Disabled.Securitycenter can't be removed


  • This topic is locked
14 replies to this topic

#1 Linkusmax

Linkusmax

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 23 March 2010 - 05:30 PM

I have a Windows 2008 server which has had Task Manager, regedit and various security tools disabled. Malwarebytes says it will remove them, but they are still there after the reboot. I have never stuck a USB in the drive and the only software run on it by myself is corporate, so I expect it has come from something stuck on one of the network drives.

Log Files for the server

When I run GMER it says the system cannot find the path specified, then lists the path to my user directory (it is cut off halfway with an ellipsis).

I would appreciate any help you can provide, as while the virus doesn't seem to be affecting the server's performance, it is worrying to have there.

CODE
DDS (Ver_10-03-17.01) - NTFSX64  
Run by administrator at  9:21:34.11 on Wed 03/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Server® 2008 Standard   6.0.6002.2.1252.1.1033.18.2037.51 [GMT 11:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\LogonUI.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Altiris\eXpress\Deployment Server\axengine.exe
C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PxeCfgService.exe
C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PxeMgr.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe
C:\Program Files\HP\Cissesrv\cissesrv.exe
C:\Windows\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\Windows\system32\DFSRs.exe
C:\Windows\system32\dns.exe
C:\Program Files (x86)\WebHelpDesk\FrontBase4\bin\FrontBase.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\System32\ismserv.exe
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\ntfrs.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\Windows\system32\svchost -k TSLicensing
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\WebHelpDesk\bin\wrapper\bin\wrapper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\dfssvc.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files (x86)\WebHelpDesk\bin\jre\bin\java.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Windows\System32\svchost.exe -k tapisrv
C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\Pxemtftp.exe
C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PXEService.exe
C:\Windows\system32\iashost.exe
C:\Windows\System32\msdtc.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\inetsrv\w3wp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\LogMeIn\x64\update\raupdate.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardian.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Administrator.MCP\Desktop\dds.scr
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Marist College Pagewood
uStart Page = hxxp://www.maristpagewood.catholic.edu.au
uDefault_Page_URL = hxxp://www.maristpagewood.catholic.edu.au
mDefault_Page_URL = hxxp://www.marist.pagewood.syd.catholic.edu.au
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~3\office12\GRA8E1~1.DLL
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [Symantec Backup Exec System Recovery 7.0] "c:\program files (x86)\symantec\backup exec system recovery\agent\VProTray.exe"
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoAutorun = 1 (0x1)
mPolicies-explorer: DontSetAutoplayCheckbox = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~3\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
TCP: {1EC6EB39-2E5E-48BD-A71F-FD7F439C88F5} = 10.82.96.50,10.82.96.52
TCP: {3B06FB6D-E63A-4192-AE78-899691364642} = 113.29.215.26
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~3\office12\GR99D3~1.DLL
AppInit_DLLs: HookDLL.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~3\office12\GRA8E1~1.DLL
SecurityProviders: credssp.dll, pwdssp.dll
LSA: Notification Packages = scecli RASSFM
mASetup: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
mASetup: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser

============= SERVICES / DRIVERS ===============

R0 HpCISSs2;HpCISSs2;c:\windows\system32\drivers\HpCISSs2.sys [2009-6-3 86056]
R0 storflt;Disk VMBUS Acceleration Filter Driver;c:\windows\system32\drivers\storflt.sys [2008-1-20 42440]
R1 DfsDriver;DFS Namespace Server Filter Driver;c:\windows\system32\drivers\dfs.sys [2008-1-20 45112]
R2 Altiris eXpress Server;Altiris eXpress Server;c:\program files (x86)\altiris\express\deployment server\axengine.exe [2009-7-15 2424832]
R2 Altiris PXE Config Helper;Altiris PXE Config Helper;c:\program files (x86)\altiris\express\deployment server\pxe\PxeCfgService.exe [2009-7-15 458752]
R2 Altiris PXE Manager;Altiris PXE Manager;c:\program files (x86)\altiris\express\deployment server\pxe\PxeMgr.exe [2009-7-15 790528]
R2 Backup Exec System Recovery;Backup Exec System Recovery;c:\program files (x86)\symantec\backup exec system recovery\agent\VProSvc.exe [2007-3-28 3290728]
R2 Cissesrv;HP Smart Array SAS/SATA Event Notification Service;c:\program files\hp\cissesrv\cissesrv.exe [2008-11-14 155648]
R2 DNS;DNS Server;c:\windows\system32\dns.exe [2009-4-12 639488]
R2 FrontBaseServicewhd;Web Help Desk Embedded Database;c:\program files (x86)\webhelpdesk\frontbase4\bin\frontbase.exe whd --> c:\program files (x86)\webhelpdesk\frontbase4\bin\FrontBase.exe whd [?]
R2 IAS;Network Policy Server;c:\windows\system32\svchost.exe -k netsvcs [2008-1-19 27648]
R2 IsmServ;Intersite Messaging;c:\windows\system32\ismserv.exe [2008-1-20 59392]
R2 kdc;Kerberos Key Distribution Center;c:\windows\system32\lsass.exe [2008-1-19 11264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\logmein\x64\rainfo.sys [2008-7-24 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-28 72216]
R2 NtFrs;File Replication Service;c:\windows\system32\ntfrs.exe [2009-4-12 1019392]
R3 Altiris PXE MTFTP Server;Altiris PXE MTFTP Server;c:\program files (x86)\altiris\express\deployment server\pxe\PxeMtftp.exe [2009-7-15 372736]
R3 Altiris PXE Server;Altiris PXE Server;c:\program files (x86)\altiris\express\deployment server\pxe\PxeService.exe [2009-7-15 352256]
R3 CpqCiDrv;HP iLO Management Channel Interface Driver;c:\windows\system32\drivers\cpqcidrv.sys [2009-6-3 51752]
R3 hpqilo2;hpqilo2;c:\windows\system32\drivers\hpqilo2.sys [2009-6-3 156200]
R3 q57nd60a;HP NC326i PCIe Dual Port Gigabit Server Adapter;c:\windows\system32\drivers\q57nd60a.sys [2009-6-3 390656]
S0 sacdrv;sacdrv;c:\windows\system32\drivers\sacdrv.sys [2008-1-20 103992]
S2 Altiris Deployment Server Console Manager;Altiris Deployment Server Console Manager;c:\program files (x86)\altiris\express\deployment web console\ConsoleManager.exe [2009-7-15 94208]
S2 Altiris Deployment Server Data Manager;Altiris Deployment Server Data Manager;c:\program files (x86)\altiris\express\deployment server\DataManager.exe [2009-7-15 94208]
S2 Altiris Deployment Server DB Management;Altiris Deployment Server DB Management;c:\program files (x86)\altiris\express\deployment server\dbmanager.exe [2009-7-15 864256]
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60a.sys [2008-1-19 214016]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-4-12 89920]
S3 CPQTeam;HP Network Configuration Utility;c:\windows\system32\drivers\cpqteam.sys [2009-1-21 225792]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-1-19 27648]
S3 Portmap;Server for NFS Open RPC (ONCRPC) Portmapper;c:\windows\system32\drivers\portmap.sys [2008-1-20 56832]
S3 RpcXdr;Server for NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [2009-4-12 89600]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\drivers\bxvbda.sys [2008-1-20 429568]
S4 ioatdma;Intel(R) QuickData Technology Device;c:\windows\system32\drivers\qd260x64.sys [2008-1-20 35328]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;c:\windows\system32\drivers\s3cap.sys [2008-1-20 16840]
S4 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2008-1-20 36328]
S4 storvsp;Microsoft Virtual Disk Server Driver;c:\windows\system32\drivers\storvsp.sys [2008-1-20 122880]
S4 Vid;Virtualization Infrastructure Driver;c:\windows\system32\drivers\Vid.sys [2008-1-20 195072]
S4 vmbus;VMBus;c:\windows\system32\drivers\vmbus.sys [2008-1-20 217048]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-03-23 00:57:15    0    d-----w-    c:\program files (x86)\Trend Micro
2010-03-14 00:00:27    55096    ----a-w-    c:\windows\system32\drivers\v2imount.sys
2010-03-14 00:00:27    19256    ----a-w-    c:\windows\system32\drivers\vproeventmonitor.sys
2010-03-14 00:00:27    18224    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-14 00:00:27    151656    ----a-w-    c:\windows\system32\drivers\WimFltr.sys
2010-03-14 00:00:27    124208    ----a-w-    c:\windows\system32\GEARAspi64.dll
2010-03-14 00:00:27    109360    ----a-w-    c:\windows\syswow64\GEARAspi.dll
2010-03-14 00:00:26    208696    ----a-w-    c:\windows\system32\drivers\symsnap.sys
2010-03-14 00:00:09    0    d-----w-    c:\program files (x86)\common files\Symantec Shared
2010-03-14 00:00:08    0    d-----w-    c:\program files (x86)\Symantec
2010-03-09 04:19:21    332228096    ----a-w-    C:\ReporterPro
2010-03-02 03:47:01    0    d-----w-    c:\program files\Microsoft
2010-03-02 03:47:01    0    d-----w-    c:\program files (x86)\Microsoft
2010-03-02 03:39:12    0    ----a-w-    c:\users\administrator.mcp\php
2010-03-02 03:34:44    0    d-----w-    C:\PHP
2010-03-02 02:54:35    0    d-----w-    c:\windows\Migration
2010-03-01 04:09:15    0    ----a-w-    c:\users\administrator.mcp\appcmd
2010-03-01 00:45:16    0    d-----w-    c:\program files (x86)\Understanding Faith
2010-02-22 03:39:58    0    d-----w-    c:\users\admini~1.mcp\appdata\roaming\Malwarebytes
2010-02-22 03:39:27    0    d-----w-    c:\programdata\Malwarebytes
2010-02-22 03:39:26    22104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-02-22 03:39:26    0    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware

==================== Find3M  ====================

2009-12-01 22:27:40    86016    ----a-w-    c:\windows\inf\infstrng.dat
2009-12-01 22:27:40    86016    ----a-w-    c:\windows\inf\infstor.dat
2009-12-01 22:27:40    51200    ----a-w-    c:\windows\inf\infpub.dat
2009-04-11 16:18:05    665600    ----a-w-    c:\windows\inf\drvindex.dat
2008-01-19 14:16:23    174    --sha-w-    c:\program files\desktop.ini
2008-01-19 14:16:23    174    --sha-w-    c:\program files (x86)\desktop.ini
2008-01-19 14:02:16    30674    ----a-w-    c:\windows\inf\perflib\0409\perfd.dat
2008-01-19 14:02:16    30674    ----a-w-    c:\windows\inf\perflib\0409\perfc.dat
2008-01-19 14:02:16    287440    ----a-w-    c:\windows\inf\perflib\0409\perfi.dat
2008-01-19 14:02:16    287440    ----a-w-    c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12    287440    ----a-w-    c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12    287440    ----a-w-    c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10    30674    ----a-w-    c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10    30674    ----a-w-    c:\windows\inf\perflib\0000\perfc.dat
2009-08-18 12:53:50    245760    --sha-w-    c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-07 01:48:24    16384    --sha-w-    c:\windows\temp\cookies\index.dat
2009-08-07 01:48:24    16384    --sha-w-    c:\windows\temp\history\history.ie5\index.dat
2009-08-07 01:48:24    16384    --sha-w-    c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-01-19 13:54:05    8192    --sha-w-    c:\windows\users\default\NTUSER.DAT

============= FINISH:  9:23:13.32 ===============


CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:27 AM, on 3/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.maristpagewood.catholic.edu.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maristpagewood.catholic.edu.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.marist.pagewood.syd.catholic.edu.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Marist College Pagewood
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec Backup Exec System Recovery 7.0] "C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\users\administrator.mcp\windows\system32\nlaapi.dll' missing
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://www.maristpagewood.catholic.edu.au
O15 - ESC Trusted Zone: http://clients1.google.com.au
O15 - ESC Trusted Zone: http://www.google.com.au
O15 - ESC Trusted Zone: *.internet%20explorer%20enchanced%20security
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mcp.nsw.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC6EB39-2E5E-48BD-A71F-FD7F439C88F5}: NameServer = 10.82.96.50,10.82.96.52
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B06FB6D-E63A-4192-AE78-899691364642}: NameServer = 113.29.215.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mcp.nsw.edu.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC6EB39-2E5E-48BD-A71F-FD7F439C88F5}: NameServer = 10.82.96.50,10.82.96.52
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: HookDLL.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Altiris Deployment Server Console Manager -   - C:\Program Files (x86)\Altiris\eXpress\Deployment Web Console\ConsoleManager.exe
O23 - Service: Altiris Deployment Server Data Manager -   - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\\DataManager.exe
O23 - Service: Altiris Deployment Server DB Management - Altiris, Inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\\dbmanager.exe
O23 - Service: Altiris eXpress Server - Altiris, Inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\\axengine.exe
O23 - Service: Altiris PXE Config Helper - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PxeCfgService.exe
O23 - Service: Altiris PXE Manager - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PxeMgr.exe
O23 - Service: Altiris PXE MTFTP Server - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\Pxemtftp.exe
O23 - Service: Altiris PXE Server - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PXEService.exe
O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Unknown owner - C:\Windows\system32\cpqrcmc.exe (file missing)
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: Web Help Desk Embedded Database (FrontBaseServicewhd) - Unknown owner - C:\Program Files (x86)\WebHelpDesk\FrontBase4\bin\FrontBase.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30005 (MSFTPSVC) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Unknown owner - C:\Windows\system32\sysdown.exe (file missing)
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: Web Help Desk (webhelpdesk) - Unknown owner - C:\Program Files (x86)\WebHelpDesk\bin\wrapper\bin\wrapper.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

--
End of file - 9651 bytes


CODE
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18702

3/23/2010 11:56:52 AM
mbam-log-2010-03-23 (11-56-39).txt

Scan type: Quick Scan
Objects scanned: 2138376
Time elapsed: 52 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by Linkusmax, 23 March 2010 - 10:43 PM.
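
The PowerShell script below is an added example written for this page; it is not from the thread and not part of DDS, HijackThis or Malwarebytes. The logs above show the same DisableTaskMgr / DisableRegistryTools values under uPolicies (HKCU) and dPolicies (HKU\.DEFAULT), the three Security Center *DisableNotify values under HKLM, and kdc, IsmServ and NtFrs running, i.e. the server is a domain controller, so domain Group Policy applies to it and SYSVOL is a local folder. A value that is re-created after every reboot is exactly what a policy setting looks like, so the check a practitioner wants before treating it as malware persistence is whether any Registry.pol (Administrative Templates) or Registry.xml (Group Policy Preferences) under the local GPO folder or SYSVOL sets those names. The script parses the Registry.pol layout itself ([MS-GPREG]: a 'PReg' header followed by [key;value;type;size;data] records in UTF-16LE) so it needs no GroupPolicy module, and it also resolves the AppInit_DLLs entry (HookDLL.DLL, listed with no path) to files on disk and reports their size and timestamp without judging what they are. Assumptions, all mine: PowerShell 2.0 or later, 64-bit, run elevated on the server itself, SYSVOL at the default %SystemRoot%\SYSVOL; logon scripts and scheduled tasks can re-set these values just as well and are not covered.

```powershell
# Added example for this thread, not code from the original post or from DDS/HijackThis/MBAM.
# Purpose: show whether the registry values flagged in the logs are being pushed by Group Policy
# (which would put them back after every reboot or gpupdate) and locate the AppInit_DLLs file(s).
# Assumptions: PowerShell 2.0+ (64-bit), run elevated on the server itself, SYSVOL at the default
# %SystemRoot%\SYSVOL. Logon scripts and scheduled tasks are NOT covered by this check.

function Read-RegistryPol {
    # Parses the [MS-GPREG] Registry.pol layout: 'PReg' + version DWORD, then records of the form
    # [key;value;type;size;data] in which '[', ']' and ';' are UTF-16LE characters.
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "$Path does not start with the PReg signature"
    }
    $pos = 8
    while ($pos + 2 -le $bytes.Length) {
        if ($bytes[$pos] -ne 0x5B) { throw "expected '[' at offset $pos in $Path" }
        $pos += 2
        $strings = @()
        for ($i = 0; $i -lt 2; $i++) {                      # key path, then value name
            $start = $pos
            while ($pos + 1 -lt $bytes.Length -and ($bytes[$pos] -ne 0 -or $bytes[$pos + 1] -ne 0)) { $pos += 2 }
            $strings += [System.Text.Encoding]::Unicode.GetString($bytes, $start, $pos - $start)
            $pos += 4                                       # NUL terminator + ';'
        }
        $type = [BitConverter]::ToInt32($bytes, $pos); $pos += 6    # DWORD + ';'
        $size = [BitConverter]::ToInt32($bytes, $pos); $pos += 6    # DWORD + ';'
        $data = New-Object byte[] $size
        [Array]::Copy($bytes, $pos, $data, 0, $size)
        $pos += $size + 2                                   # data + ']'
        if ($type -eq 4 -and $size -ge 4)    { $value = [BitConverter]::ToInt32($data, 0) }                                 # REG_DWORD
        elseif ($type -eq 1 -or $type -eq 2) { $value = [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) } # REG_SZ / REG_EXPAND_SZ
        else                                 { $value = [BitConverter]::ToString($data) }                                   # anything else, as hex
        New-Object PSObject -Property @{ Key = $strings[0]; ValueName = $strings[1]; Type = $type; Data = $value; File = $Path }
    }
}

# Values named in the MBAM and DDS logs, written the way Registry.pol stores keys (no hive prefix).
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$watch = @(
    @{ Key = $policyKey; Name = 'DisableTaskMgr' },   @{ Key = $policyKey; Name = 'DisableRegistryTools' },
    @{ Key = $policyKey; Name = 'HideLogonScripts' }, @{ Key = $policyKey; Name = 'EnableLUA' },
    @{ Key = 'Software\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify' },
    @{ Key = 'Software\Microsoft\Security Center'; Name = 'FirewallDisableNotify' },
    @{ Key = 'Software\Microsoft\Security Center'; Name = 'UpdatesDisableNotify' }
)
# These hives are what DDS calls uPolicies (current user), dPolicies (.DEFAULT) and mPolicies (machine).
$hives = 'HKEY_CURRENT_USER', 'HKEY_USERS\.DEFAULT', 'HKEY_LOCAL_MACHINE'

"== live registry values =="
foreach ($w in $watch) {
    foreach ($hive in $hives) {
        $item = Get-ItemProperty -Path "Registry::$hive\$($w.Key)" -Name $w.Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { "{0}\{1}\{2} = {3}" -f $hive, $w.Key, $w.Name, $item.($w.Name) }
    }
}

"== Group Policy sources (local GPO folder and SYSVOL) =="
$gpRoots = @("$env:SystemRoot\System32\GroupPolicy", "$env:SystemRoot\SYSVOL") | Where-Object { Test-Path $_ }
$polEntries = @(); $prefFiles = @()
if ($gpRoots) {
    $polEntries = Get-ChildItem -Path $gpRoots -Recurse -Force -Filter Registry.pol -ErrorAction SilentlyContinue |
                  ForEach-Object { Read-RegistryPol $_.FullName }
    $prefFiles  = Get-ChildItem -Path $gpRoots -Recurse -Force -Filter Registry.xml -ErrorAction SilentlyContinue
}
foreach ($w in $watch) {
    $polEntries | Where-Object { $_.Key -eq $w.Key -and $_.ValueName -eq $w.Name } |
        ForEach-Object { "Registry.pol sets {0} = {1}  <- {2}" -f $_.ValueName, $_.Data, $_.File }
    $prefFiles | Select-String -SimpleMatch $w.Name |
        ForEach-Object { "GPP Registry.xml mentions {0}  <- {1}" -f $w.Name, $_.Path }
}

"== AppInit_DLLs =="
# The log shows 'HookDLL.DLL' without a path, so locate the actual file(s) before deciding what they are.
# Both the native and the Wow6432Node key are read, since 32-bit processes use the latter on x64.
foreach ($k in 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $p = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\$k" -ErrorAction SilentlyContinue
    if ($p -eq $null -or -not $p.AppInit_DLLs) { continue }
    "HKLM\{0}: AppInit_DLLs='{1}' LoadAppInit_DLLs={2}" -f $k, $p.AppInit_DLLs, $p.LoadAppInit_DLLs
    foreach ($dll in ($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        Get-ChildItem -Path "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64" -Filter ([System.IO.Path]::GetFileName($dll)) -ErrorAction SilentlyContinue |
            ForEach-Object { "  {0}  {1} bytes, modified {2}" -f $_.FullName, $_.Length, $_.LastWriteTime }
    }
}
```

Run it from an elevated PowerShell prompt on the server. A hit in a Registry.pol or Registry.xml means gpupdate will put the value back no matter how often a cleaner deletes it; the fix is the GPO (and finding out who edited it), not the registry. No hit in any policy file while the values still return after a reboot is the case that does need to be treated as something re-applying them, and the logon script and scheduled task angles are the next places to look.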


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:33 PM

Posted 27 March 2010 - 04:58 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Linkusmax

Linkusmax
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 28 March 2010 - 09:50 PM

Detailed Description

I have a Windows 2008 server which has had task manager, regedit and various security tools disabled. Malwarebytes says it will remove them but they are still there after the reboot. I have never stuck a USB in the drive and the only software run on it by myself is corporate, so I expect it has come from something stuck on one of the network drives.

Some of my software which uses a version of the .NET Framework is giving me an error saying the application failed to initialize properly (0xc000007b) even though I have reinstalled the framework (although I am not 100% sure this is virus related).

I have also run McAfee VirusScan 8.7i.

Requested Logs

OTL

OTL.txt
OTL logfile created on: 3/29/2010 1:27:13 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Administrator.MCP\Desktop
64bit-Windows Vista Server Standard Edition (full installation) Service Pack 2 (Version = 6.0.6002) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 8.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.66 Gb Total Space | 43.49 Gb Free Space | 44.53% Space Free | Partition Type: NTFS
Drive D: | 488.28 Gb Total Space | 287.43 Gb Free Space | 58.86% Space Free | Partition Type: NTFS
Drive E: | 345.52 Gb Total Space | 246.36 Gb Free Space | 71.30% Space Free | Partition Type: NTFS
Drive F: | 502.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive T: | 931.51 Gb Total Space | 85.57 Gb Free Space | 9.19% Space Free | Partition Type: NTFS
Drive X: | 136.72 Gb Total Space | 62.92 Gb Free Space | 46.02% Space Free | Partition Type: NTFS
Drive Y: | 50.37 Gb Total Space | 5.45 Gb Free Space | 10.82% Space Free | Partition Type: NTFS

Computer Name: CURRICULUM01
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/29 13:25:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator.MCP\Desktop\OTL.exe
PRC - [2010/03/25 13:54:05 | 000,206,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
PRC - [2010/03/24 17:27:20 | 000,421,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
PRC - [2010/03/24 15:34:46 | 002,111,080 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
PRC - [2009/08/31 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/06/05 16:31:10 | 000,049,248 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\WebHelpDesk\bin\jre\bin\java.exe
PRC - [2009/04/12 03:12:49 | 000,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\inetsrv\w3wp.exe
PRC - [2009/04/10 05:00:39 | 000,126,976 | ---- | M] () -- C:\Program Files (x86)\WebHelpDesk\bin\wrapper\bin\wrapper.exe
PRC - [2009/04/10 05:00:38 | 001,716,224 | ---- | M] () -- C:\Program Files (x86)\WebHelpDesk\FrontBase4\bin\FrontBase.exe
PRC - [2009/01/16 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/12/11 10:20:58 | 001,560,576 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\bin\smhstart.exe
PRC - [2008/12/11 10:18:38 | 000,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\bin\rotatelogs.exe
PRC - [2008/12/11 10:18:30 | 000,019,968 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\bin\hpsmhd.exe
PRC - [2008/11/28 14:27:32 | 000,729,088 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
PRC - [2008/01/19 18:33:04 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\cmd.exe
PRC - [2007/03/28 20:40:14 | 003,290,728 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/29 13:25:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator.MCP\Desktop\OTL.exe
MOD - [2009/04/12 03:13:24 | 000,063,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\TSAPPCMP.dll
MOD - [2009/04/12 03:12:06 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/08/31 20:07:00 | 000,079,504 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2009/04/12 03:13:26 | 000,642,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\lserver.dll -- (TermServLicensing)
SRV:64bit: - [2009/04/12 03:13:20 | 000,252,928 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/04/12 03:13:10 | 000,604,672 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/04/12 03:12:48 | 000,427,520 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\inetsrv\iisw3adm.dll -- (WAS)
SRV:64bit: - [2009/04/12 03:12:48 | 000,427,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\iisw3adm.dll -- (W3SVC)
SRV:64bit: - [2009/04/12 03:12:48 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV:64bit: - [2009/04/12 03:12:45 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\RSoPProv.exe -- (RSoPProv)
SRV:64bit: - [2009/04/12 03:11:14 | 001,019,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ntfrs.exe -- (NtFrs)
SRV:64bit: - [2009/04/12 03:11:14 | 000,639,488 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dns.exe -- (DNS)
SRV:64bit: - [2009/04/12 03:11:13 | 000,326,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dfssvc.exe -- (Dfs)
SRV:64bit: - [2009/04/12 03:11:08 | 003,672,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\DFSRs.exe -- (DFSR)
SRV:64bit: - [2009/01/25 05:33:54 | 000,017,960 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\sysdown.exe -- (sysdown)
SRV:64bit: - [2008/11/14 13:21:50 | 000,022,568 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\cpqrcmc.exe -- (CpqRcmc)
SRV:64bit: - [2008/11/14 13:08:48 | 000,155,648 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\HP\Cissesrv\cissesrv.exe -- (Cissesrv)
SRV:64bit: - [2008/01/20 00:52:26 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/01/20 00:52:17 | 000,059,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ismserv.exe -- (IsmServ)
SRV:64bit: - [2008/01/20 00:52:06 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\wmsvc.exe -- (WMSvc)
SRV:64bit: - [2008/01/20 00:52:05 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (MSFTPSVC)
SRV:64bit: - [2008/01/20 00:52:05 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:64bit: - [2008/01/20 00:51:45 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2008/01/20 00:51:44 | 000,026,112 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2008/01/19 19:01:46 | 000,025,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ias.dll -- (IAS)
SRV - [2010/03/29 12:19:40 | 000,000,000 | ---D | M] [Auto | Running] -- C:\Windows\NTDS -- (NTDS)
SRV - [2010/03/25 20:00:14 | 000,782,336 | ---- | M] (Altiris, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Altiris\eXpress\Deployment Server\dbmanager.exe -- (Altiris Deployment Server DB Management)
SRV - [2010/03/25 20:00:02 | 000,020,480 | ---- | M] ( ) [Auto | Stopped] -- C:\Program Files (x86)\Altiris\eXpress\Deployment Server\DataManager.exe -- (Altiris Deployment Server Data Manager)
SRV - [2009/10/02 12:27:30 | 000,120,640 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe -- (LMIMaint)
SRV - [2009/08/31 20:07:00 | 000,178,920 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe -- (McShield)
SRV - [2009/08/31 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/08/31 20:07:00 | 000,019,720 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/06/03 18:53:47 | 000,000,000 | ---D | M] [Auto | Running] -- C:\Windows\ntfrs -- (NtFrs)
SRV - [2009/04/12 03:12:49 | 000,373,760 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2009/04/12 03:12:49 | 000,373,760 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2009/04/12 03:12:49 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/04/12 03:12:23 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2009/04/12 03:12:12 | 000,042,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2009/04/10 05:00:39 | 000,126,976 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\WebHelpDesk\bin\wrapper\bin\wrapper.exe -- (webhelpdesk)
SRV - [2009/04/10 05:00:38 | 001,716,224 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\WebHelpDesk\FrontBase4\bin\FrontBase.exe -- (FrontBaseServicewhd)
SRV - [2009/03/30 16:37:34 | 002,424,832 | ---- | M] (Altiris, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Altiris\eXpress\Deployment Server\axengine.exe -- (Altiris eXpress Server)
SRV - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2008/12/11 10:20:58 | 001,560,576 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\hp\hpsmh\bin\smhstart.exe -- (SysMgmtHp)
SRV - [2008/11/28 14:27:32 | 000,729,088 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe -- (cpqvcagent)
SRV - [2008/07/24 19:46:08 | 000,057,920 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe -- (LogMeIn)
SRV - [2008/01/19 21:11:31 | 000,000,000 | ---D | M] [Unknown | Running] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2008/01/19 18:34:28 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\ias.dll -- (IAS)
SRV - [2007/03/28 20:40:14 | 003,290,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe -- (Backup Exec System Recovery)
SRV - [2006/11/02 17:35:15 | 000,060,994 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2006/11/02 17:35:15 | 000,055,846 | ---- | M] () [On_Demand | Running] -- C:\Windows\SysWOW64\wbem\vss.mof -- (VSS)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2009/10/02 12:27:18 | 000,087,384 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2009/08/31 20:07:00 | 000,469,144 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2009/08/31 20:07:00 | 000,119,968 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2009/08/31 20:07:00 | 000,097,576 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2009/08/31 20:07:00 | 000,083,784 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfetdik.sys -- (mfetdik)
DRV:64bit: - [2009/08/31 20:07:00 | 000,077,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2009/04/12 03:13:10 | 000,460,800 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/04/12 03:13:09 | 000,089,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rpcxdr.sys -- (RpcXdr) Server for NFS Open RPC (ONCRPC)
DRV:64bit: - [2009/04/12 03:11:01 | 000,122,880 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2009/04/12 03:11:00 | 000,217,048 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/04/12 03:11:00 | 000,195,072 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\vid.sys -- (Vid)
DRV:64bit: - [2009/04/12 03:11:00 | 000,036,328 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/01/25 05:33:52 | 000,156,200 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\hpqilo2.sys -- (hpqilo2)
DRV:64bit: - [2009/01/23 14:18:20 | 000,390,656 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\q57nd60a.sys -- (q57nd60a)
DRV:64bit: - [2009/01/21 14:08:32 | 000,225,792 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\cpqteam.sys -- (CPQTeam)
DRV:64bit: - [2009/01/07 15:40:36 | 000,086,056 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\HpCISSs2.sys -- (HpCISSs2)
DRV:64bit: - [2008/10/16 13:41:40 | 000,051,752 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\cpqcidrv.sys -- (CpqCiDrv)
DRV:64bit: - [2008/07/24 19:46:08 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2008/07/24 19:45:20 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2008/01/22 00:34:14 | 002,210,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV:64bit: - [2008/01/20 00:52:18 | 000,045,112 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\dfs.sys -- (DfsDriver)
DRV:64bit: - [2008/01/20 00:51:49 | 000,056,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\portmap.sys -- (Portmap) Server for NFS Open RPC (ONCRPC)
DRV:64bit: - [2008/01/20 00:51:45 | 000,103,992 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\DRIVERS\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2008/01/20 00:51:36 | 000,429,568 | ---- | M] (Broadcom Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2008/01/20 00:51:36 | 000,042,440 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\storflt.sys -- (storflt)
DRV:64bit: - [2008/01/20 00:51:36 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma) Intel®
DRV:64bit: - [2008/01/20 00:51:36 | 000,016,840 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\s3cap.sys -- (s3cap)
DRV:64bit: - [2008/01/19 17:34:15 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\umpass.sys -- (UMPass)
DRV:64bit: - [2008/01/05 22:22:47 | 000,214,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2007/03/28 20:48:02 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wimfltr.sys -- (WimFltr)
DRV:64bit: - [2007/03/28 20:29:14 | 000,208,696 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\symsnap.sys -- (symsnap)
DRV:64bit: - [2007/03/28 20:29:10 | 000,055,096 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\v2imount.sys -- (v2imount)
DRV:64bit: - [2007/03/28 20:23:50 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\vproeventmonitor.sys -- (VProEventMonitor)
DRV:64bit: - [2007/03/28 20:12:10 | 000,018,224 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/01/22 11:35:04 | 001,529,045 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\cpqteam.chm -- (CPQTeam)
DRV - [2008/07/24 19:46:10 | 000,015,928 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys -- (LMIInfo)
DRV - [2006/09/19 08:36:40 | 000,003,066 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
DRV - [2006/09/19 08:35:23 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.marist.pagewood.syd.catholic.edu.au
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 1.88.96.1;10.82.*.48;10.82.*.*;curriculum01;<local>
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.maristpagewood.catholic.edu.au:3128
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.marist.pagewood.syd.catholic.edu.au
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.82.*.*;uf.localhost;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.maristpagewood.catholic.edu.au:3128






IE - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.maristpagewood.catholic.edu.au
IE - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.maristpagewood.catholic.edu.au

IE - HKU\S-1-5-21-527237240-1682526488-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.maristpagewood.catholic.edu.au
IE - HKU\S-1-5-21-527237240-1682526488-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.maristpagewood.catholic.edu.au



O1 HOSTS File: ([2006/09/19 08:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [CPQTEAM] C:\Program Files\HP\NCU\cpqteam.exe (Hewlett-Packard Company)
O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [Symantec Backup Exec System Recovery 7.0] C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe (Symantec Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutorun = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DontSetAutoplayCheckbox = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoHardwareTab = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDeletePrinter = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetConnectDisconnect = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAddPrinter = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyDocuments = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 4
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoManageMyComputerVerb = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: GreyMSIAds = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyGames = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSearchComputerLinkInStartMenu = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoShellSearchButton = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 15
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-3928\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-527237240-1682526488-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5...heckControl.cab (Windows Genuine Advantage Validation Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mcp.nsw.edu.au
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (HookDLL.DLL) - C:\Windows\SysWow64\HookDll.dll (Wise Solutions, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Key error. - File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29:64bit: - HKLM SecurityProviders - (pwdssp.dll) - File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/16 04:07:16 | 000,000,087 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2008/01/19 18:33:18 | 000,000,349 | RHS- | M] () - T:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2008/01/19 18:33:18 | 000,000,294 | RHS- | M] () - X:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2008/01/19 18:33:18 | 000,000,387 | RHS- | M] () - Y:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\##curriculum#E$\Shell\AutoRun\command - "" = T:\Install FreeAgent Tools.exe -- [2008/01/12 13:27:24 | 145,399,688 | ---- | M] (Seagate )
O33 - MountPoints2\##curriculum#G$\Shell\AutoRun\command - "" = T:\Install FreeAgent Tools.exe -- [2008/01/12 13:27:24 | 145,399,688 | ---- | M] (Seagate )
O33 - MountPoints2\{3f787364-0182-11de-b61f-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3f787364-0182-11de-b61f-806e6f6e6963}\Shell\AutoRun\command - "" = F:\ROBOLAB254_PC_CD\PC-Install.exe -- [2004/08/04 22:17:34 | 001,172,502 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/29 13:25:24 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator.MCP\Desktop\OTL.exe
[2010/03/24 15:20:40 | 000,000,000 | ---D | C] -- C:\QUARANTINE
[2010/03/24 15:20:13 | 000,469,144 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfehidk.sys
[2010/03/24 15:20:13 | 000,119,968 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2010/03/24 15:20:13 | 000,097,576 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeapfk.sys
[2010/03/24 15:20:13 | 000,083,784 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfetdik.sys
[2010/03/24 15:20:13 | 000,079,504 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\mfevtps.exe
[2010/03/24 15:20:13 | 000,077,104 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2010/03/24 15:19:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Cisco Systems
[2010/03/24 15:19:47 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2010/03/24 15:19:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee
[2010/03/24 15:19:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\McAfee
[2010/03/23 11:57:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2010/03/14 11:00:27 | 000,151,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\WimFltr.sys
[2010/03/14 11:00:27 | 000,124,208 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysNative\GEARAspi64.dll
[2010/03/14 11:00:27 | 000,109,360 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysWow64\GEARAspi.dll
[2010/03/14 11:00:27 | 000,055,096 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\v2imount.sys
[2010/03/14 11:00:27 | 000,019,256 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\vproeventmonitor.sys
[2010/03/14 11:00:27 | 000,018,224 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys
[2010/03/14 11:00:26 | 000,208,696 | ---- | C] (StorageCraft) -- C:\Windows\SysNative\drivers\symsnap.sys
[2010/03/14 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2010/03/14 11:00:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2010/03/02 14:47:01 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/03/02 14:47:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft
[2010/03/02 14:34:44 | 000,000,000 | ---D | C] -- C:\PHP
[2010/03/02 13:54:35 | 000,000,000 | ---D | C] -- C:\Windows\Migration
[2010/03/01 11:45:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Understanding Faith
[2007/12/14 16:58:24 | 000,018,944 | ---- | C] ( ) -- C:\Windows\SysWow64\IMPLODE.DLL

========== Files - Modified Within 30 Days ==========

[2010/03/29 13:30:00 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{B7D3AE7C-2D2E-4B94-80AF-D021F33420D9}.job
[2010/03/29 13:30:00 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{703F3BA4-7494-4055-9A3C-B944704A8992}.job
[2010/03/29 13:29:59 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{B648CCCB-1395-48B9-AE8F-F487C2961B9A}.job
[2010/03/29 13:27:23 | 001,572,864 | -HS- | M] () -- C:\Users\Administrator.MCP\NTUSER.DAT
[2010/03/29 13:25:30 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator.MCP\Desktop\OTL.exe
[2010/03/29 13:22:35 | 000,001,460 | ---- | M] () -- C:\Users\Administrator.MCP\AppData\Local\d3d9caps64.dat
[2010/03/29 13:22:31 | 000,006,786 | RHS- | M] () -- C:\Users\Administrator.MCP\ntuser.pol
[2010/03/29 12:56:01 | 000,005,408 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/29 12:56:01 | 000,005,408 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/25 20:58:09 | 000,524,288 | -HS- | M] () -- C:\Users\Administrator.MCP\NTUSER.DAT{6a835f60-c5d8-11dc-a3d7-001a4b3349a0}.TMContainer00000000000000000001.regtrans-ms
[2010/03/25 20:58:09 | 000,065,536 | -HS- | M] () -- C:\Users\Administrator.MCP\NTUSER.DAT{6a835f60-c5d8-11dc-a3d7-001a4b3349a0}.TM.blf
[2010/03/25 15:00:27 | 002,473,525 | -H-- | M] () -- C:\Users\Administrator.MCP\AppData\Local\IconCache.db
[2010/03/25 13:36:06 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/25 13:36:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/25 13:35:45 | 2136,858,624 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/25 13:33:41 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2010/03/24 16:03:28 | 000,154,960 | ---- | M] (Microsoft Corporation) -- C:\Users\Administrator.MCP\Desktop\wpilauncher_n.exe
[2010/03/24 15:20:54 | 000,293,376 | ---- | M] () -- C:\Users\Administrator.MCP\Desktop\epssli1j.exe
[2010/03/24 15:20:52 | 034,298,488 | ---- | M] (Google) -- C:\Users\Administrator.MCP\Desktop\GoogleSketchUpWEN.exe
[2010/03/24 15:20:50 | 025,582,448 | ---- | M] (Microsoft Corporation) -- C:\Users\Administrator.MCP\Desktop\IE8-WindowsVista-x64-ENU.exe
[2010/03/24 09:10:49 | 000,525,824 | ---- | M] () -- C:\Users\Administrator.MCP\Desktop\dds.scr
[2010/03/23 11:57:17 | 000,001,821 | ---- | M] () -- C:\Users\Administrator.MCP\Desktop\HijackThis.lnk
[2010/03/22 09:29:50 | 000,000,133 | ---- | M] () -- C:\Windows\SysWow64\rddw32.ini
[2010/03/12 15:37:24 | 000,008,030 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/03/09 15:13:05 | 332,228,096 | ---- | M] () -- C:\ReporterPro
[2010/03/09 13:37:25 | 000,001,724 | -H-- | M] () -- C:\Users\Administrator.MCP\Documents\Default.rdp
[2010/03/02 17:38:02 | 000,001,263 | ---- | M] () -- C:\Users\Administrator.MCP\Desktop\.htaccess
[2010/03/02 16:26:13 | 000,000,255 | ---- | M] () -- C:\Windows\system.ini
[2010/03/02 16:25:13 | 000,374,184 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/03/02 14:39:12 | 000,000,000 | ---- | M] () -- C:\Users\Administrator.MCP\php
[2010/03/02 14:31:04 | 021,244,928 | ---- | M] () -- C:\Users\Administrator.MCP\Desktop\php-5.2.13-nts-win32-installer.msi
[2010/03/01 15:09:15 | 000,000,000 | ---- | M] () -- C:\Users\Administrator.MCP\appcmd
[2010/03/01 15:02:51 | 000,996,622 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/03/01 15:02:51 | 000,808,870 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/03/01 15:02:51 | 000,173,982 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/03/01 14:56:31 | 009,046,528 | ---- | M] () -- C:\Users\Administrator.MCP\Desktop\rewrite_1.1_amd64_en-US.msi
[2010/03/01 12:11:28 | 000,002,649 | ---- | M] () -- C:\Users\Public\Desktop\First Class 2000.lnk

========== Files Created - No Company Name ==========

[2010/03/24 09:19:28 | 000,525,824 | ---- | C] () -- C:\Users\Administrator.MCP\Desktop\dds.scr
[2010/03/23 11:59:38 | 000,293,376 | ---- | C] () -- C:\Users\Administrator.MCP\Desktop\epssli1j.exe
[2010/03/23 11:57:17 | 000,001,821 | ---- | C] () -- C:\Users\Administrator.MCP\Desktop\HijackThis.lnk
[2010/03/09 15:19:21 | 332,228,096 | ---- | C] () -- C:\ReporterPro
[2010/03/02 17:38:02 | 000,001,263 | ---- | C] () -- C:\Users\Administrator.MCP\Desktop\.htaccess
[2010/03/02 14:39:12 | 000,000,000 | ---- | C] () -- C:\Users\Administrator.MCP\php
[2010/03/02 14:31:04 | 021,244,928 | ---- | C] () -- C:\Users\Administrator.MCP\Desktop\php-5.2.13-nts-win32-installer.msi
[2010/03/01 15:09:15 | 000,000,000 | ---- | C] () -- C:\Users\Administrator.MCP\appcmd
[2010/03/01 14:56:21 | 009,046,528 | ---- | C] () -- C:\Users\Administrator.MCP\Desktop\rewrite_1.1_amd64_en-US.msi
[2010/01/27 16:27:24 | 000,000,133 | ---- | C] () -- C:\Windows\SysWow64\rddw32.ini
[2009/07/15 18:18:36 | 000,253,952 | ---- | C] () -- C:\Windows\SysWow64\pkginfo.dll
[2009/07/15 18:18:36 | 000,241,664 | ---- | C] () -- C:\Windows\SysWow64\RIPInfo.dll
[2009/07/15 18:16:59 | 000,000,109 | ---- | C] () -- C:\Windows\WiseHook.ini
[2009/07/15 18:03:23 | 000,000,103 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/06/05 16:12:25 | 000,684,032 | ---- | C] () -- C:\Windows\SysWow64\libeay32.dll
[2009/06/05 16:12:25 | 000,155,648 | ---- | C] () -- C:\Windows\SysWow64\ssleay32.dll
[2009/06/05 13:57:46 | 000,988,456 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/06/03 18:33:32 | 000,001,460 | ---- | C] () -- C:\Users\Administrator\AppData\Local\d3d9caps64.dat
[2009/06/03 17:04:00 | 000,008,030 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/04/12 03:12:38 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/04/12 03:12:00 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2008/01/20 00:52:45 | 000,001,311 | ---- | C] () -- C:\Windows\SysWow64\DfsMgmt.dll.config
[2008/01/05 22:23:28 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[1999/09/22 18:00:00 | 000,100,352 | ---- | C] () -- C:\Windows\SysWow64\pg32conv.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 368 bytes -> C:\Users\Administrator.MCP\AppData\Local\desktop.ini:722b2b1c349a06abf0e866180e5a7e63
< End of report >

Extras.txt
OTL Extras logfile created on: 3/29/2010 1:27:13 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Administrator.MCP\Desktop
64bit-Windows Vista Server Standard Edition (full installation) Service Pack 2 (Version = 6.0.6002) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 8.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.66 Gb Total Space | 43.49 Gb Free Space | 44.53% Space Free | Partition Type: NTFS
Drive D: | 488.28 Gb Total Space | 287.43 Gb Free Space | 58.86% Space Free | Partition Type: NTFS
Drive E: | 345.52 Gb Total Space | 246.36 Gb Free Space | 71.30% Space Free | Partition Type: NTFS
Drive F: | 502.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive T: | 931.51 Gb Total Space | 85.57 Gb Free Space | 9.19% Space Free | Partition Type: NTFS
Drive X: | 136.72 Gb Total Space | 62.92 Gb Free Space | 46.02% Space Free | Partition Type: NTFS
Drive Y: | 50.37 Gb Total Space | 5.45 Gb Free Space | 10.82% Space Free | Partition Type: NTFS

Computer Name: CURRICULUM01
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"UacDisableNotify" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01D69138-CD5A-479C-8D9D-374829BBED52}" = rport=5357 | protocol=6 | dir=out | app=system |
"{0463C8EA-40DA-4F04-9BBA-2D5499E40565}" = rport=5358 | protocol=6 | dir=out | app=system |
"{04790DB0-A68C-45C6-B547-558087B702ED}" = lport=137 | protocol=17 | dir=in | app=system |
"{04949AB5-EB7C-4F34-95C3-7F983AD9889B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{09173E24-8D59-461F-A359-396A6782C681}" = rport=137 | protocol=17 | dir=out | app=system |
"{0F6F643F-F496-44B0-AC5F-BC2A7F8E3077}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{106C5C1E-DB1A-4E21-AFA3-B3E7B76C4BBF}" = lport=5358 | protocol=6 | dir=in | app=system |
"{148D1DD0-809D-440A-9607-25042E17D551}" = lport=5357 | protocol=6 | dir=in | app=system |
"{1B901E2A-5760-499A-91E1-75530131031C}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
"{2AD9162F-EA45-4CE7-A8DB-4ADC460BAF04}" = lport=137 | protocol=17 | dir=in | app=system |
"{35C41A0C-BE2E-4F4B-B128-F27F6B7C86FD}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{390EFD14-AEC3-4447-9B9B-8255BA3DC573}" = rport=137 | protocol=17 | dir=out | app=system |
"{482D1DD1-8D52-48D6-9D55-C1F7CA376168}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{562DA220-44F1-4447-8F41-F18614A5E1FF}" = rport=5357 | protocol=6 | dir=out | app=system |
"{605FB37E-6913-43E1-BB79-081C3AB6EC2B}" = lport=138 | protocol=17 | dir=in | app=system |
"{60E5E373-229F-4B5C-B167-643D0F54F204}" = rport=138 | protocol=17 | dir=out | app=system |
"{6330139C-E1C2-4765-AD39-E0930CA00935}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{63682DF6-C2B9-4EB4-B518-A64B6A7A9DC9}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{659A2FFF-CAC1-49F7-A96A-3FDD8D862FB4}" = lport=5358 | protocol=6 | dir=in | app=system |
"{67FFB5DE-4726-40DB-A249-4D2958CD7469}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6A788720-F5E9-4ED7-9E26-00C57A42407A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{6F0170F4-9D90-41F8-8E3A-46DC192A5DEB}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{83C75252-6049-4A22-8182-90F7F31C2217}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{84174472-EFD7-4CC3-9E9C-398D2EAC983F}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{8683AD99-4FB5-4708-837E-3345268BD216}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{8950961A-EBE5-47E2-B45D-5B733EEE70A8}" = lport=5357 | protocol=6 | dir=in | app=system |
"{913657AC-92D5-4404-80EB-E44D30A58137}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{9C58D355-F1BD-46C8-B353-EB7F0CB3F8E9}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A25815E6-797A-4A23-A28F-2DBA7196A763}" = lport=3389 | protocol=6 | dir=in | app=system |
"{ACACAE6C-C37F-4D50-83D8-B320F7AD21CE}" = lport=2869 | protocol=6 | dir=in | app=system |
"{AED524F8-898C-454F-AB6E-D831E9953D55}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{B1219B92-60B7-43DB-8BBF-63DF7FD4BC82}" = rport=138 | protocol=17 | dir=out | app=system |
"{C55E7167-E0A1-4F62-AE86-382D8E0D6100}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{CFF9F72E-2768-4FEE-966F-6D73902962B6}" = lport=138 | protocol=17 | dir=in | app=system |
"{E854AB6C-1E45-4F8C-A78B-6ACB39695B91}" = rport=5358 | protocol=6 | dir=out | app=system |
"{FD0CAEFC-CF31-42F7-903D-6EE4F598317F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1324DC85-D8A4-4B21-B7CE-C58DAFBC6950}" = protocol=17 | dir=in | app=c:\rasplus\rasplus_runner.exe |
"{2076E4A0-445B-4180-870A-D696487F990A}" = protocol=6 | dir=out | app=system |
"{2AFF5483-7B3F-4462-9C1B-460CE3D61C7A}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{330B90DF-07B9-4A32-A309-A32C91AB1A3C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{3D807254-545D-4E8D-9634-DF0855BD78E9}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{3F8FC03F-0228-4040-9D22-966B457852CD}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
"{4045B0D4-64EA-465D-AF9C-01C7497D9835}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{54106A2B-7244-4A72-81FE-77790840BCDE}" = protocol=6 | dir=in | app=c:\rasplus\rasplus_runner.exe |
"{54D38A0B-90A4-4F23-992F-A68E532E2F32}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{5B2FA2D9-61F4-42DF-9293-ADC5C1232A32}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{AF96F1BD-9E7F-4520-AB8A-08E37B669C96}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{BB6264E7-8A21-41D5-BEE2-B167EFA513EC}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{E596E86F-21F6-454B-8B11-0E6A404BB773}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
"{F89301F5-8CA6-4B42-A17C-CCB3C9504D3F}" = protocol=6 | dir=out | app=system |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08A2E0FA-6BFC-4BFC-B8EA-8FBBB7DB1EA6}" = Microsoft URL Rewrite Module 1.1 for IIS 7
"{1B918A92-A0BC-4B34-B2EF-AD427332732D}" = Microsoft SQL Server Management Studio Express
"{1DC3CEB2-FC77-412E-929D-CC385EF6D7C9}" = HP Smart Array SAS/SATA Event Notification Service
"{664B714C-5593-4DB4-9669-B53F30C3F3CD}" = HP ProLiant Integrated Management Log Viewer
"{74D49383-7EF9-4FD3-B5B0-73CA22F51CE8}" = HP ProLiant Remote Monitor Service
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{86177DAE-38B1-49DD-912E-35CB703AB779}" = Microsoft SQL Server VSS Writer
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{B11BFE77-E658-48A4-921E-CC3D89BB6BCA}" = HP Lights-Out Online Configuration Utility
"{B67C01B3-8502-4BE7-AEAB-BBDE910AD3EE}" = Microsoft Web Platform Installer 2.0
"{C6E9540C-4B66-4367-A8CF-570DCFD9F030}" = Administration Pack for IIS 7.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DCEA910B-3269-4F5B-A915-D59293004751}" = HP Insight Diagnostics Online Edition for Windows
"ATI Display Driver" = ATI Display Driver
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{082BDF7B-4810-4599-BF0D-E3AC44EC8524}" = Microsoft ASP.NET 2.0 AJAX Extensions 1.0
"{129B3438-F497-4FA6-A539-97B54CC49AF0}" = HP Array Configuration Utility CLI
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{190B7C41-51D6-4E1B-9962-C8CECEAFA1F9}" = RASplus
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{34D6E797-AA32-455D-8E65-4EBD1AC9DED7}" = HP ProLiant PCI-express Power Management Update for Windows
"{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}" = HP System Management Homepage
"{3DC704FB-E051-4B2E-BA41-ADE9576C1915}" = HP Array Configuration Utility
"{4E5563B6-DE0A-4F3B-A5D6-15789FD12D9B}" = Headless Server Registry Update
"{4E8AEE50-679A-4B0B-824E-9FC01E649D9F}" = Outcomes
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56A86B53-14C2-48E7-9872-1AFEA11F0B85}" = Altiris Deployment Solution - Wise Packager
"{5A5F45AE-0250-4C34-9D89-F10BDDEE665F}" = HP Version Control Agent
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{757A7F5D-F9A1-4DC5-8738-C0A31C658BC8}" = McAfee Agent
"{7E1F99EA-00FE-4489-B3AB-B1F9F18E7744}" = First Class
"{7E4F132D-C3D8-4E07-A549-71F3E739FD7E}" = HP Array Diagnostic Utility
"{7F831576-6246-42C7-B523-55B3F96509CC}" = LogMeIn
"{86F4F32B-77C7-4951-B33C-05D41A8190C1}" = Microsoft RichCopy 4.0
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{A73D6EC1-6FE9-4AA0-9AF5-6FB162E14431}" = PHP 5.2.13
"{A8EA8A55-FDBE-4875-B598-DDC15B298270}" = Symantec Backup Exec System Recovery
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{EB544BEC-924A-4828-81AA-BE31F0C59593}" = First Class Web
"{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}" = HP Install Network Printer Wizard
"Altiris Deployment Web Console" = Altiris Deployment Web Console
"Altiris eXpress Deployment Console" = Altiris eXpress Deployment Console
"Altiris eXpress Deployment DataStore" = Altiris eXpress Deployment DataStore
"Altiris eXpress Deployment Server" = Altiris eXpress Deployment Server
"Altiris PXE Manager" = Altiris PXE Manager
"Altiris PXE Server" = Altiris PXE Server
"DVDInfoPro" = DVDInfoPro
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Student_Management_System_(SMS)_3.0" = FC Attendance && Welfare 3.5.109
"WebHelpDesk" = Web Help Desk

========== Last 10 Event Log Errors ==========

[ AltirisDataManager Events ]
Error - 1/11/2010 9:24:33 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 1/11/2010 9:24:49 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 1/11/2010 9:24:49 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 1/11/2010 9:29:40 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 1/11/2010 9:29:40 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 1/11/2010 9:29:40 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 1/11/2010 9:29:40 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 10061: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was not
found or was not accessible. Verify that the instance name is correct and that
SQL Server is configured to allow remote connections. (provider: TCP Provider, error:
0 - No connection could be made because the target machine actively refused it.)

Error - 3/2/2010 1:26:50 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 2: A network-related or instance-specific error
occurred while establishing a connection to SQL Server. The server was not found
or was not accessible. Verify that the instance name is correct and that SQL Server
is configured to allow remote connections. (provider: Named Pipes Provider, error:
40 - Could not open a connection to SQL Server)

Error - 3/2/2010 1:26:51 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 2: A network-related or instance-specific error
occurred while establishing a connection to SQL Server. The server was not found
or was not accessible. Verify that the instance name is correct and that SQL Server
is configured to allow remote connections. (provider: Named Pipes Provider, error:
40 - Could not open a connection to SQL Server)

Error - 3/2/2010 1:26:51 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = AltirisDataManager | ID = 0
Description = eXpressDatabase Error 2: A network-related or instance-specific error
occurred while establishing a connection to SQL Server. The server was not found
or was not accessible. Verify that the instance name is correct and that SQL Server
is configured to allow remote connections. (provider: Named Pipes Provider, error:
40 - Could not open a connection to SQL Server)

[ Application Events ]
Error - 3/26/2010 3:01:08 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = VSS | ID = 8193
Description =

Error - 3/26/2010 3:01:08 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = VSS | ID = 12291
Description =

Error - 3/28/2010 6:01:34 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = VSS | ID = 8193
Description =

Error - 3/28/2010 6:01:34 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = VSS | ID = 12291
Description =

Error - 3/28/2010 6:20:23 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Desktop" to "\\curriculum01\studentprofiles\Desktop".

Redirection options=1211. The following error occurred: "Can not create folder
"\\curriculum01\studentprofiles\Desktop"". Error details: "This security ID may
not be assigned as the owner of this object. ".

Error - 3/28/2010 6:20:23 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Favorites" to "\\curriculum01\studenthome\acortesano\Favorites".

Redirection options=1211. The following error occurred: "Can not create folder
"\\curriculum01\studenthome\acortesano\Favorites"". Error details: "Access is denied.
".

Error - 3/28/2010 8:32:59 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Desktop" to "\\curriculum01\studentprofiles\Desktop".

Redirection options=1211. The following error occurred: "Can not create folder
"\\curriculum01\studentprofiles\Desktop"". Error details: "This security ID may
not be assigned as the owner of this object. ".

Error - 3/28/2010 8:32:59 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Favorites" to "\\curriculum01\studenthome\acobeta\Favorites".

Redirection options=1211. The following error occurred: "Can not create folder
"\\curriculum01\studenthome\acobeta\Favorites"". Error details: "Access is denied.
".

Error - 3/28/2010 9:02:55 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = VSS | ID = 8193
Description =

Error - 3/28/2010 9:02:55 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = VSS | ID = 12291
Description =

[ DFS Replication Events ]
Error - 6/3/2009 2:34:12 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 6012
Description = The DFS Replication service detected an incompatible Active Directory
Domain Services schema version while trying to read configuration objects from server
????????????u??0????????????u?. The service disconnected from this server and will
try again in the next polling cycle. Additional Information: Expected Version: ??0????????????u?

Incompatible
Server Version: ???????????????0 Domain Controller: ????????????u? Polling Cycle:
? minutes

Error - 6/3/2009 2:34:12 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 1202
Description = The DFS Replication service failed to contact domain controller ?0???????????.
to access configuration information. Replication is stopped. The service will try
again during the next configuration polling cycle, which will occur in ???8???4?4???
minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory
Domain
Services, or DNS issues. Additional Information: Error: ???????????. (???4?4???)

Error - 6/3/2009 2:39:05 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 6012
Description = The DFS Replication service detected an incompatible Active Directory
Domain Services schema version while trying to read configuration objects from server
????????????u??0????????????u?. The service disconnected from this server and will
try again in the next polling cycle. Additional Information: Expected Version: ??0????????????u?

Incompatible
Server Version: ???????????????0 Domain Controller: ????????????u? Polling Cycle:
? minutes

Error - 6/3/2009 2:39:05 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 1202
Description = The DFS Replication service failed to contact domain controller ?0???????????.
to access configuration information. Replication is stopped. The service will try
again during the next configuration polling cycle, which will occur in ???8???4?4???
minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory
Domain
Services, or DNS issues. Additional Information: Error: ???????????. (???4?4???)

Error - 6/3/2009 2:44:05 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 6012
Description = The DFS Replication service detected an incompatible Active Directory
Domain Services schema version while trying to read configuration objects from server
????????????u??0????????????u?. The service disconnected from this server and will
try again in the next polling cycle. Additional Information: Expected Version: ??0????????????u?

Incompatible
Server Version: ???????????????0 Domain Controller: ????????????u? Polling Cycle:
? minutes

Error - 6/3/2009 2:59:07 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 6012
Description = The DFS Replication service detected an incompatible Active Directory
Domain Services schema version while trying to read configuration objects from server
????????????u??0????????????u?. The service disconnected from this server and will
try again in the next polling cycle. Additional Information: Expected Version: ??0????????????u?

Incompatible
Server Version: ???????????????0 Domain Controller: ????????????u? Polling Cycle:
? minutes

Error - 7/21/2009 1:20:15 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DFSR | ID = 1202
Description = The DFS Replication service failed to contact domain controller ?0?0??????????????4????
to access configuration information. Replication is stopped. The service will try
again during the next configuration polling cycle, which will occur in ??????????????????????.?
minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory
Domain
Services, or DNS issues. Additional Information: Error: ?0??????????????4???? (??????????????4????)

[ Directory Service Events ]
Error - 8/29/2009 2:37:20 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 2087
Description =

Error - 8/30/2009 2:47:04 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 2087
Description =

Error - 8/30/2009 9:45:44 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 1863
Description = This is the replication status for the following directory partition
on this directory server. Directory partition: DC=mcp,DC=nsw,DC=edu,DC=au This directory
server has not received replication information from a number of directory servers
within the configured latency interval. Latency Interval (Hours): 24 Number of directory
servers in all sites: 1 Number of directory servers in this site: 1 The latency interval
can be modified with the following registry key. Registry Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the directory servers by name, use the
dcdiag.exe tool. You can also use the support tool repadmin.exe to display the replication
latencies of the directory servers. The command is "repadmin /showvector /latency
<partition-dn>".

Error - 8/30/2009 9:45:44 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 1863
Description = This is the replication status for the following directory partition
on this directory server. Directory partition: CN=Configuration,DC=mcp,DC=nsw,DC=edu,DC=au
This directory server has not received replication information from a number of directory
servers within the configured latency interval. Latency Interval (Hours): 24 Number
of directory servers in all sites: 1 Number of directory servers in this site: 1 The
latency interval can be modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error
interval (hours) To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies
of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".

Error - 8/30/2009 9:45:44 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 1863
Description = This is the replication status for the following directory partition
on this directory server. Directory partition: CN=Schema,CN=Configuration,DC=mcp,DC=nsw,DC=edu,DC=au
This directory server has not received replication information from a number of directory
servers within the configured latency interval. Latency Interval (Hours): 24 Number
of directory servers in all sites: 1 Number of directory servers in this site: 1 The
latency interval can be modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error
interval (hours) To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies
of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".

Error - 8/30/2009 9:45:44 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 1863
Description = This is the replication status for the following directory partition
on this directory server. Directory partition: DC=DomainDnsZones,DC=mcp,DC=nsw,DC=edu,DC=au
This directory server has not received replication information from a number of directory
servers within the configured latency interval. Latency Interval (Hours): 24 Number
of directory servers in all sites: 1 Number of directory servers in this site: 1 The
latency interval can be modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error
interval (hours) To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies
of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".

Error - 8/30/2009 9:45:44 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 1863
Description = This is the replication status for the following directory partition
on this directory server. Directory partition: DC=ForestDnsZones,DC=mcp,DC=nsw,DC=edu,DC=au
This directory server has not received replication information from a number of directory
servers within the configured latency interval. Latency Interval (Hours): 24 Number
of directory servers in all sites: 1 Number of directory servers in this site: 1 The
latency interval can be modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error
interval (hours) To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies
of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".

Error - 8/30/2009 2:47:02 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 2087
Description =

Error - 9/18/2009 1:59:46 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 2087
Description =

Error - 11/17/2009 7:25:53 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = NTDS Replication | ID = 2087
Description =

[ DNS Server Events ]
Error - 8/30/2009 8:15:33 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 8/30/2009 8:25:02 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 8/30/2009 8:25:11 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 10/29/2009 7:19:35 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 10/29/2009 7:19:56 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 10/29/2009 7:42:48 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 10/29/2009 7:46:44 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 12/1/2009 6:05:15 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

Error - 12/1/2009 6:05:41 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should
be ignored. If this DNS server's Active Directory replication partners do not
have the correct IP address(es) for this server, they will be unable to replicate
with it. To ensure proper replication: 1) Find this server's Active Directory
replication partners that run the DNS server. 2) Open DnsManager and connect in
turn to each of the replication partners. 3) On each server, check the host (A record)
registration for THIS server. 4) Delete any A records that do NOT correspond to
IP addresses of this server. 5) If there are no A records for this server, add
at least one A record corresponding to an address on this server, that the replication
partner can contact. (In other words, if there multiple IP addresses for this
DNS server, add at least one that is on the same network as the Active Directory
DNS server you are updating.) 6) Note, that is not necessary to update EVERY replication
partner. It is only necessary that the records are fixed up on enough replication
partners so that every server that replicates with this server will receive (through
replication) the new data.

[ OSession Events ]
Error - 10/18/2009 9:17:24 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 431
seconds with 420 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/24/2010 12:26:17 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =

Error - 3/24/2010 12:34:00 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =

Error - 3/24/2010 12:34:02 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =

Error - 3/24/2010 12:34:25 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =

Error - 3/24/2010 12:34:27 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =

Error - 3/24/2010 10:37:34 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7009
Description =

Error - 3/24/2010 10:37:34 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7000
Description =

Error - 3/24/2010 10:37:51 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Print | ID = 64
Description = The attempt to install printer Fax into an offline operating system
image failed with Win32 error code 1796 (0x704). This can occur if the printer
driver requires user input or displays a user interface (UI) during installation.

Error - 3/24/2010 10:56:13 PM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =

Error - 3/25/2010 5:58:09 AM | Computer Name = Curriculum01.mcp.nsw.edu.au | Source = Service Control Manager | ID = 7034
Description =


< End of report >

GMER

When I run GMER it says the system cannot find the path specified (C:\Users\Administrator.MCP\WINDOWS\system32\config\system:)

Edited by elise025, 29 March 2010 - 05:52 AM.
Removed code tags to make reading easier ~ Elise


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:33 PM

Posted 29 March 2010 - 03:49 AM

Hello, I take it this is a business computer?

If so, I strongly recommend you to ask your IT support/network Administrator to fix this. After all they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Linkusmax

Linkusmax
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 29 March 2010 - 05:46 AM

QUOTE
Hello, I take it this is a business computer?

If so, I strongly recommend you to ask your IT support/network Administrator to fix this. After all they are paid to do so.

Actually that's me, because I work at a small school and so their budget for an IT Sys Admin means they could only afford someone very junior in the field who could learn on the job (basically I had been managing an internal help desk when I took this job, so while I know Active Directory well enough to have rebuilt the entire structure, most other things have been learnt as they come up). Most malware isn't an issue for me as we are constantly exposed to the more minor stuff (most of which is sorted by disabling autorun). Unfortunately circumstances mean a couple of other people have access to this server and I doubt they are quite as stringent about security as I would like. Either that or it could have leaped over the network to the server.

Basically if I have to I will go back far enough in our backups to restore the server without the virus but I would like that to be the last resort (we back up monthly then every 3 hours differential during the work week).

In this case we do not store confidential information on this server. Most is either off site or in a secured SQL server no one but me has access to normally.

Edited by Linkusmax, 29 March 2010 - 05:51 AM.


#6 Elise


Posted 29 March 2010 - 05:50 AM

Okay, well let's see where we can get started. Please post me the log of MBAM so I can see what was detected/deleted.

You can find all logs on the Log tab in MBAM.

regards, Elise




#7 Linkusmax


Posted 29 March 2010 - 05:57 AM

Here we are, thanks for your help by the way.

CODE
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18702

3/23/2010 11:56:52 AM
mbam-log-2010-03-23 (11-56-39).txt

Scan type: Quick Scan
Objects scanned: 2138376
Time elapsed: 52 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Linkusmax, 29 March 2010 - 05:57 AM.
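The five "Registry Data Items" above are all DWORDs that are 0 (or absent) on a healthy box and 1 when something has switched off Task Manager, regedit or the Security Center notifications. The following is an added example, not code from the thread or from MBAM: it re-reads those five values from an elevated PowerShell on the server and, with -Repair, sets them back to 0. HKCU: is the profile you are logged on with, so repeat it for any other account that loses Task Manager or regedit.

```powershell
# Added example, not part of the thread. Re-checks the five values MBAM reported as
# "Bad: (1) Good: (0)" and optionally resets them. Run from an elevated PowerShell.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'AntiVirusDisableNotify' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'FirewallDisableNotify'  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'UpdatesDisableNotify'   },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'   },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'         }
)

function Test-HijackedValues {
    param([switch]$Repair)   # without -Repair the function only reports
    $results = @()
    foreach ($c in $checks) {
        $current = $null
        $key = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
        if ($key) { $current = $key.GetValue($c.Name) }   # $null when the value does not exist
        # Absent or 0 is the default (tools enabled, notifications on); 1 is the hijacked state.
        $bad = ($null -ne $current) -and ($current -ne 0)
        if ($bad -and $Repair) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
        }
        if (-not $bad) { $status = 'OK' } elseif ($Repair) { $status = 'RESET' } else { $status = 'BAD' }
        $results += New-Object PSObject -Property @{
            Value   = "$($c.Path)\$($c.Name)"
            Current = $current
            Status  = $status
        }
    }
    return $results
}

# Report, repair, reboot, then report again.
Test-HijackedValues         | Format-Table Status, Value, Current -AutoSize
Test-HijackedValues -Repair | Format-Table Status, Value, Current -AutoSize
```

If the values are back at 1 after the reboot, something on the box is re-applying them. On a domain server rule out Group Policy first (gpresult /r shows which GPOs apply); if no policy sets them, a running process is doing it, and these values are a symptom to note rather than the thing to fix.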


#8 Elise


Posted 29 March 2010 - 06:00 AM

Hello again,

Unfortunately this looks like signs of a possible file infector.

To confirm this, try the following: As a side note, there's a reasonable chance this infection will block that particular scan.

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards, Elise




#9 Linkusmax


Posted 29 March 2010 - 06:06 AM

Accept is greyed out, I take it this is the blocking you mentioned?

Actually it also popped up saying I needed to update Java to java framework 1.6

Edited by Linkusmax, 29 March 2010 - 06:08 AM.


#10 Elise


Posted 29 March 2010 - 06:12 AM

Okay, let's try this with another scanner.

DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click No to All.
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

regards, Elise




#11 Linkusmax


Posted 29 March 2010 - 06:29 AM

I'm currently connected to it via VPN so can't do it via safe mode. I will run this in the morning if that is required.

Kaspersky appears like it may work now, waiting for it to finish updating the database.

Edited by Linkusmax, 29 March 2010 - 06:35 AM.


#12 Elise


Posted 29 March 2010 - 06:49 AM

Oh, okay, in that case proceed with kaspersky.

In case it won't work, you can run Dr. Web also in normal mode. Just take a note it may take a LONG time to scan.

regards, Elise




#13 Linkusmax


Posted 30 March 2010 - 06:33 PM

Kaspersky scan results. As you can see, it is a constant battle to keep the virus situation under wraps for me. Someone has already managed to reinfect the network share with Sality. I'll run another McAfee scan on top of this.

CODE
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, March 31, 2010
Operating system: Microsoft Windows Server 2008 Standard Edition, 64-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, March 30, 2010 03:34:27
Records in database: 3898752
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    E:\
    T:

Scan statistics:
    Objects scanned: 866392
    Threats found: 14
    Infected objects found: 41
    Suspicious objects found: 0
    Scan duration: 15:23:18


File name / Threat / Threats count
C:\$Recycle.Bin\S-1-5-21-527237240-1682526488-1957994488-4778\$R1F8M84.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.n    3
C:\Users\Administrator.MCP\Desktop\SysAidServerFree.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.n    3
D:\ICT\ICT Staff SHare\ADModify_2.1\ADModcmd.exe    Infected: Virus.Win32.Sality.aa    1
D:\ICT\ICT Staff SHare\TCPNV.EXE    Infected: Virus.Win32.Sality.aa    1
D:\ICT\ICT Staff SHare\TerminalServices\Shells\RunIt32.exe    Infected: not-a-virus:Monitor.Win32.ProcessLogger.f    1
D:\ICT\ICT Staff SHare\TerminalServices\Shells\RunIt32.exe    Infected: not-a-virus:Monitor.Win32.ProcessLogger.b    1
D:\Staff\HomeDrives\ihy\My Documents\staff package\cute writer(recommended by gro)\CuteComp.exe    Infected: not-a-virus:WebToolbar.Win32.WhenU.a    1
D:\Staff\HomeDrives\mpa\2007\BACK UP\ADMINISTRATIVE\TEMPORARY 2006\MISCELLANEOUS\maps.exe    Infected: not-a-virus:AdWare.Win32.Comet.ay    1
D:\Staff\HomeDrives\mpa\ADMINISTRATIVE\TEMPORARY 2006\MISCELLANEOUS\maps.exe    Infected: not-a-virus:AdWare.Win32.Comet.ay    1
D:\Staff\HomeDrives\pca\autorun.inf    Infected: Trojan.Win32.AutoRun.sc    1
D:\Staff\HomeDrives\pca\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe    Infected: Backdoor.Win32.Bredolab.clr    1
D:\Staff\HomeDrives\pke\My Documents\staff package\cute writer(recommended by gro)\CuteComp.exe    Infected: not-a-virus:WebToolbar.Win32.WhenU.a    1
D:\Staff\Office\autorun.inf    Infected: Trojan.Win32.AutoRun.sc    1
D:\Staff\Office\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe    Infected: Backdoor.Win32.Bredolab.clr    1
D:\Staff\SMReport\autorun.inf    Infected: Trojan.Win32.AutoRun.sc    1
D:\Staff\SMReport\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe    Infected: Backdoor.Win32.Bredolab.clr    1
D:\Staff\Staff Share\autorun.inf    Infected: Trojan.Win32.AutoRun.sc    1
D:\Staff\Staff Share\Pluto\Photos_Videos\GRO\downloaded utilities\cute writer\CuteComp.exe    Infected: not-a-virus:WebToolbar.Win32.WhenU.a    1
D:\Staff\Staff Share\Pluto\Photos_Videos\GRO\downloaded utilities\server admin\SysAdmin2Setup\SysAdmin2Setup.msi    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.ba    2
D:\Staff\Staff Share\Pluto\Photos_Videos\GRO\downloaded utilities\server admin\SysAdmin2Setup\SysAdmin2Setup.msi    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370    1
D:\Staff\Staff Share\Pluto\Photos_Videos\GRO\downloaded utilities\server admin\SysAdmin2Setup.zip    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.ba    2
D:\Staff\Staff Share\Pluto\Photos_Videos\GRO\downloaded utilities\server admin\SysAdmin2Setup.zip    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370    1
D:\Staff\Staff Share\Pluto\Photos_Videos\GRO\staff package\cute writer(recommended by gro)\CuteComp.exe    Infected: not-a-virus:WebToolbar.Win32.WhenU.a    1
D:\Staff\Staff Share\Pluto\Photos_Videos\staff package\cute writer(recommended by gro)\CuteComp.exe    Infected: not-a-virus:WebToolbar.Win32.WhenU.a    1
D:\Staff\Staff Share\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe    Infected: Backdoor.Win32.Bredolab.clr    1
D:\Staff\Staff Share\staff package\cute writer(recommended by gro)\CuteComp.exe    Infected: not-a-virus:WebToolbar.Win32.WhenU.a    1
D:\Students\Home Directories\cbajamundi\My Documents\RECYCLER\S-1-5-21-527237240-1682526488-1957994488-1654\D@14.bat    Infected: Trojan.Win32.KillWin.dr    1
D:\Students\Home Directories\cbajamundi\My Documents\RECYCLER\S-1-5-21-527237240-1682526488-1957994488-1654\D@5.txt    Infected: Trojan.Win32.KillWin.dr    1
D:\Students\Home Directories\dmunoz\daniel\messedup.zip    Infected: Hoax.Win32.BadJoke.MovingMouse.bz    1
D:\Students\Home Directories\mbalzan\My Documents\RECYCLER\S-1-5-21-527237240-1682526488-1957994488-4649\D@41.wma    Infected: Trojan-Downloader.WMA.Wimad.y    1
D:\Students\Home Directories\mwoolaston\My Documents\RECYCLER\S-1-5-21-527237240-1682526488-1957994488-1674\D@1.zip    Infected: Trojan.Win32.Agent.ms    1
D:\Students\Student Share\autorun.inf    Infected: Trojan.Win32.AutoRun.sc    1
D:\Students\Student Share\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe    Infected: Backdoor.Win32.Bredolab.clr    1
T:\86a809f535c3804980ad0e159672a7\setup\program files\microsoft sql server\90\shared\sqlwtsn.exe    Infected: Virus.Win32.Sality.aa    1
T:\dluodw.pif    Infected: Virus.Win32.Sality.aa    1

Selected area has been scanned.


#14 Elise


Posted 31 March 2010 - 12:24 AM

Yes, Sality was exactly what I was afraid of. Unfortunately this leaves you with very few options.

Please see ThreatExpert's awareness of Win32.Sality.

Sality Family is a family of polymorphic file infectors which infects .exe and .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

QUOTE
As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.
About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

regards, Elise


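The Kaspersky report in post #13 and the quoted Sality description above point at the same propagation pattern: an autorun.inf at a share or drive root whose open= / shellexecute= line launches a dropper parked under RECYCLER\<SID>\ (server.exe in this report), plus loose .pif/.cmd files at the root itself (T:\dluodw.pif). The following is an added example, not code from the thread, from Kaspersky or from any of the tools mentioned: it walks the roots of the server's disk shares and lists those indicators so they can be cross-checked against the scanner output before anything is deleted. It assumes the shares to check are the ones the server itself exports (read from Win32_Share); pass explicit paths to Find-ShareDroppers if you prefer.

```powershell
# Added example, not part of the thread. Reports only; it deletes nothing.
function Get-AutorunTargets {
    param([string]$InfPath)
    # autorun.inf is INI-style; everything that launches on access lives under [autorun]:
    # open=, shellexecute= and shell\<verb>\command= (the verbs also appear in the context menu).
    $targets = @()
    $inAutorun = $false
    foreach ($line in (Get-Content -Path $InfPath -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -match '^\[([^\]]+)\]$') { $inAutorun = ($Matches[1] -eq 'autorun'); continue }
        if (-not $inAutorun -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$') {
            $targets += $Matches[2].Trim()
        }
    }
    return $targets
}

function Find-ShareDroppers {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        # 1. autorun.inf at the root: report what it would launch.
        $inf = Join-Path -Path $root -ChildPath 'autorun.inf'
        if (Test-Path -Path $inf) {
            $launch = @(Get-AutorunTargets -InfPath $inf)
            New-Object PSObject -Property @{ Share = $root; Indicator = 'autorun.inf'; Detail = ($launch -join '; ') }
        }

        # 2. Runnable files under RECYCLER\<SID>\. A genuine recycle bin on a share root does not
        #    hold a loose server.exe, so anything executable in there is suspect.
        $recycler = Join-Path -Path $root -ChildPath 'RECYCLER'
        if (Test-Path -Path $recycler) {
            Get-ChildItem -Path $recycler -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|pif|cmd|scr|bat)$' } |
                ForEach-Object { New-Object PSObject -Property @{ Share = $root; Indicator = 'RECYCLER payload'; Detail = $_.FullName } }
        }

        # 3. Loose .pif/.cmd droppers at the root itself, as in the quoted Sality description.
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(pif|cmd)$' } |
            ForEach-Object { New-Object PSObject -Property @{ Share = $root; Indicator = 'loose root dropper'; Detail = $_.FullName } }
    }
}

# Assumption: check every non-administrative disk share on this server (Win32_Share Type 0
# excludes the hidden C$/ADMIN$ style shares).
$shareRoots = Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object { $_.Path }
Find-ShareDroppers -Roots $shareRoots | Format-Table Share, Indicator, Detail -AutoSize
```

Get-AutorunTargets handles the plain INI form; some autorun.inf variants pad the file with junk to confuse parsers, so treat a root autorun.inf that yields no target as just as suspicious as one that does. Because a file infector rewrites executables wherever it finds them, the listing is for scoping and evidence: it tells you which shares and which clients to look at, not that a share is clean.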


#15 Elise


Posted 08 April 2010 - 12:56 PM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






