
Antimalware Doctor


  • This topic is locked
40 replies to this topic

#1 hitechredneck

hitechredneck

  • Members
  • 26 posts

Posted 09 May 2011 - 11:38 PM

Had Microsoft Security Essentials and M-bam installed and up to date when infected.

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-09 23:26:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0
Running: gmer.exe; Driver: C:\DOCUME~1\ITadmin\LOCALS~1\Temp\awlyrpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8455360, 0x3475F7, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB1BA7A00]
? C:\DOCUME~1\ITadmin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2204] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2436] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device AA39ED20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci 20480 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci 20480 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci 24576 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0013.000 240 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0013.001 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0013.002 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.ci 8192 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.ci 24576 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.ci 32768 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.ci 69632 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.ci 28672 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid 65536 bytes

---- EOF - GMER 1.0.15 ----



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 20 May 2011 - 02:26 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 hitechredneck

hitechredneck
  • Topic Starter

  • Members
  • 26 posts

Posted 20 May 2011 - 04:58 PM

I am running the suggested items. I was without access because of this for several days.

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 20 May 2011 - 05:11 PM

Okay.



#5 hitechredneck

hitechredneck
  • Topic Starter

  • Members
  • 26 posts

Posted 20 May 2011 - 05:23 PM

I had a few machines get infected at the same time. I am not exactly sure which machine this post was for. I think this was it (it is infected). As long as I stay with this one, are we OK, or were my previous scans that I posted of importance? I am going to have to do them all at some time anyway. I can probably figure it out anyway with some time.

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 20 May 2011 - 05:48 PM

> I had a few machines get infected at the same time. I am not exactly sure which machine this post was for. I think this was it (it is infected). As long as I stay with this one, are we OK, or were my previous scans that I posted of importance? I am going to have to do them all at some time anyway. I can probably figure it out anyway with some time.

Yeah, that's fine. Those other logs weren't of that much importance. I didn't look through them that extensively.



#7 hitechredneck

hitechredneck
  • Topic Starter

  • Members
  • 26 posts

Posted 20 May 2011 - 06:50 PM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 2003
Version 5.2.3790 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
0x80800000 C:\WINDOWS\system32\ntkrnlpa.exe 2424832 bytes (Microsoft Corporation, NT Kernel & System)
0x80800000 PnpManager 2424832 bytes
0x80800000 RAW 2424832 bytes
0x80800000 WMIxWDM 2424832 bytes
0xBF800000 Win32k 1912832 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1912832 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7B4A000 Ntfs.sys 610304 bytes (Microsoft Corporation, NT File System Driver)
0xB982B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 606208 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB95EA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 483328 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9175000 C:\WINDOWS\system32\DRIVERS\srv.sys 409600 bytes (Microsoft Corporation, Server driver)
0xB92F1000 C:\WINDOWS\System32\Drivers\HTTP.sys 331776 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF9EA000 C:\WINDOWS\System32\ATMFD.DLL 307200 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9A9D000 C:\WINDOWS\system32\DRIVERS\update.sys 303104 bytes (Microsoft Corporation, Update Driver)
0xF76C8000 NDIS.sys 258048 bytes (Microsoft Corporation, NDIS 5.2 wrapper driver)
0xB9B0E000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 225280 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7352000 ACPI.sys 212992 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB97FA000 C:\WINDOWS\system32\DRIVERS\netbt.sys 200704 bytes (Microsoft Corporation, MBT Transport driver)
0xB97A0000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 196608 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x80A50000 ACPI_HAL 180224 bytes
0xF72E9000 dmio.sys 180224 bytes (Microsoft Corporation, NT Disk Manager I/O Driver)
0x80A50000 C:\WINDOWS\system32\hal.dll 180224 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB97D0000 C:\WINDOWS\System32\drivers\afd.sys 172032 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB8D10000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB95C0000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 172032 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9BF7000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 172032 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF72BF000 volsnap.sys 172032 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7315000 ftdisk.sys 159744 bytes (Microsoft Corporation, FT Disk Driver)
0xB9AE7000 C:\WINDOWS\system32\DRIVERS\ks.sys 159744 bytes (Microsoft Corporation, Kernel CSA Library)
0xF7225000 KSecDD.sys 155648 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF724B000 fltmgr.sys 151552 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9BD6000 C:\WINDOWS\system32\DRIVERS\SiSGbeXP.sys 135168 bytes (Silicon Integrated Systems Corp., NDIS 5.1 Miniport Driver for SiS191/SiS190 Ethernet Device)
0xF7206000 Mup.sys 126976 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7283000 C:\WINDOWS\system32\drivers\SCSIPORT.SYS 126976 bytes (Microsoft Corporation, SCSI Port Driver)
0xBFF60000 C:\WINDOWS\System32\RDPDD.dll 122880 bytes (Microsoft Corporation, RDP Display Driver)
0xF72A2000 atapi.sys 118784 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9C36000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 114688 bytes (Microsoft Corporation, Video Port Driver)
0xB98BF000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 102400 bytes (Microsoft Corporation, IPSec Driver)
0xB9B57000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 102400 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9B97000 C:\WINDOWS\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0xBF9D3000 C:\WINDOWS\System32\drivers\dxg.sys 94208 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF733C000 pci.sys 90112 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB959A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 86016 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB9C21000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 86016 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB9BAF000 C:\WINDOWS\system32\DRIVERS\serial.sys 86016 bytes (Microsoft Corporation, Serial Device Driver)
0xB9A68000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 86016 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB9B70000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 81920 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7270000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 77824 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB9B84000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0xB9BC4000 C:\WINDOWS\system32\DRIVERS\el90xbc5.sys 73728 bytes (3Com Corporation, 3Com EtherLink PCI Driver)
0xB9B45000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 73728 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB95AF000 C:\WINDOWS\System32\Drivers\Fips.SYS 69632 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF74D7000 disk.sys 65536 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7507000 gagp30kx.sys 65536 bytes (Microsoft Corporation, MS Generic AGPv3.0 Filter for K8/9 Processor Platforms)
0xF74B7000 MountMgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0xB9E36000 C:\WINDOWS\system32\DRIVERS\amdk8.sys 61440 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF7497000 isapnp.sys 61440 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7617000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7667000 C:\WINDOWS\system32\DRIVERS\termdd.sys 61440 bytes (Microsoft Corporation, Terminal Server Driver)
0xB9958000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 57344 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7637000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 57344 bytes (Microsoft Corporation, NDIS Proxy)
0xB9948000 C:\WINDOWS\system32\DRIVERS\netbios.sys 53248 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB9968000 C:\WINDOWS\System32\Drivers\Npfs.SYS 53248 bytes (Microsoft Corporation, NPFS Driver)
0xF74A7000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 53248 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7677000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 53248 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF74E7000 Dfs.sys 49152 bytes (Microsoft Corporation, Distributed File System Filter Driver)
0xB8870000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 49152 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB9E26000 C:\WINDOWS\system32\DRIVERS\vgapnp.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB9DE6000 C:\WINDOWS\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB9DD6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB9978000 C:\WINDOWS\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0xF74C7000 PartMgr.sys 45056 bytes (Microsoft Corporation, Partition Manager)
0xB9DA6000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 45056 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7627000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0xF74F7000 crcdisk.sys 40960 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0xB9988000 C:\WINDOWS\System32\Drivers\dump_diskdump.sys 40960 bytes
0xB9670000 C:\WINDOWS\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0xF7607000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 40960 bytes (Microsoft Corporation, Floppy Driver)
0xB9DF6000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 40960 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7647000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9DB6000 C:\WINDOWS\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBAF38000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 36864 bytes (Microsoft Corporation, System Management BIOS Driver)
0xBAF08000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 36864 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB89A0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB9E06000 C:\WINDOWS\system32\DRIVERS\raspti.sys 36864 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB9E16000 C:\WINDOWS\system32\DRIVERS\watchdog.sys 36864 bytes (Microsoft Corporation, Watchdog Driver)
0xF7487000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\audstub.sys 32768 bytes (Microsoft Corporation, AudStub Driver)
0xF770F000 C:\WINDOWS\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0xB9C9A000 C:\WINDOWS\System32\Drivers\dump_SiSRaid2.sys 32768 bytes
0xBFF40000 C:\WINDOWS\System32\framebuf.dll 32768 bytes (Microsoft Corporation, Framebuffer Display Driver)
0xF777F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 32768 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7707000 C:\WINDOWS\system32\KDCOM.DLL 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7797000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 32768 bytes (Microsoft Corporation, Frame buffer simulator)
0xF779F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 32768 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF77A7000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0xF7727000 SiSRaid2.sys 32768 bytes (Silicon Integrated Systems Corp, SiS RAID Miniport Driver)
0xF774F000 C:\WINDOWS\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0xF771F000 dmload.sys 28672 bytes (Microsoft Corporation, NT Disk Manager Startup Driver)
0xF7787000 C:\WINDOWS\System32\drivers\dxgthk.sys 28672 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7757000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF776F000 C:\WINDOWS\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0xB9750000 C:\WINDOWS\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7717000 pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF77CF000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77B7000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF789B000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7897000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF79DD000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79E3000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
OTL logfile created on: 5/20/2011 5:14:02 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.39 Gb Total Space | 37.02 Gb Free Space | 72.05% Space Free | Partition Type: NTFS
Drive E: | 97.65 Gb Total Space | 93.13 Gb Free Space | 95.37% Space Free | Partition Type: NTFS
Drive F: | 3.77 Gb Total Space | 2.74 Gb Free Space | 72.53% Space Free | Partition Type: NTFS

Computer Name: WS2003 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/20 16:51:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/05/12 23:28:02 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB255.tmp
PRC - [2011/05/12 23:27:41 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB24E.tmp
PRC - [2011/05/12 23:27:20 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB247.tmp
PRC - [2011/05/12 23:25:50 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB239.tmp
PRC - [2011/05/12 23:25:29 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB232.tmp
PRC - [2011/05/12 23:25:08 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB22B.tmp
PRC - [2011/05/12 23:24:48 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB223.tmp
PRC - [2011/05/12 23:23:39 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB21B.tmp
PRC - [2011/05/12 21:18:13 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB20E.tmp
PRC - [2011/05/08 14:54:43 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB1E1.tmp
PRC - [2011/05/04 09:24:54 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB1BE.tmp
PRC - [2011/05/04 01:55:56 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB1B7.tmp
PRC - [2011/05/04 01:55:35 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB1B0.tmp
PRC - [2011/05/04 01:55:14 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB1A9.tmp
PRC - [2011/05/04 01:54:54 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB1A2.tmp
PRC - [2011/05/04 01:53:44 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB19B.tmp
PRC - [2011/05/04 01:53:23 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB193.tmp
PRC - [2011/05/04 01:53:02 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB18B.tmp
PRC - [2011/05/04 01:52:42 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB184.tmp
PRC - [2011/05/04 01:51:34 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB17D.tmp
PRC - [2011/04/26 21:19:09 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB15E.tmp
PRC - [2011/04/22 05:45:17 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB106.tmp
PRC - [2011/04/22 05:44:56 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBFA.tmp
PRC - [2011/04/22 05:44:35 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBF3.tmp
PRC - [2011/04/22 05:44:14 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBEC.tmp
PRC - [2011/04/22 05:43:05 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBE5.tmp
PRC - [2011/04/22 05:42:44 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBDE.tmp
PRC - [2011/04/22 05:42:23 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBCA.tmp
PRC - [2011/04/22 05:42:02 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLBA8.tmp
PRC - [2011/04/22 05:40:57 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB9E.tmp
PRC - [2011/04/19 04:02:33 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB7C.tmp
PRC - [2011/04/19 04:02:07 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB60.tmp
PRC - [2011/04/19 04:01:41 | 000,071,680 | ---- | M] () -- C:\WINDOWS\Temp\GLB25.tmp
PRC - [2011/04/17 16:17:28 | 000,155,648 | ---- | M] (Netscape Communications) -- C:\WINDOWS\Temp\ns_temp\SETUP.EXE
PRC - [2011/02/15 18:34:50 | 000,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray.exe
PRC - [2009/10/12 12:34:56 | 000,388,096 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
PRC - [2007/02/18 00:30:48 | 001,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2007/02/17 03:55:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 03:43:18 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\oobechk.exe
PRC - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/17 02:58:36 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/01/21 15:15:50 | 000,135,168 | ---- | M] () -- C:\Program Files\Quest Software\Big Brother BTF\BBNT\1.08d\bin\bbnt.exe


========== Modules (SafeList) ==========

MOD - [2011/05/20 16:51:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/09/07 07:08:31 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
SRV - [2007/02/18 00:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 04:07:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 03:55:56 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 03:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 03:20:52 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/17 03:19:28 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/17 02:50:02 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2004/01/21 15:15:50 | 000,135,168 | ---- | M] () [Auto | Running] -- C:\Program Files\Quest Software\Big Brother BTF\BBNT\1.08d\bin\bbnt.exe -- (BigBrotherClient)
SRV - [2003/03/25 07:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2003/03/25 07:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)


========== Driver Services (SafeList) ==========

DRV - [2007/02/17 04:09:26 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/17 02:49:38 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2007/02/17 02:31:14 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/17 02:17:02 | 000,039,424 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\amdk8.sys -- (AmdK8)
DRV - [2005/04/19 17:50:00 | 000,125,952 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SiSGbeXP.sys -- (SiSGbeXP)
DRV - [2003/03/24 21:15:56 | 000,070,687 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3532292640-855261191-1743557987-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-3532292640-855261191-1743557987-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKU\S-1-5-21-3532292640-855261191-1743557987-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2003/03/25 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (alch)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-3532292640-855261191-1743557987-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252428979921 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290775751113 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/08 10:49:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/20 17:11:15 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/05/20 00:18:33 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2011/05/20 00:18:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\HiJackThis
[2011/05/19 22:53:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/20 16:51:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/05/20 16:50:21 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE.EXE
[2011/05/20 11:50:19 | 000,001,590 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Computer Management (2).lnk
[2011/05/20 01:39:05 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/20 00:19:49 | 000,002,457 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2011/05/16 04:34:04 | 000,001,367 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Security Configuration Wizard.lnk
[2011/05/16 04:25:23 | 000,583,252 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/16 04:25:23 | 000,114,754 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/12 16:45:28 | 000,000,870 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Baseline Security Analyzer 2.2.lnk
[2011/05/12 16:44:52 | 001,625,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBSASetup-x86-EN.msi
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/20 17:01:37 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RKUnhookerLE.EXE
[2011/05/20 00:18:33 | 000,002,457 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2011/05/12 16:45:28 | 000,000,876 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Baseline Security Analyzer 2.2.lnk
[2011/05/12 16:45:28 | 000,000,870 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Baseline Security Analyzer 2.2.lnk
[2011/05/12 16:44:45 | 001,625,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBSASetup-x86-EN.msi
[2009/09/28 23:22:56 | 000,000,012 | ---- | C] () -- C:\WINDOWS\Smexp.dll
[2009/09/13 20:10:17 | 000,000,132 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/10 16:33:06 | 000,149,504 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.EXE
[2009/09/10 16:33:06 | 000,042,026 | ---- | C] () -- C:\WINDOWS\php.ini
[2009/09/09 10:54:48 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2009/09/09 10:54:48 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2009/09/09 10:54:48 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2009/09/08 14:23:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2009/09/08 14:23:09 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2009/09/08 14:23:09 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2009/09/08 14:23:08 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/09/08 10:52:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/08 10:47:17 | 000,021,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/08 05:40:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/08 05:40:14 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/08 05:36:13 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\Property.dll
[2008/05/26 22:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 22:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/02/18 00:26:18 | 000,004,725 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/03/25 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/03/25 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/03/25 07:00:00 | 000,583,252 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/03/25 07:00:00 | 000,275,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/03/25 07:00:00 | 000,216,006 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/03/25 07:00:00 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2003/03/25 07:00:00 | 000,114,754 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/03/25 07:00:00 | 000,046,907 | ---- | C] () -- C:\WINDOWS\mib.bin
[2003/03/25 07:00:00 | 000,029,710 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/03/25 07:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2003/03/25 07:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2003/03/25 07:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2003/03/25 07:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2003/03/25 07:00:00 | 000,005,644 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2003/03/25 07:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2003/03/25 07:00:00 | 000,004,459 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/03/25 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/03/25 07:00:00 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\mqtgsvc.exe.cfg

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E00596C

< End of report >
OTL Extras logfile created on: 5/20/2011 5:14:02 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.39 Gb Total Space | 37.02 Gb Free Space | 72.05% Space Free | Partition Type: NTFS
Drive E: | 97.65 Gb Total Space | 93.13 Gb Free Space | 95.37% Space Free | Partition Type: NTFS
Drive F: | 3.77 Gb Total Space | 2.74 Gb Free Space | 72.53% Space Free | Partition Type: NTFS

Computer Name: WS2003 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.vbs [@ = VBSFile] -- C:\WINDOWS\system32\cscript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
vbsfile [open] -- %WINDIR%\System32\CScript.exe //nologo "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:192.168.0.0/255.255.255.0:Disabled:@xpsp2res.dll,-22009
"80:TCP" = 80:TCP:*:Enabled:HTTP
"21:TCP" = 21:TCP:*:Disabled:FTP
"1984:TCP" = 1984:TCP:*:Disabled:Big Brother
"25:TCP" = 25:TCP:*:Disabled:Port 25
"110:TCP" = 110:TCP:*:Disabled:Port 110
"53:TCP" = 53:TCP:*:Disabled:Port 53 DNS
"9951:UDP" = 9951:UDP:*:Disabled:9951 APC UPS
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Quest Software\Big Brother BTF\BBNT\1.08d\bin\bbnt.exe" = C:\Program Files\Quest Software\Big Brother BTF\BBNT\1.08d\bin\bbnt.exe:*:Disabled:bbnt.exe -- ()
"C:\Program Files\APC\APC Back-UPS HS\CFGUtil.exe" = C:\Program Files\APC\APC Back-UPS HS\CFGUtil.exe:*:Disabled:CFGUtil
"C:\WINDOWS\system32\cys.exe" = C:\WINDOWS\system32\cys.exe:*:Disabled:Configure Your Server Wizard -- (Microsoft Corporation)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Documents and Settings\Administrator\Desktop\SmtpDiag\SmtpDiag.exe" = C:\Documents and Settings\Administrator\Desktop\SmtpDiag\SmtpDiag.exe:*:Disabled:SmtpDiag.exe
"E:\Software\vnc-P4_5_1-x86_win32_viewer.exe" = E:\Software\vnc-P4_5_1-x86_win32_viewer.exe:*:Disabled:vnc-P4_5_1-x86_win32_viewer.exe -- (RealVNC Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{13CD417D-F1F1-4AC4-945D-FDDEB884756F}" = Microsoft Baseline Security Analyzer 2.2
"{30EFFF0C-573D-46FB-8AD5-20040827261A}" = IIS 6.0 Migration Tool (x86)
"{30EFFF0C-573D-46FB-8AD5-20051225261A}" = IIS Diagnostics Toolkit January 2006 (x86)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{6AD68BB6-944D-4605-901F-44F86C652099}" = Big Brother System and Network Monitor Client 1.08d
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9B2E8AF3-0BF6-4822-BF21-32D493319042}" = Component Checker
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.97
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/15/2011 8:34:51 PM | Computer Name = WS2003 | Source = W3SVC-WP | ID = 2216
Description = The script started from the URL '/download/winrar/wrar280.exe' with
parameters '' has not responded within the configured timeout period. The HTTP
server is terminating the script.

Error - 5/15/2011 8:36:00 PM | Computer Name = WS2003 | Source = W3SVC-WP | ID = 2216
Description = The script started from the URL '/download/winrar/wrar280.exe' with
parameters '' has not responded within the configured timeout period. The HTTP
server is terminating the script.

Error - 5/15/2011 8:36:21 PM | Computer Name = WS2003 | Source = W3SVC-WP | ID = 2216
Description = The script started from the URL '/download/winrar/wrar280.exe' with
parameters '' has not responded within the configured timeout period. The HTTP
server is terminating the script.

Error - 5/15/2011 8:36:42 PM | Computer Name = WS2003 | Source = W3SVC-WP | ID = 2216
Description = The script started from the URL '/download/winrar/wrar280.exe' with
parameters '' has not responded within the configured timeout period. The HTTP
server is terminating the script.

Error - 5/15/2011 8:37:03 PM | Computer Name = WS2003 | Source = W3SVC-WP | ID = 2216
Description = The script started from the URL '/download/winrar/wrar280.exe' with
parameters '' has not responded within the configured timeout period. The HTTP
server is terminating the script.

Error - 5/16/2011 6:29:08 AM | Computer Name = WS2003 | Source = Windows Search Service | ID = 3079
Description = Notifications for the volume f:\ are not active. Context: Windows
Application Details: The device is not ready. (0x80070015)

Error - 5/17/2011 2:39:03 AM | Computer Name = WS2003 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/18/2011 2:39:03 AM | Computer Name = WS2003 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/19/2011 2:39:03 AM | Computer Name = WS2003 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/20/2011 2:39:04 AM | Computer Name = WS2003 | Source = MPSampleSubmission | ID = 5000
Description =


< End of report >

#8 SweetTech

Posted 20 May 2011 - 07:04 PM

Hi!

I'm not really seeing any signs of malware on this computer.

This looks like a business-related computer. Does your company have its own IT Department?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 hitechredneck

hitechredneck
  • Topic Starter

Posted 20 May 2011 - 07:11 PM

It's mine, I'm IT. There is a Trunk_32.exe on it that seemed maybe to be the issue. It has been compromised in some way.

#10 SweetTech

Posted 20 May 2011 - 07:15 PM

Hi!

Okay, thanks for the clarification, just wanted to make sure.

I'm going to be upfront with you, I don't have that much experience working with Servers, but I'll do my best to ensure that I give you the best possible advice possible, and if I can't provide that, I'll see if I can find a colleague who can.

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Scanning with MalwareBytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.



#11 hitechredneck

hitechredneck
  • Topic Starter

Posted 20 May 2011 - 07:22 PM

It's a 2003 Windows Server. I run a few websites at my home. I had a couple of machines get a virus and at the same time it appears that this machine was compromised. I've been on here for a while (few years) but not sure what the rules are for servers. I guess it is business. Am I in the right area?

#12 hitechredneck

hitechredneck
  • Topic Starter

Posted 20 May 2011 - 10:19 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6630

Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

5/20/2011 10:13:02 PM
mbam-log-2011-05-20 (22-13-02).txt

Scan type: Quick scan
Objects scanned: 158286
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 SweetTech

Posted 21 May 2011 - 09:15 AM

Hi!

It's a 2003 Windows Server. I run a few websites at my home. I had a couple of machines get a virus and at the same time it appears that this machine was compromised. I've been on here for a while (few years) but not sure what the rules are for servers. I guess it is business. Am I in the right area?

Yes, this is the right forum for it.

Let's see what an online scan finds:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



#14 hitechredneck

hitechredneck
  • Topic Starter

Posted 21 May 2011 - 10:43 AM

I wanted to add that I have been taking this server on and offline for these. I have done most of this server offline. After our last discussion, when the box was hooked to the internet it updated ClamAV. I had a little bit tough time remembering where to stop ClamAV (it wasn't in service). Also I had shut down Windows Defender. From looking at some of the things I had done before and we had done, I suspected the hosts file was compromised. I did open HijackThis and look at it but didn't make any changes. I had a pretty good DOS attack going on last week and had to get new IPs. I suspect the box would be broadcasting its new location. So lies my concern for having it online. I can post that log. I hope that didn't derail us. They do show a corrupted hosts file. I have to be out for a bit, but will run the ESET scan when I get back.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:39:35 PM, on 5/20/2011
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Quest Software\Big Brother BTF\BBNT\1.08d\bin\bbnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O15 - ESC Trusted Zone: http://www.avg.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252428979921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290775751113
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B379DAAE-54F2-4FD8-9A5F-420149013BFD}: NameServer = 207.224.102.241
O17 - HKLM\System\CCS\Services\Tcpip\..\{F840144A-9D31-4E27-B8C3-C991D2752665}: NameServer = 207.224.102.241
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Big Brother SNM Client 1.08d (BigBrotherClient) - Unknown owner - C:\Program Files\Quest Software\Big Brother BTF\BBNT\1.08d\bin\bbnt.exe

--
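
The O1 (hosts file) and O17 (DNS server) lines of a HijackThis log like the one above can be checked mechanically. The following Python sketch is an added example, not part of the original post or of HijackThis; the function names and the 203.0.113.7 entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two localhost O1 lines and the O17 line are copied
# from the log above; the 203.0.113.7 line is made up to show a flagged entry.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.7 update.example.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B379DAAE-54F2-4FD8-9A5F-420149013BFD}: NameServer = 207.224.102.241
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")

def parse_log(text):
    """Return (hosts, nameservers) from HijackThis O1 and O17 lines."""
    hosts, nameservers = [], []
    for line in map(str.strip, text.splitlines()):
        m = O1_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = O17_RE.match(line)
        if m:
            # The value may hold several servers separated by commas or spaces.
            nameservers.extend(s for s in re.split(r"[,\s]+", m.group(1)) if s)
    return hosts, nameservers

def suspicious_hosts(hosts):
    """Flag hosts entries other than localhost mapped to a loopback address."""
    flagged = []
    for addr, name in hosts:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            flagged.append((addr, name, "unparseable address"))
            continue
        if name == "localhost" and loopback:
            continue
        reason = "name redirected to loopback" if loopback else "name redirected to " + addr
        flagged.append((addr, name, reason))
    return flagged

if __name__ == "__main__":
    hosts, dns = parse_log(SAMPLE_LOG)
    print("review:", suspicious_hosts(hosts), "| DNS to verify:", dns)
```

The DNS servers returned from the O17 lines are not judged by the script; they are listed so they can be compared against the resolvers the ISP or administrator actually assigned.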

#15 hitechredneck

hitechredneck
  • Topic Starter

Posted 21 May 2011 - 11:43 AM

The ESET download link does not work. I would like to download it on my workstation and move it over. I am running IE9, maybe the security is different.



