

Windows 2000 server


This topic is locked
21 replies to this topic

#1 ssix


Posted 23 April 2010 - 02:27 PM

Hi, wondering if you could review my HijackThis log file. This old server is being used for hosting our website and accounting system. The websites were hijacked and now each day we need to restart the server to get them going again. Not sure what kind of malware has been left behind. We are moving the website hosting off and want to see how bad things might be.
Thanks in advance

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:10:45 PM, on 23/04/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\llssrv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
c:\program files\notify\telus\fulfillment\telusfulfillment.exe
D:\Tomcat 6.0\bin\tomcat6.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINNT\system32\WDBtnMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Tomcat 6.0\bin\tomcat6w.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\mmc.exe
D:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
c:\winnt\microsoft.net\framework\v2.0.50727\aspnet_wp.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=slant6isa:8080;gopher=slant6isa:8080;http=slant6isa:8080;https=slant6isa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinVNC] "d:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "D:\Tomcat 6.0\bin\tomcat6w.exe" //MS//Tomcat6
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\S-1-5-21-1547161642-515967899-839522115-1004\..\Run: [internat.exe] internat.exe (User 'ASPNET')
O4 - HKUS\S-1-5-21-1547161642-515967899-839522115-1004\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1264550574093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1264550559874
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slant-six.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{13B8B7EB-FD9B-4B7D-8006-8055A6C81EAD}: Domain = slant-six.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{13B8B7EB-FD9B-4B7D-8006-8055A6C81EAD}: NameServer = 192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = slant-six.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{13B8B7EB-FD9B-4B7D-8006-8055A6C81EAD}: Domain = slant-six.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{13B8B7EB-FD9B-4B7D-8006-8055A6C81EAD}: NameServer = 192.168.1.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = slant-six.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{13B8B7EB-FD9B-4B7D-8006-8055A6C81EAD}: Domain = slant-six.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{13B8B7EB-FD9B-4B7D-8006-8055A6C81EAD}: NameServer = 192.168.1.10
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Windows Media Management Service (msmanage) - Unknown owner - c:\winnt\system32\mstasks.exe (file missing)
O23 - Service: TELUSFulfillment - - c:\program files\notify\telus\fulfillment\telusfulfillment.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - D:\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - d:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 8597 bytes


Edited by Budapest, 23 April 2010 - 04:50 PM.
Moved from Windows NT/2000/2003/2008 ~BP




#2 m0le


Posted 28 April 2010 - 08:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 ssix


Posted 30 April 2010 - 03:50 PM

Hi, thanks for your reply.

Update since my last post:

We closed off the open ports and reconfigured the firewall.
It appears that we were hacked through port 80 and then access was gained to our SQL Server (2000) through the sa logon, and then the workstations were accessed.
Ran SUPERAntiSpyware in safe mode on all machines, then the ESET online scan. Between the 2 programs, cleaned 7 different trojans off the various machines.
Current behaviour issues are:
Domain Controller
- time advances on reboot or randomly (and is propagated through to the workstations)
- Disabled services will revert to automatic and start on reboot.
- a port # change for remote desktop reverts back to the original.

I followed your instructions:
- DDS.txt, ok
- Attach.zip, ok
- Defogger, don't think it completed, attached defogger_disable log
- Gmer, closed at the same point in both normal and safe mode. Added the gmer log from the initial opening of the program. As well, I have a log I saved a few lines before the program closed - it's big and I can post it if you want


Thanks

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 10:10:32.03 on Fri 30/04/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.991.370 [GMT -7:00]


============== Running Processes ===============

C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\sistray.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\sistray.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 192.168.1.10:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Tray] c:\winnt\system32\sistray.EXE
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [WD Button Manager] WDBtnMgr.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38490.8136689815
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {CA59C870-187B-44D3-BB94-4AD18BCACDB1} = 192.168.1.10
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli
Hosts: 192.168.1.11 www.flosport.com
Hosts: 192.168.1.11 www.suncruz.com

============= SERVICES / DRIVERS ===============

R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [1999-12-7 74448]
R0 VSP;Volume Snapshot Provider;c:\winnt\system32\drivers\VSP.SYS [2004-6-22 50680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\drivers\sfmatalk.sys [1999-12-7 148400]
R2 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [1999-12-7 25360]
R2 DNS;DNS Server;c:\winnt\system32\DNS.EXE [2005-5-17 335120]
R2 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2005-5-18 25872]
R2 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [1999-12-7 33552]
R2 MacPrint;Print Server for Macintosh;c:\winnt\system32\sfmprint.exe [1999-12-7 85264]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-5-18 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
R2 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2005-5-18 745232]
R2 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [1999-12-7 92944]
R2 WINS;Windows Internet Name Service (WINS);c:\winnt\system32\WINS.EXE [2009-8-12 153360]
R3 NaiAvFilter1;NaiAvFilter1;c:\winnt\system32\drivers\naiavf5x.sys [2005-5-18 83008]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2005-5-18 49776]
S2 MacFile;File Server for Macintosh;c:\winnt\system32\SFMSVC.EXE [2005-5-18 68368]
S3 MACSRV;SFM Kernel Driver;c:\winnt\system32\drivers\sfmsrv.sys [1999-12-7 154160]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2005-5-17 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2005-5-17 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2005-5-17 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2005-5-17 18264]
S4 SocketRedirector;SocketRedirector;c:\program files\socketredirector\SocketRedirectorService.exe [2008-3-18 28672]

=============== Created Last 30 ================

2010-04-30 17:10:32 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_630.dat
2010-04-30 17:09:23 0 d--h--w- c:\winnt\PIF
2010-04-28 06:06:29 0 d-----w- c:\program files\ESET
2010-04-28 01:38:04 16384 -----tw- c:\winnt\system32\Perflib_Perfdata_754.dat
2010-04-27 18:35:11 186 ---h--w- C:\boot.ini.SAB
2010-04-27 16:42:54 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-27 16:42:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-27 16:42:48 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-04-27 16:42:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-14 03:23:02 1715264 -c----w- c:\winnt\system32\dllcache\SET250.tmp
2010-04-14 03:23:01 1736576 -c----w- c:\winnt\system32\dllcache\SET252.tmp

==================== Find3M ====================

2010-03-12 21:44:24 401408 ------w- c:\winnt\system32\vbscript.dll
2010-03-05 17:49:42 1018368 ------w- c:\winnt\system32\SET86.tmp
2010-03-05 17:49:42 1018368 ------w- c:\winnt\system32\SET22.tmp
2010-03-05 17:49:42 1018368 ------w- c:\winnt\system32\SET20.tmp
2010-03-05 17:49:42 1018368 ------w- c:\winnt\system32\SET18.tmp
2010-03-05 17:49:32 1352192 ------w- c:\winnt\system32\SET92.tmp
2010-03-05 17:49:32 1352192 ------w- c:\winnt\system32\SET27.tmp
2010-03-05 17:49:32 1352192 ------w- c:\winnt\system32\SET23.tmp
2010-03-05 17:49:32 1352192 ------w- c:\winnt\system32\SET19.tmp
2010-02-25 18:32:02 576512 ------w- c:\winnt\system32\SET96.tmp
2010-02-25 18:32:02 576512 ------w- c:\winnt\system32\SET2A.tmp
2010-02-25 18:32:02 576512 ------w- c:\winnt\system32\SET26.tmp
2010-02-25 18:32:02 576512 ------w- c:\winnt\system32\SET1C.tmp
2010-02-25 18:31:56 471040 ------w- c:\winnt\system32\SET95.tmp
2010-02-25 18:31:56 471040 ------w- c:\winnt\system32\SET29.tmp
2010-02-25 18:31:56 471040 ------w- c:\winnt\system32\SET25.tmp
2010-02-25 18:31:56 471040 ------w- c:\winnt\system32\SET1B.tmp
2010-02-25 18:31:22 2710528 ------w- c:\winnt\system32\SET8E.tmp
2010-02-25 18:26:04 143360 ------w- c:\winnt\system32\SET87.tmp
2010-02-25 18:25:42 402944 ------w- c:\winnt\system32\SET93.tmp
2010-02-25 18:25:42 402944 ------w- c:\winnt\system32\SET28.tmp
2010-02-25 18:25:42 402944 ------w- c:\winnt\system32\SET24.tmp
2010-02-25 18:25:42 402944 ------w- c:\winnt\system32\SET1A.tmp
2010-02-16 04:16:05 1714368 ------w- c:\winnt\system32\NTKRNLPA.EXE
2010-02-16 04:15:25 1691648 ------w- c:\winnt\system32\NTOSKRNL.EXE
2010-02-16 01:22:24 167696 ------w- c:\winnt\system32\SETC4.tmp
2010-02-16 01:22:24 167696 ------w- c:\winnt\system32\SET37.tmp
2010-02-16 01:22:24 167696 ------w- c:\winnt\system32\SET33.tmp
2010-02-16 01:22:24 167696 ------w- c:\winnt\system32\SET2B.tmp
2005-05-18 01:50:38 271 ---h--w- c:\program files\desktop.ini
2005-05-18 01:50:38 21952 ---h--w- c:\program files\folder.htt
1999-12-07 12:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 10:10:59.53 ===============



defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:18 on 30/04/2010 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-30 17:24:20
Windows 5.0.2195 Service Pack 4
Running: bldvr13z.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ffroypow.sys


---- System - GMER 1.0.15 ----

SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x8051263E]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x80512894]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQueryDirectoryFile [0x804A809C]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySystemInformation [0x8049147E]

Code \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwCreatePagingFile [0x804CD18F]
Code \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQueryEvent [0x8048FCA9]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Dfs.sys (Windows NT Distributed File System Driver/Microsoft Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat Dfs.sys (Windows NT Distributed File System Driver/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (*** hidden *** ) [DISABLED] clr_optimization_v2.0.50727_32 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----










#4 m0le


Posted 30 April 2010 - 05:46 PM

Gmer is saying "rootkit" so we will let Combofix take a look.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 ssix


Posted 30 April 2010 - 11:14 PM

Hi m0le,
don't know what else might be compromised...
can't download ComboFix from your links - page cannot be displayed
when I right click to save target as - connection with server was reset
then I used Firefox on a different workstation on the network - the saved file disappears
finally tethered my BlackBerry and downloaded the file and saved it to the server, renamed
on running comfix.exe I get an error message that the OS is not supported (server on Windows 2000 Server platform)
Help!

#6 m0le


Posted 01 May 2010 - 02:55 AM

Combofix is supported for W2K so that seems to have been stopped by the malware.

Please run OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#7 ssix


Posted 01 May 2010 - 08:52 AM

Hi m0le,
Disconnected the computer from the internet for the weekend as I am out of town for Sat & Sun. Will run OTL on Monday and send you the results. BTW, I really appreciate what you guys do here!

ekaz

#8 m0le


Posted 01 May 2010 - 11:37 AM

No problem, enjoy your weekend
m0le is a proud member of UNITE

#9 ssix


Posted 03 May 2010 - 12:10 PM

OK, results of OTL

OTL Extras logfile created on: 03/05/2010 10:00:20 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = D:\PUBLIC\Software
Windows 2000 Standard Edition Service Pack 4 (Version = 5.0.2195) - Type = NTDomainController
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

991.00 Mb Total Physical Memory | 501.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 4.51 Gb Free Space | 45.10% Space Free | Partition Type: NTFS
Drive D: | 64.53 Gb Total Space | 43.83 Gb Free Space | 67.93% Space Free | Partition Type: NTFS
Drive E: | 404.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 64.53 Gb Total Space | 43.83 Gb Free Space | 67.93% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: SLANT6DC
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090002E-699B-4366-8457-4566D8629A04}" = VERITAS Backup Exec Remote Agent for Windows Servers
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{242365CD-80F2-11D2-989A-00C04F7978A9}" = Windows 2000 Support Tools
"{3E713D52-C967-41FB-AA24-3A92CC1025A4}" = Remote Desktop Connection
"{59224777-298D-4E9C-9AEB-4A91BDA01B27}" = McAfee VirusScan Enterprise
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{A351224F-533A-4EED-89F4-0BF3417FD31D}" = WD Backup
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7298620-EAC6-11D1-8F87-0060082EA63E}" = Windows 2000 Administration Tools
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}" = WD Firewire HID Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CCleaner" = CCleaner (remove only)
"ESET Online Scanner" = ESET Online Scanner v3
"Intel InBusiness Print Station" = Intel InBusiness Print Station
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Recuva" = Recuva (remove only)
"ShockwaveFlash" = Macromedia Flash Player 8
"SiS 651" = SiS 651
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"WinVNC_is1" = VNC 3.3.7
"WinZip" = WinZip

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/05/2010 6:06:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy engine.

Error - 02/05/2010 6:11:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.

Error - 02/05/2010 6:11:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy engine.

Error - 02/05/2010 6:16:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.

Error - 02/05/2010 6:16:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy engine.

Error - 02/05/2010 6:21:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.

Error - 02/05/2010 6:21:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy engine.

Error - 02/05/2010 6:26:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.

Error - 02/05/2010 6:26:30 AM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy engine.

Error - 02/05/2010 3:31:34 PM | Computer Name = SLANT6DC | Source = Userenv | ID = 1000
Description = Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.

[ Directory Service Events ]
Error - 30/04/2010 5:18:14 PM | Computer Name = SLANT6DC | Source = NTDS General | ID = 1126
Description = Unable to establish connection with global catalog.

[ DNS Server Events ]
Error - 25/02/2009 3:50:51 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 26/02/2009 7:32:47 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 26/02/2009 7:36:40 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 22/03/2009 5:30:52 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 23/03/2009 12:28:54 AM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 31/05/2009 6:42:42 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 16/03/2010 1:24:11 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 23/04/2010 2:06:19 PM | Computer Name = SLANT6DC | Source = DNS | ID = 6702
Description = DNS Server has updated its own host (A) records. In order to insure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's ActiveDirectory replication partners do not have the
correct
IP address(es) for this server, they will be unable to replicate with it. To insure
proper replication: 1) Find this server's ActiveDirectory replication partners that
run the DNS server. 2) Open DnsManager and connect in turn to each of the replication
partners. 3) On each server, check the host (A record) registration for THIS server.

4)
Delete any A records that do NOT correspond to IP addresses of this server. 5) If
there are no A records for this server, add at least one A record corresponding
to an address on this server, that the replication partner can contact. (In other
words, if there multiple IP addresses for this DNS server, add at least one that
is on the same network as the ActiveDirectory DNS server you are updating.) 6) Note,
that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

Error - 27/04/2010 2:36:44 PM | Computer Name = SLANT6DC | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The event data
contains the error.

Error - 27/04/2010 2:36:44 PM | Computer Name = SLANT6DC | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone slant-six.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The event data contains the error.

[ System Events ]
Error - 30/04/2010 9:13:42 PM | Computer Name = SLANT6DC | Source = Mouclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\PointerClass0.

Error - 30/04/2010 9:14:07 PM | Computer Name = SLANT6DC | Source = Mouclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\PointerClass0.

Error - 30/04/2010 9:14:07 PM | Computer Name = SLANT6DC | Source = Kbdclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\KeyboardClass1.

Error - 30/04/2010 9:15:39 PM | Computer Name = SLANT6DC | Source = Kbdclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\KeyboardClass1.

Error - 30/04/2010 9:17:12 PM | Computer Name = SLANT6DC | Source = Kbdclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\KeyboardClass1.

Error - 30/04/2010 9:17:12 PM | Computer Name = SLANT6DC | Source = Mouclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\PointerClass0.

Error - 30/04/2010 9:17:35 PM | Computer Name = SLANT6DC | Source = Mouclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\PointerClass0.

Error - 30/04/2010 9:17:36 PM | Computer Name = SLANT6DC | Source = Kbdclass | ID = 327689
Description = Could not enable interrupts on connected port device \Device\KeyboardClass1.

Error - 02/05/2010 6:31:30 AM | Computer Name = SLANT6DC | Source = EventLog | ID = 6000
Description = The Application log file is full.

Error - 02/05/2010 8:09:25 PM | Computer Name = SLANT6DC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >



OTL logfile created on: 03/05/2010 9:59:52 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = D:\PUBLIC\Software
Windows 2000 Standard Edition Service Pack 4 (Version = 5.0.2195) - Type = NTDomainController
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

991.00 Mb Total Physical Memory | 501.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 4.51 Gb Free Space | 45.10% Space Free | Partition Type: NTFS
Drive D: | 64.53 Gb Total Space | 43.83 Gb Free Space | 67.93% Space Free | Partition Type: NTFS
Drive E: | 404.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 64.53 Gb Total Space | 43.83 Gb Free Space | 67.93% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: SLANT6DC
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - D:\PUBLIC\Software\OTL.exe (OldTimer Tools)
PRC - C:\WINNT\system32\WINS.EXE (Microsoft Corporation)
PRC - C:\WINNT\system32\DNS.EXE (Microsoft Corporation)
PRC - C:\WINNT\system32\WDBtnMgr.exe (Western Digital Technologies, Inc.)
PRC - C:\Program Files\My Book\WD Backup\uBBMonitor.exe (ArcSoft, Inc.)
PRC - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe (VERITAS Software Corporation)
PRC - C:\WINNT\system32\LLSSRV.EXE (Microsoft Corporation)
PRC - C:\WINNT\system32\mstask.exe (Microsoft Corporation)
PRC - C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)
PRC - C:\Program Files\Network Associates\VirusScan\Mcshield.exe (Network Associates, Inc.)
PRC - C:\Program Files\Network Associates\VirusScan\shstat.exe (Network Associates, Inc.)
PRC - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (Network Associates, Inc.)
PRC - C:\WINNT\system32\SISTRAY.EXE (Silicon Integrated Systems Corporation)
PRC - C:\WINNT\system32\hidserv.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\ntfrs.exe (Microsoft Corporation)
PRC - C:\WINNT\explorer.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\wbem\WinMgmt.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\termsrv.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\SFMSVC.EXE (Microsoft Corporation)
PRC - C:\WINNT\system32\regsvc.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\ismserv.exe (Microsoft Corporation)
PRC - C:\WINNT\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINNT\system32\sfmprint.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\tcpsvcs.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - D:\PUBLIC\Software\OTL.exe (OldTimer Tools)
MOD - C:\WINNT\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINNT\system32\wsock32.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\lz32.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\netrap.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (WINS) Windows Internet Name Service (WINS) -- C:\WINNT\system32\WINS.EXE (Microsoft Corporation)
SRV - (DNS) -- C:\WINNT\system32\DNS.EXE (Microsoft Corporation)
SRV - (SocketRedirector) -- C:\Program Files\SocketRedirector\SocketRedirectorService.exe ()
SRV - (BackupExecAgentAccelerator) -- C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe (VERITAS Software Corporation)
SRV - (LicenseService) -- C:\WINNT\system32\LLSSRV.EXE (Microsoft Corporation)
SRV - (Schedule) -- C:\WINNT\system32\mstask.exe (Microsoft Corporation)
SRV - (McAfeeFramework) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (Network Associates, Inc.)
SRV - (McShield) -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe (Network Associates, Inc.)
SRV - (McTaskManager) -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (Network Associates, Inc.)
SRV - (HidServ) -- C:\WINNT\system32\hidserv.exe (Microsoft Corporation)
SRV - (NtFrs) -- C:\WINNT\system32\ntfrs.exe (Microsoft Corporation)
SRV - (WinMgmt) -- C:\WINNT\system32\wbem\WinMgmt.exe (Microsoft Corporation)
SRV - (dmadmin) -- C:\WINNT\System32\dmadmin.exe (VERITAS Software Corp.)
SRV - (TermService) -- C:\WINNT\system32\termsrv.exe (Microsoft Corporation)
SRV - (Fax) -- C:\WINNT\system32\FAXSVC.EXE (Microsoft Corporation)
SRV - (Dfs) -- C:\WINNT\system32\dfssvc.exe (Microsoft Corporation)
SRV - (RemoteRegistry) -- C:\WINNT\system32\regsvc.exe (Microsoft Corporation)
SRV - (MacFile) -- C:\WINNT\system32\SFMSVC.EXE (Microsoft Corporation)
SRV - (IsmServ) -- C:\WINNT\system32\ismserv.exe (Microsoft Corporation)
SRV - (UtilMan) -- C:\WINNT\system32\utilman.exe (Microsoft Corporation)
SRV - (winvnc) -- c:\Program Files\RealVNC\WinVNC\WinVNC.exe (RealVNC Ltd.)
SRV - (MacPrint) -- C:\WINNT\system32\sfmprint.exe (Microsoft Corporation)
SRV - (DHCPServer) -- C:\WINNT\system32\tcpsvcs.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (VSP) -- C:\WINNT\System32\DRIVERS\vsp.sys (VERITAS Software)
DRV - (SiS315) -- C:\WINNT\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp) -- C:\WINNT\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (NaiAvFilter1) -- C:\WINNT\system32\drivers\naiavf5x.sys (Network Associates, Inc.)
DRV - (dmboot) -- C:\WINNT\system32\drivers\dmboot.sys (VERITAS Software Corp.)
DRV - (MACSRV) -- C:\WINNT\system32\drivers\sfmsrv.sys (Microsoft Corporation)
DRV - (AppleTalk) -- C:\WINNT\system32\drivers\sfmatalk.sys (Microsoft Corporation)
DRV - (dmio) -- C:\WINNT\System32\drivers\dmio.sys (VERITAS Software Corp.)
DRV - (DfsDriver) -- C:\WINNT\system32\drivers\Dfs.sys (Microsoft Corporation)
DRV - (Parallel) -- C:\WINNT\system32\drivers\parallel.sys (Microsoft Corporation)
DRV - (usbhub20) -- C:\WINNT\system32\drivers\usbhub20.sys (Microsoft Corporation)
DRV - (EFS) -- C:\WINNT\system32\drivers\efs.sys (Microsoft Corporation)
DRV - (openhci) -- C:\WINNT\system32\drivers\openhci.sys (Microsoft Corporation)
DRV - (TDIPX) -- C:\WINNT\system32\drivers\tdipx.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\WINNT\system32\drivers\hidbatt.sys (Microsoft Corporation)
DRV - (TDNETB) -- C:\WINNT\system32\drivers\tdnetb.sys (Microsoft Corporation)
DRV - (TDSPX) -- C:\WINNT\system32\drivers\tdspx.sys (Microsoft Corporation)
DRV - (TDASYNC) -- C:\WINNT\system32\drivers\tdasync.sys (Microsoft Corporation)
DRV - (Diskperf) -- C:\WINNT\system32\drivers\diskperf.sys (Microsoft Corporation)
DRV - (dmload) -- C:\WINNT\System32\drivers\dmload.sys (VERITAS Software Corp.)
DRV - (SISAGP) -- C:\WINNT\System32\DRIVERS\SISAGPx.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINNT\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (SISNIC) -- C:\WINNT\system32\drivers\sisnic.sys (SiS Corporation)
DRV - (pnp680r) -- C:\WINNT\system32\drivers\pnp680r.sys (Silicon Image, Inc)
DRV - (RCA) -- C:\WINNT\system32\drivers\rca.sys (Microsoft Corporation)
DRV - (NetDetect) -- C:\WINNT\system32\drivers\netdtect.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINNT\system32\SHDOCVW.DLL (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.1.10:8080



O1 HOSTS File: ([2005/07/04 13:08:02 | 000,000,801 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.11 www.flosport.com
O1 - Hosts: 192.168.1.11 www.suncruz.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (Network Associates, Inc.)
O4 - HKLM..\Run: [SiS Tray] C:\WINNT\system32\SISTRAY.EXE (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINNT\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WD Button Manager] C:\WINNT\System32\WDBtnMgr.exe (Western Digital Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe (ArcSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINNT\system32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINNT\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINNT\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: bleepingcomputer.com ([download] http in Trusted sites)
O15 - HKCU\..Trusted Domains: bleepingcomputer.com ([www] http in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8490.8136689815 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slant-six.com
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINNT\system32\INETCOMM.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\userinit.exe) - C:\WINNT\system32\USERINIT.EXE (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINNT\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINNT\System32\SYSDM.CPL (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINNT\System32\CRYPT32.DLL (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINNT\System32\CRYPTNET.DLL (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINNT\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINNT\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - C:\WINNT\system32\netshell.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINNT\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINNT\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINNT\System32\SHELL32.DLL (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINNT\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINNT\System32\SCHANNEL.DLL (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINNT\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINNT\System32\msnsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINNT\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINNT\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINNT\System32\schannel.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/17 18:51:20 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1999/12/07 05:00:00 | 000,000,045 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (DfsInit) - C:\WINNT\System32\DfsInit.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/30 21:21:53 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/04/30 10:31:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\New Folder
[2010/04/30 10:09:23 | 000,000,000 | -H-D | C] -- C:\WINNT\PIF
[2010/04/27 23:06:29 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/27 09:42:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/27 09:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/04/27 09:42:48 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/27 09:42:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/23 09:47:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[69 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[26 C:\WINNT\System32\dllcache\*.tmp files -> C:\WINNT\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/03 09:59:59 | 000,819,200 | ---- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/03 09:46:45 | 000,065,536 | ---- | M] () -- C:\WINNT\NETLOGON.CHG
[2010/04/30 21:00:53 | 003,924,810 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\comFix.exe
[2010/04/30 20:55:21 | 000,000,315 | ---- | M] () -- C:\WINNT\hpbafd.ini
[2010/04/30 17:24:35 | 000,000,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/30 17:06:20 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/04/30 16:03:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/04/30 10:32:42 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\bldvr13z.exe
[2010/04/30 10:18:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/04/30 10:17:16 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/04/30 10:09:27 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.pif
[2010/04/29 12:25:48 | 000,058,368 | ---- | M] () -- C:\WINNT\System32\dsa.msc
[2010/04/29 11:14:23 | 000,001,172 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/04/29 11:10:23 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\dhcpmgmt.msc
[2010/04/27 18:47:30 | 000,000,205 | -H-- | M] () -- C:\boot.ini
[2010/04/27 18:46:31 | 000,399,920 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100427_184540.reg
[2010/04/27 18:44:36 | 000,001,433 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/04/27 18:38:04 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_754.dat
[2010/04/27 17:30:05 | 000,002,225 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Active Directory Users and Computers.lnk
[2010/04/27 16:14:54 | 000,006,377 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SafeBoot.zip
[2010/04/23 17:19:30 | 000,000,512 | ---- | M] () -- C:\WINNT\randseed.rnd
[2010/04/23 11:04:41 | 000,075,968 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2010/04/23 09:59:03 | 000,002,658 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/04/23 09:56:07 | 000,532,876 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2010/04/23 09:56:07 | 000,465,554 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2010/04/23 09:56:07 | 000,078,910 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2010/04/22 10:28:02 | 000,054,784 | ---- | M] () -- C:\WINNT\System32\winsmgmt.msc
[2010/04/22 10:27:15 | 000,001,587 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WINS.lnk
[2010/04/22 10:20:11 | 000,062,976 | ---- | M] () -- C:\WINNT\System32\dnsmgmt.msc
[2010/04/22 10:19:25 | 000,001,563 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DNS.lnk
[69 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[26 C:\WINNT\System32\dllcache\*.tmp files -> C:\WINNT\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/30 21:03:15 | 003,924,810 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\comFix.exe
[2010/04/30 10:32:38 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\bldvr13z.exe
[2010/04/30 10:18:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/04/30 10:17:16 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/04/30 10:09:23 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.pif
[2010/04/27 18:45:45 | 000,399,920 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100427_184540.reg
[2010/04/27 18:38:04 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_754.dat
[2010/04/27 16:14:59 | 000,006,377 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SafeBoot.zip
[2010/04/27 11:35:11 | 000,000,186 | -H-- | C] () -- C:\boot.ini.SAB
[2010/04/27 09:42:51 | 000,000,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2005/07/01 16:08:42 | 000,000,315 | ---- | C] () -- C:\WINNT\hpbafd.ini
[2005/06/21 16:40:01 | 000,094,274 | ---- | C] () -- C:\WINNT\System32\HPBHEALR.DLL
[2005/05/18 15:47:13 | 000,017,168 | ---- | C] () -- C:\WINNT\System32\ismsink.dll
[2005/05/18 14:55:32 | 000,155,648 | ---- | C] () -- C:\WINNT\System32\setuplib.dll
[2005/05/18 14:55:29 | 000,155,648 | ---- | C] () -- C:\WINNT\System32\TVModeLib.dll
[2005/05/18 14:55:26 | 000,034,915 | ---- | C] () -- C:\WINNT\System32\1_ssetup.ini
[2005/05/18 14:55:26 | 000,023,091 | ---- | C] () -- C:\WINNT\System32\sunistlog.ini
[2005/05/17 18:50:04 | 000,002,360 | ---- | C] () -- C:\WINNT\System32\dhcpctrs.ini
[2005/05/17 11:48:51 | 000,011,597 | ---- | C] () -- C:\WINNT\System32\dnsperf.ini
[1999/12/07 05:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/12/07 05:00:00 | 000,133,752 | ---- | C] () -- C:\WINNT\System32\schema.ini
[1999/12/07 05:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[1999/12/07 05:00:00 | 000,022,582 | ---- | C] () -- C:\WINNT\System32\ntdsctrs.ini
[1999/12/07 05:00:00 | 000,020,386 | ---- | C] () -- C:\WINNT\System32\ntfrsrep.ini
[1999/12/07 05:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[1999/12/07 05:00:00 | 000,005,597 | ---- | C] () -- C:\WINNT\System32\ntfrscon.ini
[1999/12/07 05:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[1999/09/25 03:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 03:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== LOP Check ==========

[2005/05/18 18:57:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2005/05/20 13:49:10 | 000,000,122 | ---- | M] () -- C:\WINNT\Tasks\Critical Battery Alarm Program.job
[2005/05/20 13:48:07 | 000,000,122 | ---- | M] () -- C:\WINNT\Tasks\Low Battery Alarm Program.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Microsoft UAM Volume:AFP_AfpInfo
@Alternate Data Stream - 44 bytes -> C:\Microsoft UAM Volume:AFP_DeskTop
@Alternate Data Stream - 4096 bytes -> C:\Microsoft UAM Volume:AFP_IdIndex
< End of report >


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 03 May 2010 - 03:08 PM

Nothing showing on OTL. The error messages seem to indicate the possible problem.

As for malware, there doesn't appear to be a problem though.


m0le is a proud member of UNITE

#11 ssix

ssix
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:38 PM

Posted 04 May 2010 - 11:32 AM

I'll have the IT guy review the errors and solution you noted.

Still curious about the issues quoted below:


QUOTE(ssix @ Apr 30 2010, 09:14 PM)
Hi m0le,
Don't know what else might be compromised...
Can't download ComboFix from your links - page cannot be displayed.
When I right click to save target as - connection with server was reset.
Then I used Firefox on a different workstation on the network - the saved file disappears.
Finally tethered my BlackBerry, downloaded the file and saved it to the server renamed.
On running comfix.exe I get an error message that the OS is not supported (server is on the Windows 2000 Server platform).
Help!



We are building a new server with a new O/S (2008 Server), planning to bring it online this week. We want to clean this one up before we transfer any data...

Thx

#12 ssix

ssix
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:38 PM

Posted 04 May 2010 - 11:37 AM

Also forgot to mention that the error messages showing in the log have only been coming up since I disconnected the server from the internet and network. Also, when I ran Defogger we left the CD emulation drivers disabled. Is this OK?


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 04 May 2010 - 02:59 PM

It's okay to leave the emulation drivers disabled.


As for the Combofix problem...

Can you try and run the Combofix file that you downloaded using the command prompt:

Disable your antivirus before running ComboFix, as it will prevent ComboFix from working.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\comfix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.
m0le is a proud member of UNITE

#14 ssix

ssix
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:38 PM

Posted 05 May 2010 - 01:39 PM

OK, ran per your instructions:

Same error, 2 windows open.

Error - win 32 only
Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP. (repeats in various languages)

An additional red X error window opens.
32788R22FWJFW\N.pif
X access to specific device, path or file is denied

Thx

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 06 May 2010 - 10:02 PM

Okay, thanks.


Can you run MBAM?

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE
