right click media and got rid of it. I'll wait on hearing from you before I attempt MBAM again.



