
backdoor.bot, win32:patched-rr


  • This topic is locked
11 replies to this topic

#1 troyd1

  • Members
  • 6 posts

Posted 17 October 2010 - 07:42 PM

We have multiple infected PCs. When I tried to load mbam directly, it modified the exe so it would not run. If I run sfc.exe, it shows hundreds of files that are the wrong version in my syslog. It is running Server 2000. If I move an infected file to my PC, Avast says the file is infected with win32:patched-rr. Winclam shows nothing. I loaded mbam on a different drive and installed it and it says I have 10 infected files that have backdoor.bot. It is definitely modifying exes. Here are the logs:

dds.txt

DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 11:02:26.48 on Sun 10/17/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.1.1033.18.511.93 [GMT -4:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\sfmprint.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\IBM\unishared\unirpc\unirpcd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
C:\Program Files\SmartSync Pro\SmartSync.exe
C:\Program Files\SmartSync Software\SmartSync Pro\SmSrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SmartSync Pro] "c:\program files\smartsync pro\SmartSync.exe" /Logon
uRun: [SmartSync Pro 3] "c:\program files\smartsync software\smartsync pro\SmartSync.exe" /Logon
mRun: [AtiPTA] Atiptaxx.exe
mRun: [AuCaption] DSA OMSA Reminder
mRun: [AuFlag] 2 (0x2)
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [NA1Messenger] c:\ups\wstd\policymgr\NA1Msgr.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38279.646412037
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {D4DB2686-7EE2-4DFC-B6C2-AE1763A98612} = 64.83.0.10,209.137.160.3
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli

============= SERVICES / DRIVERS ===============

R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2004-10-19 74448]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2002-8-1 362083]
R2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\drivers\sfmatalk.sys [2004-10-19 148400]
R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2002-9-19 53248]
R2 MacFile;File Server for Macintosh;c:\winnt\system32\SFMSVC.EXE [2004-10-19 68368]
R2 MacPrint;Print Server for Macintosh;c:\winnt\system32\sfmprint.exe [2004-10-19 85264]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 unirpc;Uni RPC Service;c:\ibm\unishared\unirpc\unirpcd.exe [2004-12-15 45056]
R3 ati2mpad;ati2mpad;c:\winnt\system32\drivers\ati2mpad.sys [2004-10-19 323793]
R3 dfmirage;dfmirage;c:\winnt\system32\drivers\dfmirage.sys [2004-5-8 9728]
R3 MACSRV;SFM Kernel Driver;c:\winnt\system32\drivers\sfmsrv.sys [2004-10-19 154160]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2004-10-19 12336]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-10-19 49776]
S3 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2002-9-19 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [2002-9-19 77824]
S3 NtFrs;File Replication;c:\winnt\system32\ntfrs.exe [2004-10-19 745232]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2004-10-19 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2004-10-19 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2004-10-19 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2004-10-19 18264]
S3 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [2004-10-19 92944]
S4 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2004-10-19 27408]
S4 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [2004-10-19 33552]
S4 UDDBMS6.1;UniData Database Service 6.1;c:\ibm\ud61\bin\startudsrv.exe [2004-12-15 135168]
S4 UDInetD6.1;UniData ObjectCall Server 6.1;c:\ibm\ud61\bin\udinetd.exe [2004-12-15 114688]
S4 UDNFA6.1;UniData NFA Server 6.1;c:\ibm\ud61\bin\udnfa.exe --> c:\ibm\ud61\bin\UDNFA.exe [?]
S4 UDSerial6.1;UniData Terminal Server 6.1;c:\ibm\ud61\bin\udserial.exe --> c:\ibm\ud61\bin\UDSerial.exe [?]
S4 UDTelnetD6.1;UniData Telnet Service 6.1;c:\ibm\ud61\bin\udtelnetd.exe [2004-12-15 40960]

=============== Created Last 30 ================

2010-10-17 14:08:51 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-10-17 14:08:38 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-10-17 14:08:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-17 14:08:35 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-10-17 14:08:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 11:40:40 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\SmartSync Software
2010-10-13 11:40:39 -------- d-----w- c:\program files\SmartSync Software

==================== Find3M ====================


============= FINISH: 11:02:56.03 ===============

I started gmer, and it has been running all day. The computer is running very slow. Should I reboot or something and try it?





#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 27 October 2010 - 06:44 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    winlogon.exe
    wininit.exe
    explorer.exe
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

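As an added example (not part of this thread and not OTL's own code), the Python script below does for a handful of files what the /md5start ... /md5stop block and the "/90" directive in the custom scan above ask OTL to do: it hashes the named system binaries and compares them against a baseline taken from a known-clean machine of the same build, flagging anything that differs (which is what a "patched" system file such as the win32:patched-rr detection implies), and it lists driver files modified within the last 90 days. The directory tree, the baseline hashes and the sample files are constructed inside the script so it runs offline; on a real machine you would point `check_hashes` at %systemroot%\system32 and supply hashes recorded from a clean install.

```python
"""Baseline integrity check in the spirit of OTL's /md5start block and /90 directive.

Added example for the thread above; not OTL's code. Every path, hash and file
below is constructed for the demonstration.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# The files the custom scan above asks OTL to hash.
WATCHED = ["winlogon.exe", "wininit.exe", "explorer.exe", "hlp.dat"]


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_hashes(system32: Path, baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {file name: 'ok' | 'MODIFIED' | 'missing'} for every watched file.

    baseline maps file name -> MD5 recorded on a known-clean machine of the same
    build. A file with no baseline entry is reported as MODIFIED so it gets looked at.
    """
    result: Dict[str, str] = {}
    for name in WATCHED:
        p = system32 / name
        if not p.is_file():
            result[name] = "missing"
        elif name in baseline and md5_of(p) == baseline[name]:
            result[name] = "ok"
        else:
            result[name] = "MODIFIED"
    return result


def recently_modified(folder: Path, pattern: str, days: int) -> List[str]:
    """Names of files in folder matching pattern whose mtime is within `days` days
    (the equivalent of OTL's "...\\drivers\\*.sys /90")."""
    cutoff = time.time() - days * 86400
    return sorted(p.name for p in folder.glob(pattern)
                  if p.is_file() and p.stat().st_mtime >= cutoff)


def build_demo_tree() -> Tuple[Path, Dict[str, str]]:
    """Constructed stand-in for %systemroot%\\system32: clean winlogon.exe and
    hlp.dat, an explorer.exe whose bytes were changed after the baseline was
    taken, no wininit.exe at all, and two drivers with new and old timestamps."""
    root = Path(tempfile.mkdtemp(prefix="otl_demo_"))
    sys32 = root / "system32"
    drivers = sys32 / "drivers"
    drivers.mkdir(parents=True)

    clean = {
        "winlogon.exe": b"MZ constructed clean winlogon",
        "explorer.exe": b"MZ constructed clean explorer",
        "hlp.dat": b"constructed help data",
    }
    for name, data in clean.items():
        (sys32 / name).write_bytes(data)
    # Baseline = hashes of the clean contents, as recorded on a clean machine.
    baseline = {name: hashlib.md5(data).hexdigest() for name, data in clean.items()}

    # Simulate a patched binary: same file name, different bytes on disk.
    (sys32 / "explorer.exe").write_bytes(b"MZ constructed clean explorer + appended stub")

    # One driver written now, one back-dated 400 days so it falls outside /90.
    (drivers / "new.sys").write_bytes(b"constructed recent driver")
    old = drivers / "old.sys"
    old.write_bytes(b"constructed old driver")
    old_time = time.time() - 400 * 86400
    os.utime(old, (old_time, old_time))
    return sys32, baseline


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    """Build the constructed tree and run both checks against it."""
    sys32, baseline = build_demo_tree()
    return check_hashes(sys32, baseline), recently_modified(sys32 / "drivers", "*.sys", 90)


if __name__ == "__main__":
    statuses, recent = run_demo()
    for name, status in statuses.items():
        print(f"{name:14} {status}")
    print("drivers modified in the last 90 days:", recent)
```

The hash comparison is only as good as the baseline: record it from a clean machine of the same OS build and patch level, and treat "MODIFIED" as a prompt to inspect the file (version info, signature, a second scanner), not as a verdict on its own.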


#3 troyd1

  • Topic Starter
  • Members
  • 6 posts

Posted 28 October 2010 - 01:26 PM

OTL.TXT:
OTL logfile created on: 10/28/2010 1:55:31 PM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Advanced Server Edition Service Pack 4 (Version = 5.0.2195) - Type = NTServer
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 154.00 Mb Available Physical Memory | 30.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 20.37 Gb Free Space | 54.73% Space Free | Partition Type: NTFS
Drive D: | 372.61 Gb Total Space | 9.65 Gb Free Space | 2.59% Space Free | Partition Type: NTFS
Drive F: | 372.61 Gb Total Space | 8.26 Gb Free Space | 2.22% Space Free | Partition Type: NTFS
Drive G: | 372.61 Gb Total Space | 82.11 Gb Free Space | 22.04% Space Free | Partition Type: NTFS

Computer Name: SERVER-TWO | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/28 13:53:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/08/12 15:03:42 | 001,915,728 | ---- | M] (SmartSync Software) -- C:\Program Files\SmartSync Software\SmartSync Pro\SmSrvc.exe
PRC - [2008/06/07 11:06:12 | 001,149,952 | ---- | M] (SmartSync Software) -- C:\Program Files\SmartSync Pro\SmartSync.exe
PRC - [2006/12/08 03:15:02 | 000,020,480 | ---- | M] ( ) -- C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
PRC - [2005/05/04 01:04:28 | 009,150,464 | ---- | M] (Microsoft Corporation) -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
PRC - [2005/01/13 10:19:18 | 000,085,264 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\LLSSRV.EXE
PRC - [2004/09/07 08:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2004/06/11 16:54:22 | 000,045,056 | ---- | M] (IBM Corporation) -- C:\IBM\unishared\unirpc\unirpcd.exe
PRC - [2004/06/01 15:03:49 | 000,528,384 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe
PRC - [2003/11/25 14:26:52 | 000,270,336 | ---- | M] (ATI Technologies, Inc.) -- C:\WINNT\system32\atiptaxx.exe
PRC - [2003/06/19 15:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 15:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 15:05:04 | 000,090,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\dfssvc.exe
PRC - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\SFMSVC.EXE
PRC - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\inetsrv\inetinfo.exe
PRC - [2003/02/13 10:25:48 | 000,493,024 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\eTrust Antivirus\Realmon.exe
PRC - [2003/02/13 10:24:30 | 000,234,976 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\eTrust Antivirus\InoTask.exe
PRC - [2003/02/13 10:24:04 | 000,230,880 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\eTrust Antivirus\InoRT.exe
PRC - [2003/02/13 10:24:00 | 000,144,864 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
PRC - [2002/09/19 20:29:28 | 000,053,248 | ---- | M] (Computer Associates) -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
PRC - [2002/08/01 01:14:26 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [1999/12/07 08:00:00 | 000,085,264 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\sfmprint.exe


========== Modules (SafeList) ==========

MOD - [2010/10/28 13:53:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2004/06/01 15:02:41 | 000,032,768 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\VNCHooks.dll
MOD - [2003/06/19 15:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/19 15:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [1999/12/07 08:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\IBM\ud61\bin\UDSerial.exe -- (UDSerial6.1)
SRV - File not found [Disabled | Stopped] -- C:\IBM\ud61\bin\UDNFA.exe -- (UDNFA6.1)
SRV - [2005/05/04 01:04:28 | 009,150,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -- (MSSQL$UPSWSDBSERVER)
SRV - [2005/05/03 22:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -- (SQLAgent$UPSWSDBSERVER)
SRV - [2005/01/13 10:19:18 | 000,085,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\LLSSRV.EXE -- (LicenseService)
SRV - [2004/09/07 08:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2004/06/11 16:54:36 | 000,135,168 | ---- | M] (IBM Corporation) [Disabled | Stopped] -- C:\IBM\ud61\bin\startudsrv.exe -- (UDDBMS6.1)
SRV - [2004/06/11 16:54:22 | 000,045,056 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\IBM\unishared\unirpc\unirpcd.exe -- (unirpc)
SRV - [2004/06/11 16:54:22 | 000,040,960 | ---- | M] (IBM Corporation) [Disabled | Stopped] -- C:\IBM\ud61\bin\udtelnetd.exe -- (UDTelnetD6.1)
SRV - [2004/06/11 16:54:20 | 000,114,688 | ---- | M] (IBM Corporation) [Disabled | Stopped] -- C:\IBM\ud61\bin\udinetd.exe -- (UDInetD6.1)
SRV - [2004/06/01 15:03:49 | 000,528,384 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2003/06/19 15:05:04 | 000,745,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\ntfrs.exe -- (NtFrs)
SRV - [2003/06/19 15:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 15:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 15:05:04 | 000,144,144 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINNT\system32\termsrv.exe -- (TermService)
SRV - [2003/06/19 15:05:04 | 000,096,528 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 15:05:04 | 000,090,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\dfssvc.exe -- (Dfs)
SRV - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\SFMSVC.EXE -- (MacFile)
SRV - [2003/06/19 15:05:04 | 000,027,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINNT\system32\ismserv.exe -- (IsmServ)
SRV - [2003/06/19 15:05:04 | 000,024,336 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transport Protocol (SMTP)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2003/02/13 10:24:30 | 000,234,976 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\eTrust Antivirus\InoTask.exe -- (InoTask)
SRV - [2003/02/13 10:24:04 | 000,230,880 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\eTrust Antivirus\InoRT.exe -- (InoRT)
SRV - [2003/02/13 10:24:00 | 000,144,864 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\eTrust Antivirus\InoRpc.exe -- (InoRPC)
SRV - [2002/09/19 20:41:00 | 000,077,824 | ---- | M] (Computer Associates) [On_Demand | Stopped] -- C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe -- (CA_LIC_SRVR)
SRV - [2002/09/19 20:29:28 | 000,053,248 | ---- | M] (Computer Associates) [Auto | Running] -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe -- (LogWatch)
SRV - [2002/09/19 20:27:04 | 000,077,824 | ---- | M] (Computer Associates) [On_Demand | Stopped] -- C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe -- (CA_LIC_CLNT)
SRV - [1999/12/07 08:00:00 | 000,085,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\sfmprint.exe -- (MacPrint)


========== Driver Services (SafeList) ==========

DRV - [2004/12/28 11:41:48 | 000,058,000 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\cdr4_2K.sys -- (Cdr4_2K)
DRV - [2004/12/28 11:41:48 | 000,023,420 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/05/08 04:27:02 | 000,009,728 | ---- | M] (DemoForge, LLC) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\dfmirage.sys -- (dfmirage)
DRV - [2003/11/12 18:56:52 | 000,046,581 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2003/11/12 18:56:24 | 001,086,821 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2003/11/12 18:55:32 | 000,618,057 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2003/11/12 18:54:52 | 000,031,440 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/10/29 23:52:18 | 000,323,793 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2003/10/25 02:00:56 | 000,129,904 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e1000nt5.sys -- (E1000) Intel®
DRV - [2003/06/19 15:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 15:05:04 | 000,154,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINNT\system32\drivers\sfmsrv.sys -- (MACSRV)
DRV - [2003/06/19 15:05:04 | 000,148,400 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\sfmatalk.sys -- (AppleTalk)
DRV - [2003/06/19 15:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 15:05:04 | 000,074,448 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINNT\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2003/06/19 15:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 15:05:04 | 000,049,776 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2003/06/19 15:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 15:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 15:05:04 | 000,020,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\tdipx.sys -- (TDIPX)
DRV - [2003/06/19 15:05:04 | 000,018,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\tdnetb.sys -- (TDNETB)
DRV - [2003/06/19 15:05:04 | 000,018,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\tdspx.sys -- (TDSPX)
DRV - [2003/06/19 15:05:04 | 000,012,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\tdasync.sys -- (TDASYNC)
DRV - [2003/06/19 15:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 15:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2003/01/03 16:12:52 | 000,113,728 | ---- | M] (Computer Associates) [File_System | Auto | Running] -- C:\WINNT\system32\drivers\ino_fltr.sys -- (INO_FLTR)
DRV - [2003/01/03 14:08:14 | 000,019,776 | ---- | M] (Computer Associates) [File_System | Boot | Running] -- C:\WINNT\system32\Drivers\ino_flpy.sys -- (INO_FLPY)
DRV - [2002/08/01 01:25:24 | 000,227,266 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\System32\drivers\udfreadr.sys -- (UdfReadr)
DRV - [2002/08/01 01:20:12 | 000,025,578 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/08/01 01:20:06 | 000,030,246 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/08/01 01:19:58 | 000,132,058 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/08/01 01:19:46 | 000,362,083 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\System32\drivers\cdudf.sys -- (cdudf)
DRV - [2002/05/31 04:35:02 | 000,076,976 | R--- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\pnp680r.sys -- (Pnp680r)
DRV - [1999/12/07 08:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [1999/12/07 08:00:00 | 000,012,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\spud.sys -- (spud)
DRV - [1999/12/07 08:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1614895754-1275210071-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
IE - HKU\S-1-5-21-1614895754-1275210071-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1614895754-1275210071-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([1999/12/07 08:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [AtiPTA] C:\WINNT\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AuCaption] File not found
O4 - HKLM..\Run: [AuFlag] Reg Error: Invalid data type. File not found
O4 - HKLM..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe ( )
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\Realmon.exe (Computer Associates International, Inc.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
O4 - HKU\S-1-5-21-1614895754-1275210071-725345543-500..\Run: [SmartSync Pro] C:\Program Files\SmartSync Pro\SmartSync.exe (SmartSync Software)
O4 - HKU\S-1-5-21-1614895754-1275210071-725345543-500..\Run: [SmartSync Pro 3] C:\Program Files\SmartSync Software\SmartSync Pro\SmartSync.exe (SmartSync Software)
O4 - HKU\.DEFAULT..\RunOnce: [!teamcfg] C:\WINNT\..\dell\nicteaming\intel\nicteamconfig.bat File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1614895754-1275210071-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1614895754-1275210071-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38279.646412037 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/19 18:15:32 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (DfsInit) - C:\WINNT\System32\DfsInit.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: dmadmin - C:\WINNT\System32\dmadmin.exe (VERITAS Software Corp.)
SafeBootMin: dmboot.sys - C:\WINNT\system32\drivers\dmboot.sys (VERITAS Software Corp.)
SafeBootMin: dmio.sys - C:\WINNT\System32\drivers\dmio.sys (VERITAS Software Corp.)
SafeBootMin: dmload.sys - C:\WINNT\System32\drivers\dmload.sys (VERITAS Software Corp.)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: sglfb.sys - File not found
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: tga.sys - File not found
SafeBootMin: vga.sys - Driver
SafeBootMin: WinMgmt - C:\WINNT\system32\wbem\WinMgmt.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {02f78298-8af6-495c-9ecb-b6ae68678186} - KB867282
ActiveX: {04d6265d-6b5d-41c3-9e7c-48be15919643} - KB890923
ActiveX: {08a00762-7c1e-42c2-87f0-ca3600045cd7} - KB941202
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {0fde1f56-0d59-4fd7-9624-e3df6b419d0e} - Internet Explorer ReadMe
ActiveX: {0fde1f56-0d59-4fd7-9624-e3df6b419d0f} - IEEX
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {110e3a85-a9d6-4220-a14a-d39588fa4763} - KB947864
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {2337076a-dd0c-43a6-8d85-54070578a42f} - KB912812
ActiveX: {28023b22-f71e-43e8-8ea4-de315462878d} - KB933566
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3c0d61fe-1db3-4d0b-8477-3cb53eab9469} - KB951066
ActiveX: {3e7bb08a-a7a3-4692-8eac-ac5e7895755b} - KB834707
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4d64f3ba-f112-4efe-a02e-96680859937c} - KB918899
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5c9ff2bf-938d-47fe-85d9-9dbab4f65018} - KB897715
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {685e3910-1f77-49b9-9434-50bcd95c51ab} - KB905495
ActiveX: {689e5762-8d75-4346-90cf-bc1902c32d63} - KB896688
ActiveX: {6A5110B5-E14B-4268-A065-EF89FF33C325} - regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {706b15de-aa6d-4c4f-8699-1b0a991228b7} - KB939653
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {79844cfb-ac65-4e10-a06a-c974234f40d0} - KB883939
ActiveX: {7d16667b-0ff7-4c6b-9fcf-775578e89cc2} - KB922760
ActiveX: {80b81c71-14cd-41c3-9e8c-08b9e06d02ef} - KB960714
ActiveX: {82ced0ff-a00d-4405-ba5f-ef4699159333} - KB896727
ActiveX: {839117ee-2132-4bae-a56a-42b50204c9b9} - KB889293
ActiveX: {83ACCF02-DFA1-4555-AAF2-529EC15ACE27} - Microsoft .NET Framework 1.1 Hotfix (KB947742)
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\System32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install
ActiveX: {8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98} - Internet Explorer Q903235
ActiveX: {8D1D0E9A-C799-4D28-9E29-0061D1E66E43} - Microsoft .NET Framework 1.1 Hotfix (KB928366)
ActiveX: {90b0bef8-22d6-40a8-92c8-155434fc112f} - KB938127
ActiveX: {9311e53c-4c8c-4b8f-aa80-6b16de179d70} - KB925454
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {95177e6d-aaa9-44d1-bebd-b380bce3be79} - KB937143
ActiveX: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
ActiveX: {a5653fdf-8d3a-451b-937f-6c7534804953} - KB923694
ActiveX: {a99b636e-f3ca-4adc-bcde-a4b451cd65d4} - KB942615
ActiveX: {ae594d5e-dd07-4e54-8252-daa5aebbd4ec} - KB905915
ActiveX: {c1f0071f-505e-40bc-babe-3240af80b5cf} - KB950759
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {da53c936-c804-4f62-a1d2-6cf6d1591b66} - KB948881
ActiveX: {dd772a76-bef3-44d7-8b39-502c8504c1f1} - KB925486
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {e41091c0-06d5-474f-836e-dd190348ea18} - KB958215
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eb6ab742-eb17-446b-8ce7-dff2bc7cbf93} - KB931768
ActiveX: {ee714f0a-76c6-4126-a55e-1e43c11884a7} - KB944533
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f156e5b2-f52e-4094-800c-e7392fe62314} - KB938464
ActiveX: {f15ee071-deb7-4cbb-951f-431c98338d8e} - KB911567
ActiveX: {f4de1058-dafc-4d16-b294-6ea1125bf3d3} - KB929969
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: {f54910c7-a2f3-4ca4-81b2-4a43a5e2680a} - KB916281
ActiveX: {fd4aedf6-1163-4f9c-bbf2-11aec5b873b0} - KB953838
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} -
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -

Drivers32: aux - C:\WINNT\System32\mmdrv.dll (Microsoft Corporation)
Drivers32: aux1 - File not found
Drivers32: aux2 - File not found
Drivers32: aux3 - File not found
Drivers32: aux4 - File not found
Drivers32: aux5 - File not found
Drivers32: aux6 - File not found
Drivers32: aux7 - File not found
Drivers32: aux8 - File not found
Drivers32: aux9 - File not found
Drivers32: midi1 - File not found
Drivers32: midi2 - File not found
Drivers32: midi3 - File not found
Drivers32: midi4 - File not found
Drivers32: midi5 - File not found
Drivers32: midi6 - File not found
Drivers32: midi7 - File not found
Drivers32: midi8 - File not found
Drivers32: midi9 - File not found
Drivers32: mixer1 - File not found
Drivers32: mixer2 - File not found
Drivers32: mixer3 - File not found
Drivers32: mixer4 - File not found
Drivers32: mixer5 - File not found
Drivers32: mixer6 - File not found
Drivers32: mixer7 - File not found
Drivers32: mixer8 - File not found
Drivers32: mixer9 - File not found
Drivers32: msacm.iac2 - C:\WINNT\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINNT\System32\l3codecx.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINNT\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINNT\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINNT\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINNT\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINNT\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINNT\System32\ir32_32.dll ()
Drivers32: vidc.iv50 - C:\WINNT\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - C:\WINNT\System32\serwvdrv.dll (Microsoft Corporation)
Drivers32: wave2 - File not found
Drivers32: wave3 - File not found
Drivers32: wave4 - File not found
Drivers32: wave5 - File not found
Drivers32: wave6 - File not found
Drivers32: wave7 - File not found
Drivers32: wave8 - File not found
Drivers32: wave9 - File not found

NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/10/28 13:53:27 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/10/17 10:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/10/17 10:08:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/10/17 10:08:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/10/17 10:08:35 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/10/17 10:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/13 07:40:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\SmartSync Software
[2010/10/13 07:40:39 | 000,000,000 | ---D | C] -- C:\Program Files\SmartSync Software
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/28 13:53:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/10/28 10:31:38 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_7e0.dat
[2010/10/28 10:19:04 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_2fc.dat
[2010/10/26 11:05:08 | 001,199,186 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2010/10/24 13:56:17 | 000,000,212 | ---- | M] () -- C:\WINNT\tasks\7z E-mail.job
[2010/10/18 09:48:42 | 535,826,432 | ---- | M] () -- C:\WINNT\MEMORY.DMP
[2010/10/18 08:17:37 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_7d0.dat
[2010/10/18 08:13:38 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_378.dat
[2010/10/17 11:07:42 | 000,285,230 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/10/17 10:08:41 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/16 18:08:56 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_6dc.dat
[2010/10/16 13:33:57 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_398.dat
[2010/10/16 13:18:48 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_3fc.dat
[2010/10/16 12:59:46 | 000,544,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/10/16 12:56:32 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/15 18:05:50 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2010/10/13 07:40:51 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SmartSync Pro 3.lnk
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/28 10:31:38 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_7e0.dat
[2010/10/28 10:31:38 | 000,000,063 | ---- | C] () -- C:\Documents and Settings\Administrator\20101028NA1.log
[2010/10/28 10:19:04 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_2fc.dat
[2010/10/18 08:17:37 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_7d0.dat
[2010/10/18 08:17:36 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\Administrator\20101018NA1.log
[2010/10/18 08:13:38 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_378.dat
[2010/10/17 11:08:23 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2010/10/17 11:07:40 | 000,285,230 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/10/17 11:02:02 | 000,544,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/10/17 10:08:41 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/16 18:08:56 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_6dc.dat
[2010/10/16 13:33:57 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_398.dat
[2010/10/16 13:18:48 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3fc.dat
[2010/10/16 12:56:14 | 000,000,249 | ---- | C] () -- C:\Documents and Settings\Administrator\20101016NA1.log
[2010/10/13 07:40:51 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SmartSync Pro 3.lnk
[2010/09/30 14:11:50 | 000,000,061 | ---- | C] () -- C:\Documents and Settings\Administrator\20100930NA1.log
[2007/09/05 13:36:25 | 000,000,049 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2007/03/01 15:31:57 | 000,000,143 | ---- | C] () -- C:\WINNT\wstdUPSWSHIP.INI
[2007/03/01 15:28:53 | 000,180,224 | ---- | C] () -- C:\WINNT\System32\nssckbi.dll
[2007/03/01 15:18:36 | 000,001,117 | ---- | C] () -- C:\WINNT\ODBC.INI
[2007/02/28 10:42:53 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2004/12/15 12:28:57 | 000,684,032 | ---- | C] () -- C:\WINNT\System32\U2libeay32.dll
[2004/12/15 12:28:57 | 000,155,648 | ---- | C] () -- C:\WINNT\System32\U2ssleay32.dll
[2004/12/02 17:33:00 | 000,000,132 | ---- | C] () -- C:\WINNT\wininit.ini
[2004/10/25 11:38:34 | 000,000,047 | ---- | C] () -- C:\WINNT\InoSetup.ini
[2004/10/19 18:55:39 | 000,017,168 | ---- | C] () -- C:\WINNT\System32\ismsink.dll
[2004/10/19 18:14:53 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2004/10/19 18:14:27 | 000,000,000 | ---- | C] () -- C:\WINNT\frontpg.ini
[2004/10/19 17:52:28 | 000,133,752 | ---- | C] () -- C:\WINNT\System32\schema.ini
[2004/10/19 17:52:24 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2004/10/19 17:52:18 | 000,022,582 | ---- | C] () -- C:\WINNT\System32\ntdsctrs.ini
[2004/10/19 17:52:18 | 000,020,386 | ---- | C] () -- C:\WINNT\System32\ntfrsrep.ini
[2004/10/19 17:52:18 | 000,005,597 | ---- | C] () -- C:\WINNT\System32\ntfrscon.ini
[2004/10/19 17:51:32 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2004/10/19 17:51:28 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[2004/10/19 17:51:26 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2004/10/19 14:12:18 | 000,021,789 | ---- | C] () -- C:\WINNT\System32\smtpctrs.ini
[2004/10/19 14:12:18 | 000,001,037 | ---- | C] () -- C:\WINNT\System32\ntfsdrct.ini
[2004/10/19 14:11:49 | 000,038,523 | ---- | C] () -- C:\WINNT\System32\w3ctrs.ini
[2004/10/19 14:11:49 | 000,009,584 | ---- | C] () -- C:\WINNT\System32\axperf.ini
[2004/10/19 14:11:47 | 000,011,355 | ---- | C] () -- C:\WINNT\System32\infoctrs.ini
[2004/10/19 14:02:17 | 000,131,072 | R--- | C] () -- C:\WINNT\System32\e1000msg.dll
[2004/10/19 14:01:13 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[1999/09/25 06:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 06:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2004/11/18 04:41:06 | 000,122,880 | ---- | M] (Igor Pavlov) -- C:\7z.exe
[2008/06/11 10:28:15 | 010,662,355 | ---- | M] (Computer Associates Int'l ) -- C:\fv_nt86.exe


< MD5 for: EXPLORER.EXE >
[2003/06/19 15:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) MD5=59CF2B7DCED9111F48F51B4B570E672D -- C:\WINNT\explorer.exe
[2003/06/19 15:05:04 | 000,245,520 | ---- | M] (Microsoft Corporation) MD5=AAB07C56AFABCA84E036D09A7EEEC1B4 -- C:\WINNT\ServicePackFiles\i386\explorer.exe
[2003/06/19 15:05:04 | 000,245,520 | ---- | M] (Microsoft Corporation) MD5=AAB07C56AFABCA84E036D09A7EEEC1B4 -- C:\WINNT\system32\dllcache\explorer.exe

< MD5 for: WINLOGON.EXE >
[2003/06/19 15:05:04 | 000,181,008 | ---- | M] (Microsoft Corporation) MD5=3980C28D116D438BBB36FB38526FDE1A -- C:\WINNT\$NtUninstallKB840987$\winlogon.exe
[2003/06/19 15:05:04 | 000,181,008 | ---- | M] (Microsoft Corporation) MD5=3980C28D116D438BBB36FB38526FDE1A -- C:\WINNT\ServicePackFiles\i386\winlogon.exe
[2004/08/24 18:59:09 | 000,182,544 | ---- | M] (Microsoft Corporation) MD5=5922E8055EB439A58EF29530D8567A40 -- C:\WINNT\$NtUninstallKB841533$\winlogon.exe
[2004/08/24 18:59:09 | 000,182,544 | ---- | M] (Microsoft Corporation) MD5=5922E8055EB439A58EF29530D8567A40 -- C:\WINNT\$NtUpdateRollupPackUninstall$\winlogon.exe
[2005/04/08 04:51:16 | 000,186,640 | ---- | M] (Microsoft Corporation) MD5=BB1DAF6A5737652646D52665251A0265 -- C:\WINNT\system32\dllcache\winlogon.exe
[2005/04/08 04:51:16 | 000,186,640 | ---- | M] (Microsoft Corporation) MD5=BB1DAF6A5737652646D52665251A0265 -- C:\WINNT\system32\WINLOGON.EXE

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINNT\system32\*.tmp files -> C:\WINNT\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/10/19 13:58:38 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2004/10/19 13:58:38 | 000,540,672 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2004/10/19 13:58:38 | 000,376,832 | ---- | M] () -- C:\WINNT\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Microsoft UAM Volume:AFP_AfpInfo
@Alternate Data Stream - 44 bytes -> C:\Microsoft UAM Volume:AFP_DeskTop
@Alternate Data Stream - 4096 bytes -> C:\Microsoft UAM Volume:AFP_IdIndex

< End of report >

Extras.Txt:
OTL Extras logfile created on: 10/28/2010 1:55:31 PM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Advanced Server Edition Service Pack 4 (Version = 5.0.2195) - Type = NTServer
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 154.00 Mb Available Physical Memory | 30.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 20.37 Gb Free Space | 54.73% Space Free | Partition Type: NTFS
Drive D: | 372.61 Gb Total Space | 9.65 Gb Free Space | 2.59% Space Free | Partition Type: NTFS
Drive F: | 372.61 Gb Total Space | 8.26 Gb Free Space | 2.22% Space Free | Partition Type: NTFS
Drive G: | 372.61 Gb Total Space | 82.11 Gb Free Space | 22.04% Space Free | Partition Type: NTFS

Computer Name: SERVER-TWO | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{062634E2-1D6A-456A-8D6B-29B83C04DB37}" = UniAdmin
"{2792F12C-3515-4D69-8083-B557AF35F06F}" = LightScribe 1.4.89.1
"{2A033A00-FE0D-4609-B0E8-2C49CC494FC8}" = WorldShip
"{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}" = Data Lifeguard
"{30C10EE3-EFB3-4B7A-9CDC-50790C2B5200}" = CA Licensing
"{33035862-543C-4405-9CC6-08593CF2C25F}" = ReportServer
"{447716E9-424F-4DA4-92C3-A52B597E1EC7}" =
"{451D153E-24FF-4089-B4B2-B62A669EB63F}" = UniData RDBMS 6.1
"{4AE3EAC8-FAD9-4ECC-A339-BBAD8C72DE71}" = UPSDB
"{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}" = GetDataBack for NTFS
"{56B59C2A-EFB8-44AC-88F5-3280171E4522}" = PolicyManager
"{5AE59A84-B2F3-42CC-A246-5AF80F6EE770}" = Reconciler
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{68AF09E3-1167-4771-903C-CCCDCF7E171C}" = NRF
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{8C5BD501-AD5D-4A75-9321-076509B438FC}" = WebHelp
"{8DE4AC83-5D22-40C5-B4D1-CC2285C0CAA0}" =
"{9376D1C4-434F-40C9-90AC-ED6F22D36F3A}" = NA1Messenger
"{95749C5B-BC37-41E3-8D39-EEF4C21A2825}" = CCC
"{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}" = DiscWizard for Windows
"{AA9DAC4C-E69D-43C0-8015-6036004D80FE}" = WhosOn Client
"{C30E30A6-0AB5-470A-AB67-D322938F5429}" = SupportUtility
"{C9D43B38-34AD-4EC2-B696-46F42D49D174}" = MSIChecker
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D629903C-0C85-4425-ACE5-38CFD312AF0B}" = ActivePerl 5.8.4 Build 810
"{DB2C58E0-6284-4B48-97F2-22A980B6360B}" = System
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (UPSWSDBSERVER)
"{EA9629DA-5715-48BA-B054-28169702B176}" = FOSS
"{ED782024-4713-4DD6-85FA-B2B038DE4007}" = RRU
"7-Zip" = 7-Zip 4.12 beta
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"ATI Display Driver" = ATI Display Driver
"AVANTRIX CD-DVD Writer_is1" = AVANTRIX CD-DVD Writer v1.0
"DVD Identifier_is1" = DVD Identifier
"eTrust Antivirus" = CA eTrust Antivirus
"Intel® 537 Modem" = Intel® 537 Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NeroMultiInstaller!UninstallKey" = Nero Suite
"PROSet" = Intel® PRO Network Adapters and Drivers
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"Q903235" = Internet Explorer Q903235
"SmartSync Pro" = SmartSync Pro
"SmartSync Pro 3" = SmartSync Pro 3
"The File Splitter 1.31_is1" = The File Splitter 1.31
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"UPS WorldShip" = UPS WorldShip
"WhosOn Client" = WhosOn Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonDataConv" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonDynArray" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonDynFile" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonFileIo" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonIndex" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonLock" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonMglm" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonMsg" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonProg" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

Error - 10/28/2010 10:31:45 AM | Computer Name = SERVER-TWO | Source = Perflib | ID = 1008
Description = The Open Procedure for service "UdtMonSeqIo" in DLL "C:\IBM\ud61\Udtmon\UdtMon.dll"
failed. Performance data for this service will not be available. Status code returned
is data DWORD 0.

[ System Events ]
Error - 10/18/2010 8:15:45 AM | Computer Name = SERVER-TWO | Source = EventLog | ID = 6000
Description = The Application log file is full.

Error - 10/18/2010 8:15:34 AM | Computer Name = SERVER-TWO | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:13:18 AM on 10/18/2010 was unexpected.

Error - 10/18/2010 9:45:59 AM | Computer Name = SERVER-TWO | Source = EventLog | ID = 6000
Description = The Application log file is full.

Error - 10/18/2010 9:45:44 AM | Computer Name = SERVER-TWO | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:40:38 AM on 10/18/2010 was unexpected.


< End of report >
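The "< MD5 for: EXPLORER.EXE >" custom scan in the OTL log above shows the live C:\WINNT\explorer.exe (243,472 bytes) carrying a different size and MD5 than the protected copies in system32\dllcache and ServicePackFiles\i386 (245,520 bytes), which is the footprint a file infector leaves on a system binary. The following is an added Python example, not OTL's or the poster's code, of that same comparison run over a constructed mock %SystemRoot% tree (the REFERENCE_DIRS are the standard Windows 2000 locations; the file contents are made up, not real binaries):

```python
"""Added example (not OTL's code): flag live Windows binaries whose size or MD5
differs from the protected copies the OS keeps in dllcache / ServicePackFiles.
This is the comparison the "< MD5 for: EXPLORER.EXE >" custom scan in the log
performs; a file infector that patches code into an .exe changes both values."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Directories (relative to %SystemRoot%) where Windows 2000 keeps pristine copies.
REFERENCE_DIRS = (
    os.path.join("system32", "dllcache"),
    os.path.join("ServicePackFiles", "i386"),
)


@dataclass
class Finding:
    name: str
    live_path: str
    live_size: int
    live_md5: str
    ref_path: str
    ref_size: int
    ref_md5: str


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def find_reference(systemroot, name):
    """First protected copy of `name` found under REFERENCE_DIRS, or None."""
    for rel in REFERENCE_DIRS:
        candidate = os.path.join(systemroot, rel, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def check_binaries(systemroot, live_rel_paths):
    """Return a Finding for every live binary that disagrees with its reference.

    Caveats a responder has to keep in mind: a mismatch can also be a legitimate
    hotfix (the log shows three winlogon.exe builds across $NtUninstall* folders),
    so cross-check against the patch history; and a match proves little if the
    infector wrote to dllcache as well, so prefer hashes taken from install media.
    """
    findings = []
    for rel in live_rel_paths:
        live = os.path.join(systemroot, rel)
        ref = find_reference(systemroot, os.path.basename(rel))
        if ref is None or not os.path.isfile(live):
            continue  # nothing to compare against
        live_size, ref_size = os.path.getsize(live), os.path.getsize(ref)
        live_md5, ref_md5 = md5_of(live), md5_of(ref)
        if live_size != ref_size or live_md5 != ref_md5:
            findings.append(Finding(os.path.basename(rel), live, live_size,
                                    live_md5, ref, ref_size, ref_md5))
    return findings


def build_sample_tree():
    """Constructed mock %SystemRoot% (not real binaries): explorer.exe in the
    root differs from its two protected copies, as in the posted log, while
    winlogon.exe in system32 matches its dllcache copy."""
    root = tempfile.mkdtemp(prefix="winnt_")
    clean_explorer = b"MZ" + b"\x00" * 300 + b"explorer original code"
    patched_explorer = b"MZ" + b"\x00" * 300 + b"explorer" + b"\x90" * 64  # altered tail
    clean_winlogon = b"MZ" + b"\x00" * 200 + b"winlogon original code"
    layout = {
        "explorer.exe": patched_explorer,
        os.path.join("system32", "dllcache", "explorer.exe"): clean_explorer,
        os.path.join("ServicePackFiles", "i386", "explorer.exe"): clean_explorer,
        os.path.join("system32", "winlogon.exe"): clean_winlogon,
        os.path.join("system32", "dllcache", "winlogon.exe"): clean_winlogon,
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def scan_sample():
    """Run the check over the constructed tree; only explorer.exe should be flagged."""
    root = build_sample_tree()
    return check_binaries(root, ["explorer.exe",
                                 os.path.join("system32", "winlogon.exe")])


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.name}: live {f.live_size} bytes MD5={f.live_md5} differs from "
              f"{f.ref_path} ({f.ref_size} bytes MD5={f.ref_md5})")
```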

#4 myrti

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 01 November 2010 - 06:19 AM

Hi,

could you please upload the patched file here:

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the file, then click Submit.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 troyd1
  • Topic Starter
  • Members
  • 6 posts

Posted 01 November 2010 - 06:42 AM

Scanners (definition date - result):
2010-11-01 - Found nothing
2010-11-01 - Win32.Murofet.A
2010-11-01 - Win32:Patched-RR
2010-11-01 - Trojan-Downloader.Win32.Murofet
2010-10-31 - Win32/Murof
2010-10-31 - Virus.Win32.Murofet.a
2010-11-01 - W32/Murofet.A
2010-11-01 - Win32/TrojanDownloader.Small.PAC Patched
2010-11-01 - Win32.Murofet.A
2010-11-01 - W32/Patched.AE
2010-11-01 - Found nothing
2010-11-01 - W32.Murofet.A
2010-11-01 - Found nothing
2010-11-01 - W32/Murofet-A
2010-11-01 - Win32.Panda
2010-10-29 - Virus.Win32.Murofet.A
2010-11-01 - W32/Murofet.A
2010-10-31 - Win32.ZBot.Gen
2010-11-01 - Win32.Murofet.A

The scanners did not come over with the cut and paste.

#6 myrti

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 01 November 2010 - 07:36 AM

Hi,

that is not so important, however I would like to have the additional file information: the name, the md5 and such.

regards myrti



#7 troyd1
  • Topic Starter
  • Members
  • 6 posts

Posted 01 November 2010 - 07:40 AM

I went to the syslog and there are many files that are corrupt, but the one I used was comp.exe. Here is the additional info.
File size: 17680 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: a5a7d2eb9cb7abca2b6d59e978ad3b84
SHA1: 9ec2f9ebc9d4a9d86fd81e30b25c4f04aae21662

#8 myrti

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 01 November 2010 - 09:05 AM

Hi,

I'm looking into this right now, and checking with a couple of colleagues. But this seems to be a file infector with password stealing capabilities.

For more information see here:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FMurofet.A
http://www.prevx.com/blog/158/WinMurofet-what-day-is-today.html

My advice with file infectors is usually a reformat. Even if you find an anti virus program that can remove the code, there will frequently be broken files, where the wrong portion of code was removed, leading to an unstable PC, which will force you to reformat eventually.

If I see a solution other than a reformat, I'll let you know.

regards myrti



#9 troyd1


Posted 01 November 2010 - 11:00 AM

Would ComboFix possibly fix this? The reformat is a bad option for this machine.

#10 myrti


Posted 02 November 2010 - 03:34 AM

Hi,

ComboFix would definitely not fix this. It is in no way aimed at this type of infection, it would probably break things more than they already are.

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Any vendor that detected the file at Jotti should be able to find the infected files on your system. Please keep in mind though, that they might delete the files they can not disinfect, leaving your OS unbootable. BleepingComputer can not be held responsible for anything that happens if you try this.
If you want to give it a go anyways, burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.



I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc..
Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.


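An added example, not code from this thread or from any of the vendors mentioned in it: a small Python triage script that applies the two checks the thread discusses before anything is copied off a box. It hashes each file and compares against the MD5/SHA1 posted for the infected comp.exe in #7, and it refuses to treat PE images (anything starting with the `MZ` DOS stub, whatever its extension) or the extensions listed in #10 as safe to back up. The sample tree in `demo()` is constructed on the fly and contains no real malware; because the real comp.exe is not available offline, the demo uses the hash of one of its own constructed files as the IoC, while the posted hashes sit in `KNOWN_BAD_MD5`/`KNOWN_BAD_SHA1` for use on a real system.

```python
import hashlib
import os
import tempfile

# Hashes of the infected comp.exe as posted in this thread (#7).
KNOWN_BAD_MD5 = {"a5a7d2eb9cb7abca2b6d59e978ad3b84"}
KNOWN_BAD_SHA1 = {"9ec2f9ebc9d4a9d86fd81e30b25c4f04aae21662"}

# File types the advice in #10 says not to back up.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def is_pe_executable(path):
    """True if the file starts with the 'MZ' DOS stub every PE image carries.
    This catches executables renamed to a harmless-looking extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path, bad_md5=KNOWN_BAD_MD5, bad_sha1=KNOWN_BAD_SHA1):
    """Decide what to do with one file before it goes into a backup set."""
    md5, sha1 = file_hashes(path)
    if md5 in bad_md5 or sha1 in bad_sha1:
        return "known-bad"            # matches a posted IoC: do not copy anywhere
    if is_pe_executable(path):
        return "executable"           # a PE image, whatever its name says
    if os.path.splitext(path)[1].lower() in EXCLUDED_EXTENSIONS:
        return "excluded-extension"   # scripts/archives/web files per the advice
    return "safe-to-backup"


def triage_tree(root, **kwargs):
    """Walk a directory tree and map each file's relative path to its verdict."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdicts[os.path.relpath(full, root)] = classify(full, **kwargs)
    return verdicts


def demo():
    """Constructed sample tree (not real malware) that exercises every verdict."""
    root = tempfile.mkdtemp(prefix="triage-")
    samples = {
        "report.doc": b"quarterly numbers",            # plain document
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,      # obvious executable
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,      # executable hiding behind .jpg
        "index.html": b"<html></html>",                # excluded by extension
        "dropper.bin": b"constructed sample",           # flagged by hash below
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    # The constructed sample's own hash stands in for the IoC so the demo runs
    # offline; on a real system use KNOWN_BAD_MD5 / KNOWN_BAD_SHA1 instead.
    bad_md5, _ = file_hashes(os.path.join(root, "dropper.bin"))
    return triage_tree(root, bad_md5={bad_md5}, bad_sha1=set())


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:20s} {rel}")
```

The hash match only finds copies of the one file whose hashes were posted; a file infector patches many different executables, so the `MZ` check is what actually keeps infected programs out of the backup set, and it deliberately ignores the filename, since an extension is the one thing a renamed file will lie about.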

#11 troyd1


Posted 02 November 2010 - 07:14 AM

Thank you for your advice.

#12 myrti


Posted 15 November 2010 - 06:22 AM

Since it has gone stale, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

