Rootkit and others on server


23 replies to this topic

#1 AllisonPJ

Posted 27 June 2011 - 03:02 PM

Hello,

I am hoping somewhere here is able to help me clean off whatever is infecting our server. A few weeks ago, we noticed when we came in to work in the mornings, the internet connection would be gone. Rebooting the server would solve the problem... for a while. Most days, by the next morning, it was down again. We also got a call from our ISP saying they'd gotten a report of a brute force attack coming from our IP address. We'd been dealing with viruses on one of the network computers the week before (one of those Windows Vista AntiSpyware things), but I removed it and every scan since has been clean. When the spotty internet thing started happening, I suspected something had gotten to the server, so I did some scans. I used Windows Defender, ClamWin and MalwareBytes. They all found things and removed them, then further scans came up clean. (some of what was found: Trojan-Poison-1140, Perfect keylogger, bpkwb.dll, a module.exe trojan and somewhere along the line one said it found a rootkit, but I can't find that log now to get an exact name). It ran better after that and we don't have the problem as often, though it still happens now and then, particularly on Saturdays for some reason. Today when I scanned again with MalwareBytes, it found more. The quick scan found a registry key for Trojan.WerTrans and the full scan later found 3 infected files: tss.exe, vnc.exe and vnc_scanner_gui.exe. It quarantined and removed them, but something tells me they'll be back.

Even though it seems to be working better, I'm still concerned, obviously. We're a small country club with no IT department (being the most computer-literate person in the building, I've become the de facto IT department). We have an outside contractor we call in for more complex things like networking, but when I called him and explained the problem, he told me all I could do was reformat or get a new server. I understand that's the best thing to do, but it's not practical for us right now. We don't have the finances to buy a new server at the moment (we're barely hanging on these days, so it's impossible to get approval to spend money on anything) and reformatting is going to cause a lot of problems with getting all our networking back up and running properly, so I'd like to leave that as a last resort. Since I've seen you guys help other people remove rootkits, I was hoping there might be a way to clean it without getting too drastic!

I've followed the preparations you listed, though I had to skip the DDS step: Windows Server 2003 isn't supported, apparently. Also, I didn't enable Windows Firewall because I'm afraid doing so will block computers that need to have access. Not only do all the computers in the building access the server, but our security cameras need access and our website needs access for customers to make tee times and for our members to log in and view their accounts. I don't want to risk messing up the business by enabling something that could block that, although it does concern me that we have no apparent firewall in effect. I'm assuming that our IT guy left it off for a reason when he set up our server and network, but I know what happens when you assume, so I'll definitely look into it when this is all done.

I'm attaching the GMER log as directed. Thanks in advance for your help!

Allison

Attached file: ark.txt (7.76KB)

Edited by AllisonPJ, 27 June 2011 - 03:17 PM.



#2 Elise

Malware Study Hall Admin

Posted 10 July 2011 - 02:58 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#3 AllisonPJ


Posted 10 July 2011 - 11:07 AM

Hi Elise,

Thank you for getting back to me. Unfortunately, as I mentioned in my original post, I am unable to do a DDS scan, as the program says it cannot run on Windows Server 2003. That is why I only included the log for the GMER scan. If there is another program I can use to scan, let me know and I will do it.

Since I posted, our server hasn't been quite as bad as it was. We aren't having to reboot it daily to get our Internet connection back, but knowing that rootkit is there is still making me nervous. I think running the various malware scans and removing everything has helped somewhat, but I do still run periodic Malwarebytes and Windows Defender scans to remove the trojans that keep coming back.

If you would like me to do another GMER scan, since it's been a few weeks since my original post, I can do that when I'm back at work tomorrow. Just let me know!

Thanks,
Allison

#4 Elise

Malware Study Hall Admin

Posted 10 July 2011 - 11:11 AM

Yes, we have tools that will run on a server; however, malware on a network is quite different from malware on a single computer. Malware can jump from terminal to terminal; you will need to isolate all computers on the network, clean them, and only afterwards reconnect everything. One infected USB drive or shared drive may reinfect everything.

Let's check for rootkits first.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#5 AllisonPJ


Posted 11 July 2011 - 12:53 PM

I ran the program as instructed. It says it didn't find anything. Here is the scan report:

2011/07/11 13:46:32.0281 4348 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/11 13:46:32.0812 4348 ================================================================================
2011/07/11 13:46:32.0812 4348 SystemInfo:
2011/07/11 13:46:32.0812 4348
2011/07/11 13:46:32.0812 4348 OS Version: 5.2.3790 ServicePack: 2.0
2011/07/11 13:46:32.0812 4348 Product type: Domain controller
2011/07/11 13:46:32.0812 4348 ComputerName: NT-SERVER
2011/07/11 13:46:32.0812 4348 UserName: Administrator
2011/07/11 13:46:32.0812 4348 Windows directory: C:\WINDOWS
2011/07/11 13:46:32.0812 4348 System windows directory: C:\WINDOWS
2011/07/11 13:46:32.0812 4348 Processor architecture: Intel x86
2011/07/11 13:46:32.0812 4348 Number of processors: 2
2011/07/11 13:46:32.0812 4348 Page size: 0x1000
2011/07/11 13:46:32.0812 4348 Boot type: Normal boot
2011/07/11 13:46:32.0812 4348 ================================================================================
2011/07/11 13:46:34.0968 4348 Initialize success
2011/07/11 13:47:39.0375 4236 ================================================================================
2011/07/11 13:47:39.0375 4236 Scan started
2011/07/11 13:47:39.0375 4236 Mode: Manual;
2011/07/11 13:47:39.0375 4236 ================================================================================
2011/07/11 13:47:41.0984 4236 aac (51c720768d680697d74341b3d84dadc6) C:\WINDOWS\system32\DRIVERS\aac.sys
2011/07/11 13:47:42.0375 4236 aar81xx (0d58741a53b2ce066ec54d5de8ed46df) C:\WINDOWS\system32\DRIVERS\aar81xx.sys
2011/07/11 13:47:42.0781 4236 aarich (6c49ce86c6314ecad93aab9565d31c73) C:\WINDOWS\system32\DRIVERS\aarich.sys
2011/07/11 13:47:43.0265 4236 ACPI (a0a850bac6f8a88ad0fc964c6bea170d) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/11 13:47:43.0734 4236 ACPIEC (043c89cc533ff546d835cb998b95b198) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/11 13:47:44.0171 4236 adpahci (83e725f4a5609c59fc782c29d00c191a) C:\WINDOWS\system32\DRIVERS\adpahci.sys
2011/07/11 13:47:45.0921 4236 AFD (336d51e35c5737809449128f421431a1) C:\WINDOWS\System32\drivers\afd.sys
2011/07/11 13:47:46.0343 4236 agp440 (b9985042687a43685fc64b282b627653) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/07/11 13:47:49.0031 4236 AsyncMac (a35b971f631d4dfdeb68d71e770d2ce9) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/11 13:47:49.0484 4236 atapi (ff953a8f08ca3f822127654375786bbe) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/11 13:47:50.0281 4236 Atmarpc (d12dad5032285343ce3aa4906f661181) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/11 13:47:51.0015 4236 audstub (5bfd980c2107d88101d1dc14055526fc) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/11 13:47:51.0531 4236 bchtsw32 (d332f411ec1bf8e7e9ea44f01783f5e2) C:\WINDOWS\system32\DRIVERS\bchtsw32.sys
2011/07/11 13:47:51.0921 4236 Beep (99572503e15a3d10239b7b9887cbaf89) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/11 13:47:52.0390 4236 cbidf2k (1342877de604a5a6bff986e288e3a8a7) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/11 13:47:53.0234 4236 Cdfs (e6d72780c957b69c48bfc66bc3ecdad4) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/11 13:47:53.0671 4236 Cdrom (825aa877a852ecc731fa0c39c8c37744) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/11 13:47:54.0609 4236 ClusDisk (54308cdf97622fae1620bb1ec39ef014) C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
2011/07/11 13:47:55.0515 4236 Cpqarray (126d049a6e6b6cb8df1c69d3e2a8c0c4) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/07/11 13:47:55.0937 4236 cpqarry2 (d31cb94a4acad58abb6cf74b7ef1ce1f) C:\WINDOWS\system32\DRIVERS\cpqarry2.sys
2011/07/11 13:47:56.0375 4236 cpqcissm (0c5dcc2df112b7352b9427d943cf56bc) C:\WINDOWS\system32\DRIVERS\cpqcissm.sys
2011/07/11 13:47:56.0812 4236 cpqfcalm (fed86c9f250fc641b37c933e4c214a8a) C:\WINDOWS\system32\DRIVERS\cpqfcalm.sys
2011/07/11 13:47:57.0218 4236 crcdisk (0ee27d9dbb208c13314f3c60f66aed26) C:\WINDOWS\system32\DRIVERS\crcdisk.sys
2011/07/11 13:47:59.0046 4236 DfsDriver (444726b01c31d29c70e60f7c35de43e5) C:\WINDOWS\system32\drivers\Dfs.sys
2011/07/11 13:47:59.0546 4236 Disk (98433302c02f1168efb7364f8111a179) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/11 13:48:00.0000 4236 dmboot (89fa376d83042f6f1aed505106a5719d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/11 13:48:00.0390 4236 dmio (15081421ee62dc1c95abb387d9081571) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/11 13:48:00.0828 4236 dmload (3d9bfa13b6f1cd2d91c50c52b32e91a2) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/11 13:48:02.0359 4236 Esdpdx01 (b33fa05b6fdfd75115ef3e9d72cf0027) C:\WINDOWS\system32\Drivers\ESDPDX01.SYS
2011/07/11 13:48:02.0578 4236 EXIFS (bcaeb10ce8d82f98924f8a4a000e6554) C:\WINDOWS\system32\drivers\exifs.sys
2011/07/11 13:48:03.0046 4236 express2 (95a5dc1d0bf6e63d2d5c47d33418f771) C:\WINDOWS\system32\DRIVERS\express2.sys
2011/07/11 13:48:03.0500 4236 Fastfat (e792a18abdc32286212dce8e75baa124) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/11 13:48:03.0953 4236 Fdc (5090cd3f6ab1d71ad507953cff556ea9) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/11 13:48:04.0421 4236 Fips (b485ac2edc466c538bdff32bc3f2e506) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/11 13:48:04.0906 4236 Flpydisk (c621a51f415419a3145a5939abde39fa) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/11 13:48:05.0312 4236 FltMgr (f978277ef786532195cdd9f88e908632) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/07/11 13:48:05.0750 4236 Fs_Rec (aebff3d810b74971b91b2b77b289a98b) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/11 13:48:06.0156 4236 Ftdisk (4c533b70afa917416aec57fcbeecb57d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/11 13:48:06.0578 4236 G200e (b41a3b610d48b8d200f46523a736ce63) C:\WINDOWS\system32\DRIVERS\G200em.sys
2011/07/11 13:48:07.0000 4236 Gpc (30b1653a955f548352024a5fee203cc3) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/11 13:48:07.0718 4236 HidUsb (90a325e14f9b95f17712707b1a7181b5) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/11 13:48:08.0593 4236 HpCISSs2 (9ccb1b1e2b08e561d966c8b4bab200de) C:\WINDOWS\system32\DRIVERS\HpCISSs2.sys
2011/07/11 13:48:09.0671 4236 HTTP (7a5d176c4b43f0a47da4051c96c56439) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/11 13:48:10.0906 4236 i8042prt (68e8ff9eeaf8b37a66cac2c57835ffbd) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/11 13:48:11.0296 4236 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/07/11 13:48:12.0265 4236 imapi (44c132b35921b54b4a9ac64369d86d83) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/11 13:48:12.0859 4236 IntelIde (1690a4be249ba6195ba7258943cada58) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/11 13:48:13.0234 4236 intelppm (7d7575b971b3a0fe26fac6f5d58f5180) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/11 13:48:13.0703 4236 Ip6Fw (d7e7e7898a05c53dd862b49828747c1e) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/07/11 13:48:14.0109 4236 IpFilterDriver (5a41f207b7c39ee4918f7496a4f19b14) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/11 13:48:14.0921 4236 IpNat (890e7a14a63aec2ea9257a79a88be784) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/11 13:48:15.0328 4236 IPSec (1a9aeac49683b32df55b7fb1516f3028) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/11 13:48:16.0109 4236 ip_fw (25fec959f1a85250705096aa28ffc6e3) C:\WINDOWS\system32\DRIVERS\ip_fw.sys
2011/07/11 13:48:16.0515 4236 IRENUM (11407ee682a2d5b0248de8af0f1a6996) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/11 13:48:16.0828 4236 isapnp (b71ba04a3b5d4404225ccdbf1969078f) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/11 13:48:17.0218 4236 Kbdclass (e5097a07e14f36abc21fa18d88f93655) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/11 13:48:17.0687 4236 kbdhid (665f2ae9286dbb05b045ccc02f7bc2f8) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/11 13:48:18.0187 4236 KSecDD (9a99005e1a41ab360de231fb8e2f6184) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/11 13:48:19.0281 4236 LSI_SAS (81eb3e50fe3b30a8085f8c82009af776) C:\WINDOWS\system32\DRIVERS\lsi_sas.sys
2011/07/11 13:48:19.0718 4236 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/07/11 13:48:20.0171 4236 mnmdd (c35bb38904d843c0465858195b30dab7) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/11 13:48:20.0718 4236 Modem (81ec1c6d3798b36a92a6d7a355ba2c62) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/11 13:48:21.0093 4236 Mouclass (aa50da5ab638ce0bab5f7d5d633110c2) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/11 13:48:21.0468 4236 mouhid (6824b20127716121b53a2ec2bd6739b7) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/11 13:48:21.0843 4236 MountMgr (fc43a7a34309c750b9daeadf2f6ec9b9) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/11 13:48:22.0312 4236 MRxDAV (ab6db63a1791f8e86b085291686464fd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/11 13:48:22.0765 4236 MRxSmb (31fbfd5e41c8bc896651c7b38578d35c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/11 13:48:23.0750 4236 Msfs (8f50b87361585763841c6b603d23260c) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/11 13:48:24.0406 4236 mssmbios (92afab2f216ce8ffbad3bc510fcf4a33) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/11 13:48:24.0921 4236 Mup (834560abee4eae62620f4026263aa051) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/11 13:48:25.0359 4236 NDIS (33739ab31d36184772af1ee132d5c2e2) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/11 13:48:25.0750 4236 NdisTapi (bbab8ce7a8d2b1302da0b03825d9cae4) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/11 13:48:26.0187 4236 Ndisuio (8b8e682b03483092e17ab9dfe70fedff) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/11 13:48:26.0609 4236 NdisWan (1b397eef4614419be5679e0209f7848b) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/11 13:48:27.0031 4236 NDProxy (5298ed90bbe5c5eeedc363eed2888a25) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/11 13:48:27.0484 4236 NetBIOS (a0d5d6ae530ca78a062fc0471f1e6f78) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/11 13:48:27.0812 4236 NetBT (5cd7cca08498ec8753b22e92d367ca11) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/11 13:48:28.0875 4236 NPF (ce48bb59fdb4e38de3712a05fee29e25) C:\WINDOWS\system32\drivers\npf.sys
2011/07/11 13:48:29.0281 4236 Npfs (d5bb605f6dcbdfe0129670c8de57913e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/11 13:48:29.0765 4236 Ntfs (482ea51aadb8763a0f67588c394ec693) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/11 13:48:30.0265 4236 Null (5db0ede7aaf3a7bc9110d18c12524be0) C:\WINDOWS\system32\drivers\Null.sys
2011/07/11 13:48:30.0671 4236 nvatabus (46eb0bf62304af88844a7a921c4f3284) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2011/07/11 13:48:31.0171 4236 nvraid (528c8c1e1f575bf0ed2ff54b0bd19286) C:\WINDOWS\system32\DRIVERS\nvraid.sys
2011/07/11 13:48:31.0609 4236 NwlnkIpx (e6146b331e349383b3f5722c9448ec4f) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2011/07/11 13:48:32.0015 4236 NwlnkNb (2b38fe6f5b11e4841fed5eaba342187b) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2011/07/11 13:48:32.0390 4236 NwlnkSpx (bec39eabaa826257d4d95a8271760efb) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2011/07/11 13:48:32.0859 4236 Parport (ee3333b36deb86a0d472f037172da10a) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/11 13:48:33.0265 4236 PartMgr (4eb6f7418959444a06d3c51eb81bff04) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/11 13:48:33.0765 4236 Parvdm (a9d29f3d7ae71b7ea721b53a0c436c66) C:\WINDOWS\system32\DRIVERS\parvdm.sys
2011/07/11 13:48:34.0171 4236 PCI (8217000e5c53ce823b3111f339e47c41) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/11 13:48:34.0593 4236 PCIIde (7e3fb50aa22d4ed883c6abdd40e9c60b) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/11 13:48:35.0000 4236 Pcmcia (fc9f4c9c73e9698357c836be4628a299) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/11 13:48:35.0375 4236 PCnet (80655c894b333909eea0de92a837f8dd) C:\WINDOWS\system32\DRIVERS\pcntpci5.sys
2011/07/11 13:48:37.0921 4236 PptpMiniport (4454f2639bcca93be86a45137e427277) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/11 13:48:38.0390 4236 Ptilink (0320fd91fb5ed4298355977cecfc0eb4) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/11 13:48:38.0828 4236 q57w2k (d24081941eebf371c43f03ae74b36267) C:\WINDOWS\system32\DRIVERS\q57xp32.sys
2011/07/11 13:48:39.0250 4236 qic157 (5edc779ca42afe3dd5145a818dbb1fd9) C:\WINDOWS\system32\DRIVERS\qic157.sys
2011/07/11 13:48:42.0875 4236 RasAcd (48ee7b6802c0306f9a66f34db7e9ef75) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/11 13:48:43.0281 4236 Rasl2tp (3633175613e052ecb41776dee2777a89) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/11 13:48:43.0812 4236 RasPppoe (59842f0a22216a71cade6f89fe84c973) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/11 13:48:44.0218 4236 Raspti (5b11871de804d3ed28bbdcc65fe14ede) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/11 13:48:44.0656 4236 Rdbss (4496b15c44ccb703fbc54f2cf5b67f15) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/11 13:48:45.0062 4236 RDPCDD (ac5bb528ecd2bea4ff4bff9df9baf749) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/11 13:48:45.0609 4236 rdpdr (ff678596b761e1ccba79f49981ef51bc) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/11 13:48:46.0031 4236 RDPWD (477d7af3c3583eb85e23375225650b1c) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/11 13:48:46.0546 4236 redbook (c6f8751f3263603935866e71629cfae4) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/11 13:48:47.0171 4236 sacdrv (34d79729d6e4d1289e08322405045085) C:\WINDOWS\system32\drivers\sacdrv.sys
2011/07/11 13:48:47.0281 4236 Suspicious service (NoAccess): SBCore
2011/07/11 13:48:47.0875 4236 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/11 13:48:48.0421 4236 serenum (b261d4597bf9a2723b7020207260c72a) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/11 13:48:48.0875 4236 Serial (95768fde08dd34089aa90dccb5537704) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/11 13:48:49.0375 4236 Sfloppy (831826dc54fa225f0b654ef2f1e13af9) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/11 13:48:50.0484 4236 Srv (e8b1a07774a9e4fec3105cbad49bf289) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/11 13:48:51.0203 4236 swenum (93965919785102ba847545ab460ce2df) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/11 13:48:51.0593 4236 symc810 (3d05bfdaef2d2d7eed998ba126fb3466) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/07/11 13:48:51.0984 4236 symc8xx (57f992062e8ff2d37572ec5823f956e7) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/07/11 13:48:52.0453 4236 symmpi (868204832e011e2d64281d7eabee572e) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2011/07/11 13:48:52.0906 4236 sym_hi (1fbddf0dc4583922c904195823ebd795) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/07/11 13:48:53.0578 4236 Tcpip (238dc2b879d1b37b91f8d5d44f3815d3) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/11 13:48:53.0953 4236 TDPIPE (45d49fb800463de84d1cc2e231319ad5) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/11 13:48:54.0390 4236 TDTCP (d7c31008de209b8b11ced207580e9c91) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/11 13:48:54.0781 4236 TermDD (a01e46fff445a38d35db188c5458582c) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/11 13:48:55.0578 4236 Udfs (c26024265a7523312a5d06fc33aa57aa) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/11 13:48:56.0390 4236 Update (b0e133858e63940755b496761834f334) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/11 13:48:56.0812 4236 usbccgp (185959a7fccfd38aa71a274ae6252b88) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/11 13:48:57.0218 4236 usbehci (9dd4aba9462938734bcbf51d8669c884) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/11 13:48:57.0703 4236 usbhub (17859937740bc0d422fe71a588d6ddf7) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/11 13:48:58.0187 4236 USBSTOR (d0740ff9f7e819486e88096826b4dc37) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/11 13:48:58.0359 4236 usbuhci (cbd3053337bb475f442a892edf671312) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/11 13:48:58.0718 4236 vga (2eb062b434792bb6bb614f107dd3a5cf) C:\WINDOWS\system32\DRIVERS\vgapnp.sys
2011/07/11 13:48:58.0812 4236 VgaSave (062fbc10147fd837d819f94aa394e661) C:\WINDOWS\System32\drivers\vga.sys
2011/07/11 13:48:58.0968 4236 VolSnap (45ae67c387a640ec6e228f30d421f088) C:\WINDOWS\system32\DRIVERS\volsnap.sys
2011/07/11 13:48:59.0140 4236 Wanarp (ce030b1d05a01fa012d32f2d25676b1c) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/11 13:48:59.0890 4236 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/11 13:49:00.0109 4236 Boot (0x1200) (a4a539dcfa76c1b00e207d8135b51936) \Device\Harddisk0\DR0\Partition0
2011/07/11 13:49:00.0171 4236 ================================================================================
2011/07/11 13:49:00.0171 4236 Scan finished
2011/07/11 13:49:00.0171 4236 ================================================================================
2011/07/11 13:49:00.0250 6052 Detected object count: 0
2011/07/11 13:49:00.0250 6052 Actual detected object count: 0
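The report above is TDSSKiller's own output, and reading it by eye is what the helper does next in the thread. A defender triaging logs like this usually wants the same reading done mechanically: pull out the host facts, the drivers and boot sectors the tool managed to hash, anything it could not hash, and the closing counts. The Python script below is an added example written for this edit; it is not part of the thread and not TDSSKiller code. The log excerpt it embeds is a constructed subset of the lines posted above, and the function names parse_tdsskiller and summarize, along with the verdict labels, are my own. The point it makes is that "Detected object count: 0" is not the same as "nothing to look at": the "Suspicious service (NoAccess)" line means the scanner was denied access to that service's binary, so the entry comes out as manual_review rather than clean.

```python
import re

# Constructed excerpt in the format of the TDSSKiller report posted above
# (representative lines only, not the poster's full log).
SAMPLE_LOG = "\n".join([
    r"2011/07/11 13:46:32.0281 4348 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21",
    r"2011/07/11 13:46:32.0812 4348 OS Version: 5.2.3790 ServicePack: 2.0",
    r"2011/07/11 13:46:32.0812 4348 Product type: Domain controller",
    r"2011/07/11 13:46:32.0812 4348 ComputerName: NT-SERVER",
    r"2011/07/11 13:47:39.0375 4236 Scan started",
    r"2011/07/11 13:47:41.0984 4236 aac (51c720768d680697d74341b3d84dadc6) C:\WINDOWS\system32\DRIVERS\aac.sys",
    r"2011/07/11 13:48:47.0281 4236 Suspicious service (NoAccess): SBCore",
    r"2011/07/11 13:48:59.0890 4236 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0",
    r"2011/07/11 13:49:00.0109 4236 Boot (0x1200) (a4a539dcfa76c1b00e207d8135b51936) \Device\Harddisk0\DR0\Partition0",
    r"2011/07/11 13:49:00.0171 4236 Scan finished",
    r"2011/07/11 13:49:00.0250 6052 Detected object count: 0",
    r"2011/07/11 13:49:00.0250 6052 Actual detected object count: 0",
])

# Every real log line starts with a timestamp and the worker thread id; the
# rest of the line is the message we classify below.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
HEADER_RE = re.compile(r"^(?P<key>OS Version|Product type|ComputerName|UserName|Boot type):\s*(?P<value>.+)$")
SECTOR_RE = re.compile(r"^(?P<name>MBR|Boot) \((?P<size>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<device>.+)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious (?P<kind>\w+) \((?P<reason>[^)]*)\):\s*(?P<name>.+)$")
COUNT_RE = re.compile(r"^(?P<label>(?:Actual )?[Dd]etected object count):\s*(?P<n>\d+)$")


def parse_tdsskiller(text):
    """Parse a TDSSKiller log into header fields, hashed driver entries,
    boot-sector hashes, entries the tool could not hash, and the closing counts."""
    report = {"header": {}, "drivers": [], "sectors": [], "suspicious": [], "counts": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # separator rows, blank lines, anything not timestamped
        msg = m.group("msg").strip()
        if (h := HEADER_RE.match(msg)):
            report["header"][h.group("key")] = h.group("value")
        elif (s := SECTOR_RE.match(msg)):  # must run before DRIVER_RE: "MBR (0x1B8) (md5) ..."
            report["sectors"].append({"name": s.group("name"), "md5": s.group("md5"), "device": s.group("device")})
        elif (d := DRIVER_RE.match(msg)):
            report["drivers"].append({"name": d.group("name"), "md5": d.group("md5"), "path": d.group("path")})
        elif (x := SUSPICIOUS_RE.match(msg)):
            report["suspicious"].append({"kind": x.group("kind"), "reason": x.group("reason"), "name": x.group("name")})
        elif (c := COUNT_RE.match(msg)):
            report["counts"][c.group("label")] = int(c.group("n"))
    return report


def summarize(report):
    """Turn a parsed report into a triage verdict. A zero detection count only
    says the tool's signatures matched nothing; entries it could not hash
    (for example a service it had NoAccess to) still need a human to look at them."""
    actual = report["counts"].get("Actual detected object count")
    review = ["%s %s (%s)" % (e["kind"], e["name"], e["reason"]) for e in report["suspicious"]]
    if actual is None:
        verdict = "incomplete"  # log ends before the scan finished
    elif actual > 0:
        verdict = "infected"
    elif review:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "os": report["header"].get("OS Version"),
        "role": report["header"].get("Product type"),
        "drivers_hashed": len(report["drivers"]),
        "boot_sectors_hashed": [s["name"] for s in report["sectors"]],
        "tool_detections": actual,
        "manual_review": review,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_tdsskiller(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the embedded excerpt; to triage a real TDSSKiller_*_log.txt, read the file into a string and pass it to parse_tdsskiller instead of SAMPLE_LOG. The MBR and Boot hashes it collects are worth keeping from one scan to the next, since a change in either between runs on the same disk is a strong reason to look closer.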

#6 Elise

Malware Study Hall Admin

Posted 11 July 2011 - 01:07 PM

Hi again,

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise




#7 AllisonPJ


Posted 11 July 2011 - 01:19 PM

Done! Here's the OTL.txt:

OTL logfile created on: 7/11/2011 2:14:35 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.05 Mb Total Physical Memory | 223.27 Mb Available Physical Memory | 21.85% Memory free
2.41 Gb Paging File | 1.53 Gb Available in Paging File | 63.75% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.93 Gb Total Space | 31.81 Gb Free Space | 31.83% Space Free | Partition Type: NTFS

Computer Name: NT-SERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/11 14:14:17 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/06/16 09:17:12 | 000,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray.exe
PRC - [2011/04/26 22:28:00 | 000,112,640 | ---- | M] () -- c:\WINDOWS\fileapp.exe
PRC - [2011/03/29 09:21:02 | 000,157,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2010/09/24 13:23:31 | 000,073,728 | ---- | M] () -- C:\WINDOWS\system32\v3d.exe
PRC - [2009/07/27 11:20:46 | 000,015,872 | ---- | M] () -- c:\GJCWIN\WSTools\srvany.exe
PRC - [2009/07/17 15:37:46 | 000,038,376 | ---- | M] (Pro Softnet Corporation) -- C:\IBackup for Windows\IBackground_955.exe
PRC - [2009/07/17 15:35:08 | 001,865,192 | ---- | M] (Pro Softnet Corporation) -- C:\IBackup for Windows\IBMonitor.exe
PRC - [2009/07/17 15:34:26 | 000,128,488 | ---- | M] (Pro Softnet Corporation) -- C:\IBackup for Windows\IBWin Service_955.exe
PRC - [2009/04/20 13:26:38 | 000,176,128 | ---- | M] (GolfSwitch) -- C:\GolfSwitch\tGolfSvr.exe
PRC - [2009/03/25 19:20:00 | 000,054,760 | ---- | M] ( Pro-Softnet) -- C:\IBackup for Windows\IBackupWebM.exe
PRC - [2009/02/16 07:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2008/12/16 15:10:18 | 002,855,424 | ---- | M] (Sage Software Canada Ltd.) -- C:\GJCWIN\WebServices\sbbwin.exe
PRC - [2007/04/23 12:53:45 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/23 12:53:45 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/04/23 12:53:45 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/04/23 12:53:45 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
PRC - [2007/04/23 12:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2007/04/23 12:53:45 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
PRC - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/04/23 12:53:45 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/05/17 14:38:48 | 000,077,824 | ---- | M] (SEIKO EPSON Corp.) -- C:\WINDOWS\system32\EpStsSrv.exe
PRC - [2005/11/16 07:00:56 | 000,028,160 | ---- | M] () -- C:\WINDOWS\system32\wipfw\bin\ipfw.exe
PRC - [2005/05/26 20:11:32 | 000,188,416 | ---- | M] (SEIKO EPSON Corp.) -- C:\WINDOWS\system32\ESDUSBMon.exe
PRC - [2004/04/14 19:13:16 | 005,128,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\store.exe
PRC - [2004/04/13 17:24:24 | 000,061,440 | ---- | M] (GolfSwitch) -- C:\GolfSwitch\txnService.exe
PRC - [2004/04/02 05:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\mad.exe
PRC - [2004/04/02 05:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (SafeList) ==========

MOD - [2011/07/11 14:14:17 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/09/07 08:08:31 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (FirewallProxy1)
SRV - File not found [Auto | Stopped] -- -- (Firewall Proxy)
SRV - [2011/03/29 09:21:02 | 000,157,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS) Windows Internet Name Service (WINS)
SRV - [2010/09/24 13:23:31 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\v3d.exe -- (dec2010svc)
SRV - [2009/07/27 11:20:46 | 000,015,872 | ---- | M] () [Auto | Running] -- c:\GJCWIN\WSTools\srvany.exe -- (JonasWS)
SRV - [2009/07/17 15:34:26 | 000,128,488 | ---- | M] (Pro Softnet Corporation) [Auto | Running] -- C:\IBackup for Windows\IBWin Service_955.exe -- (IBWin Service)
SRV - [2009/03/25 19:20:00 | 000,054,760 | ---- | M] ( Pro-Softnet) [Auto | Running] -- C:\IBackup for Windows\IBackupWebM.exe -- (IBackupWeb)
SRV - [2009/02/16 07:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2007/04/23 12:53:45 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/04/23 12:53:45 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/04/23 12:53:45 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/04/23 12:53:45 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/04/23 12:53:45 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/04/23 12:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
SRV - [2007/04/23 12:53:45 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/04/23 12:53:45 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/04/23 12:53:45 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/04/23 12:53:45 | 000,037,888 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc) Network News Transfer Protocol (NNTP)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
SRV - [2007/04/23 12:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/04/23 12:53:45 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/05/17 14:38:48 | 000,077,824 | ---- | M] (SEIKO EPSON Corp.) [Auto | Running] -- C:\WINDOWS\System32\EpStsSrv.exe -- (EPSON ESCPOS Status Service)
SRV - [2005/11/16 07:00:56 | 000,028,160 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\wipfw\bin\ipfw.exe -- (ipfw)
SRV - [2005/04/29 21:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
SRV - [2004/04/14 19:13:16 | 005,128,704 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\store.exe -- (MSExchangeIS)
SRV - [2004/04/13 17:24:24 | 000,061,440 | ---- | M] (GolfSwitch) [Auto | Running] -- C:\GolfSwitch\txnService.exe -- (Txn Processor)
SRV - [2004/04/02 05:25:59 | 008,902,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
SRV - [2004/04/02 05:25:54 | 003,195,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2004/04/02 04:57:10 | 003,591,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
SRV - [2004/04/02 04:54:34 | 000,339,456 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
SRV - [2003/06/03 04:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Exchsrvr\bin\events.exe -- (MSExchangeES)


========== Driver Services (SafeList) ==========

DRV - [2007/07/31 06:33:18 | 000,161,792 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\q57xp32.sys -- (q57w2k)
DRV - [2007/06/21 13:03:52 | 000,065,072 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\HpCISSs2.sys -- (HpCISSs2)
DRV - [2007/04/23 12:53:45 | 000,090,624 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/04/23 12:53:45 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk)
DRV - [2007/04/23 12:53:45 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2007/04/23 12:53:45 | 000,058,368 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2007/04/23 12:53:45 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2007/04/13 17:13:06 | 000,201,600 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\G200em.sys -- (G200e)
DRV - [2007/02/26 17:54:02 | 000,071,680 | ---- | M] (Broadcom Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\bchtsw32.sys -- (bchtsw32)
DRV - [2007/02/17 05:04:30 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symmpi.sys -- (symmpi)
DRV - [2007/02/17 03:55:02 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\qic157.sys -- (qic157)
DRV - [2007/02/17 03:34:58 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cpqcissm.sys -- (cpqcissm)
DRV - [2006/07/21 03:28:38 | 000,060,928 | ---- | M] (ATTO Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\express2.sys -- (express2)
DRV - [2006/07/10 11:39:22 | 000,105,088 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/05/09 08:25:52 | 000,216,064 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\aarich.sys -- (aarich)
DRV - [2005/10/21 08:47:12 | 000,030,464 | ---- | M] (WIPFW Project.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ip_fw.sys -- (ip_fw)
DRV - [2005/03/14 04:23:16 | 000,051,896 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\aac.sys -- (aac)
DRV - [2004/07/21 15:53:32 | 000,262,988 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\aar81xx.sys -- (aar81xx)
DRV - [2004/04/02 04:08:21 | 000,195,968 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
DRV - [2003/12/25 12:00:54 | 000,095,485 | ---- | M] (MK Systems CO., LTD.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS -- (Esdpdx01)
DRV - [2003/03/25 00:13:06 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cpqfcalm.sys -- (cpqfcalm)
DRV - [2003/03/25 00:13:04 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cpqarry2.sys -- (cpqarry2)
DRV - [2003/03/25 00:05:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cpqarray.sys -- (Cpqarray)
DRV - [2002/03/20 11:10:08 | 000,014,448 | ---- | M] (Politecnico di Torino) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2391411705-4124517181-1036612294-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
IE - HKU\S-1-5-21-2391411705-4124517181-1036612294-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2007/04/23 12:53:45 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (alch)
O4 - HKLM..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)
O4 - HKLM..\Run: [FileAPP] c:\WINDOWS\fileapp.exe ()
O4 - HKLM..\Run: [IBWIN] File not found
O4 - HKLM..\Run: [IBWin Background process] C:\IBackup for Windows\IBackground_955.exe (Pro Softnet Corporation)
O4 - HKLM..\Run: [IBWin Monitor] C:\IBackup for Windows\IBMonitor.exe (Pro Softnet Corporation)
O4 - HKLM..\Run: [kerne32.exe] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\admin\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\pos\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\xerox\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2391411705-4124517181-1036612294-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://gjonassupport.webex.com/client/T26L/support/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silverthorn.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\HP_Ice_800x600.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\HP_Ice_800x600.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/19 19:13:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/11 14:14:14 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/07/05 09:47:05 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/05 09:47:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/05 09:47:01 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/05 09:45:52 | 009,435,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2011/06/27 14:04:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2011/06/27 14:04:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
[2011/06/23 03:18:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011/06/23 03:18:02 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2011/06/23 03:17:17 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/06/23 03:14:41 | 000,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2011/06/23 03:14:41 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2011/06/23 03:14:40 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2011/06/23 03:14:39 | 000,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2011/06/23 03:14:32 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2011/06/23 03:14:32 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2011/06/23 03:14:30 | 000,000,000 | ---D | C] -- C:\36173923619af73120d5e50fe64ebc
[2011/06/23 03:01:57 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2011/06/22 09:30:43 | 008,087,269 | ---- | C] (alch ) -- C:\Documents and Settings\Administrator\Desktop\clamwin-update-0.97.1.exe
[2011/06/21 13:30:51 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2011/06/21 13:25:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\RegisteredPackages
[2011/06/20 15:12:31 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/06/20 15:11:39 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/06/20 14:51:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/06/20 14:50:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/06/20 14:50:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/20 14:29:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/06/15 04:08:20 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2011/06/15 04:08:19 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2011/06/15 04:08:07 | 001,211,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2011/06/15 04:08:07 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2011/06/15 04:08:04 | 005,964,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/06/12 16:38:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2011/06/12 16:38:08 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/11 14:14:17 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/07/11 13:47:32 | 000,002,586 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2011/07/11 13:45:55 | 001,327,397 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/07/11 12:00:04 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{bb23182b-eb01-11dc-b68a-806e6f6e6963}.job
[2011/07/11 06:07:33 | 000,003,146 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/07/10 16:00:04 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/07/05 12:11:25 | 000,967,064 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/05 12:11:22 | 000,263,638 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/05 12:06:29 | 000,000,202 | ---- | M] () -- C:\WINDOWS\System32\PSLOG
[2011/07/05 12:05:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/05 09:46:07 | 009,435,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2011/06/27 14:03:52 | 000,293,977 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2011/06/27 14:01:22 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/06/25 13:41:21 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/23 11:35:17 | 000,000,283 | ---- | M] () -- C:\WINDOWS\JONAS.INI
[2011/06/23 03:57:46 | 000,093,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/23 03:03:03 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/22 09:31:22 | 008,087,269 | ---- | M] (alch ) -- C:\Documents and Settings\Administrator\Desktop\clamwin-update-0.97.1.exe
[2011/06/20 14:49:09 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2011/06/15 09:35:06 | 000,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/11 13:45:46 | 001,327,397 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/06/27 14:03:46 | 000,293,977 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2011/06/27 14:01:22 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/06/20 15:14:48 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/06/20 15:11:40 | 000,001,000 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Defender.lnk
[2011/06/20 14:49:07 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2011/06/15 09:35:06 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/04/23 16:30:19 | 000,112,640 | ---- | C] () -- C:\WINDOWS\fileapp.exe
[2011/04/17 16:33:25 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\ipfw.exe
[2011/04/17 13:59:38 | 000,418,654 | ---- | C] () -- C:\WINDOWS\System32\far1.exe
[2010/09/24 13:22:01 | 000,725,123 | ---- | C] () -- C:\WINDOWS\System32\bgpw.sys
[2010/09/24 13:22:01 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\v3d.exe
[2010/09/24 13:22:01 | 000,003,069 | ---- | C] () -- C:\WINDOWS\System32\dctd.sys
[2010/05/02 11:50:14 | 000,000,977 | ---- | C] () -- C:\WINDOWS\System32\dct.sys
[2010/05/02 11:50:05 | 000,197,743 | ---- | C] () -- C:\WINDOWS\System32\testbin.exe
[2009/07/27 11:16:32 | 000,000,365 | ---- | C] () -- C:\WINDOWS\JONASWS.INI
[2009/07/20 12:58:16 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IBSSubTmr.dll
[2009/07/20 12:58:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\IBPatch.dll
[2008/09/17 17:13:11 | 000,000,101 | ---- | C] () -- C:\WINDOWS\Psxlpr.ini
[2008/09/17 17:13:10 | 005,926,912 | ---- | C] () -- C:\WINDOWS\System32\Bot.dll
[2008/09/15 16:17:00 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\EpsStmEW.DLL
[2008/09/15 16:17:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SharpImg.dll
[2008/05/20 10:25:36 | 000,086,064 | ---- | C] () -- C:\WINDOWS\System32\JMD5.DLL
[2008/04/10 12:06:35 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2008/03/20 09:21:51 | 000,000,283 | ---- | C] () -- C:\WINDOWS\JONAS.INI
[2007/10/22 12:44:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/10/22 11:09:28 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2007/10/22 10:50:37 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/10/22 10:45:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2007/10/22 10:44:48 | 000,017,579 | ---- | C] () -- C:\WINDOWS\System32\nntpctrs.ini
[2007/10/22 10:40:28 | 000,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini
[2007/10/22 10:38:33 | 000,002,360 | ---- | C] () -- C:\WINDOWS\System32\dhcpctrs.ini
[2007/10/19 20:54:26 | 000,000,316 | ---- | C] () -- C:\WINDOWS\System32\OEMInfo.ini
[2007/10/19 20:53:28 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/10/19 20:53:28 | 000,004,725 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2007/10/19 20:53:22 | 000,967,064 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2007/10/19 20:53:22 | 000,275,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2007/10/19 20:53:22 | 000,263,638 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2007/10/19 20:53:22 | 000,029,710 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2007/10/19 20:53:21 | 000,007,563 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2007/10/19 20:53:19 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2007/10/19 20:53:18 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/10/19 20:53:18 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2007/10/19 20:53:17 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/10/19 20:53:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/10/19 20:53:07 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2007/10/19 20:53:07 | 000,046,907 | ---- | C] () -- C:\WINDOWS\mib.bin
[2007/10/19 20:53:04 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/10/19 20:53:02 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/10/19 20:52:57 | 000,216,006 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2007/10/19 20:52:48 | 000,005,644 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/10/19 20:52:45 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\mqtgsvc.exe.cfg
[2007/10/19 19:19:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/10/19 19:09:14 | 000,021,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/10/19 19:08:25 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/10/19 19:08:25 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/10/19 19:08:17 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/10/19 19:08:17 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/10/19 19:08:16 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/10/19 14:05:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/10/19 14:04:28 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Alternate Data Streams ==========

@Alternate Data Stream - 4824 bytes -> C:\phone book cover 3.jpg:Q30lsldxJoudresxAaaqpcawXc

< End of report >



And the Extras.txt:

OTL Extras logfile created on: 7/11/2011 2:14:35 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.05 Mb Total Physical Memory | 223.27 Mb Available Physical Memory | 21.85% Memory free
2.41 Gb Paging File | 1.53 Gb Available in Paging File | 63.75% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.93 Gb Total Space | 31.81 Gb Free Space | 31.83% Space Free | Partition Type: NTFS

Computer Name: NT-SERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{05DEE64C-B63B-495A-B36C-4277663FAAA0}" = Windows Small Business Server ActiveSync
"{108BE742-0564-4734-AE54-74F81263FB04}" = Windows Small Business Server Licensing
"{3CF8BDBC-DA0F-45FA-A4B9-3A31CCE774E9}" = Windows Small Business Server Backup
"{53BE2241-531B-49FB-B03D-06C377179548}" = Windows Small Business Server IE Client App
"{5546F70C-0437-44EE-A923-7C23E6EFF689}" = Windows Small Business Server Monitoring
"{65657C59-23A8-4974-B8E0-BA04EBD04E4F}" = Microsoft SQL Server Desktop Engine (SHAREPOINT)
"{671E4E4D-4798-4F66-9C9E-C5762E73179E}" = Microsoft XML Parser
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7FB55E52-C72D-4165-85D0-383ED3D7253F}" = Windows Small Business Server Client Setup
"{8952E993-139E-4E71-881F-DD40E4DB8F81}" = Windows Small Business Server Admin
"{91140409-7000-11D3-8CFE-0150048383C9}" = Microsoft Windows SharePoint Services 2.0
"{9189BADC-23A7-487D-B206-AD3A89A4F45D}" = Windows Small Business Server Fax
"{91B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2B40ABC-025A-4389-8148-86CED357B259}" = Microsoft Connector for POP3 Mailboxes
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A34AC564-B4A3-4D45-B969-403BC39F0E6A}" = Microsoft .NET Framework 1.1 -- Device Update 4.0
"{A5E98C65-585A-45AB-BFC3-8555305B9929}" = Windows Small Business Server Documents
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B58E39B9-12E2-4E9B-A01B-9B896C6A52A8}" = Windows Small Business Server Connectivity
"{B7300824-E68F-45F1-BAC1-5F15636C346F}" = Microsoft SQL Server Desktop Engine (SBSMonitoring)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C293E1D0-8085-4830-B806-1BA0FEF9C4A4}" = Windows Small Business Server Client Experience
"{C73E81BF-432C-44E2-831D-F46081CA6E28}" = Windows Small Business Server Remote Portal
"{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}" = Microsoft Group Policy Management Console with SP1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D846DDEE-EDF2-445F-96A4-175544202D32}" = Windows Small Business Server Fax Cfg
"{E721BEC1-887A-4D26-BE10-7E0336B7CAC7}" = Windows Small Business Server Common
"5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA" = Windows Small Business Server 2003
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.97.1
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EPSON Advanced Printer Driver 3" = EPSON Advanced Printer Driver 3
"IBackup for Windows_is1" = IBackup for Windows Version - 9.0
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Matrox Graphics Uninstaller" = Matrox Graphics Software (remove only)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Health Monitor 2.1" = Microsoft Health Monitor 2.1
"PowerGREP 4" = JGsoft PowerGREP 4 DEMO 4.1.3
"PrintServer Utilities" = PrintServer Utilities
"WIC" = Windows Imaging Component
"WinPcapInst" = WinPcap 2.3
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/5/2011 9:33:01 AM | Computer Name = NT-SERVER | Source = WINSCTRS | ID = 69850
Description = WINS Performance Monitor Counters could not get the WINS statistics.

Error - 7/5/2011 9:33:49 AM | Computer Name = NT-SERVER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on nt-server\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 7/5/2011 12:06:30 PM | Computer Name = NT-SERVER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on nt-server\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 7/5/2011 12:06:35 PM | Computer Name = NT-SERVER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on nt-server\SharePoint.
Check the database connection information and make sure that the database server
is running.

Error - 7/5/2011 12:06:41 PM | Computer Name = NT-SERVER | Source = Windows SharePoint Services 2.0 | ID = 1000
Description = #50070: Unable to connect to the database STS_Config on nt-server\SharePoint.
Check the database connection information and make sure that the database server
is running.

[ DNS Server Events ]
Error - 7/5/2011 6:57:33 AM | Computer Name = NT-SERVER | Source = DNS | ID = 6702
Description = DNS server has updated its own host (A) records. In order to ensure
that its DS-integrated peer DNS servers are able to replicate with this server,
an attempt was made to update them with the new records through dynamic update.
An error was encountered during this update, the record data is the error code. If
this DNS server does not have any DS-integrated peers, then this error should be
ignored. If this DNS server's Active Directory replication partners do not have
the correct IP address(es) for this server, they will be unable to replicate with
it. To ensure proper replication: 1) Find this server's Active Directory replication
partners that run the DNS server. 2) Open DnsManager and connect in turn to each
of the replication partners. 3) On each server, check the host (A record) registration
for THIS server. 4) Delete any A records that do NOT correspond to IP addresses
of this server. 5) If there are no A records for this server, add at least one A
record corresponding to an address on this server, that the replication partner can
contact.
(In other words, if there multiple IP addresses for this DNS server, add at least
one that is on the same network as the Active Directory DNS server you are updating.)

6)
Note, that is not necessary to update EVERY replication partner. It is only necessary
that the records are fixed up on enough replication partners so that every server
that replicates with this server will receive (through replication) the new data.

[ File Replication Service Events ]
Error - 6/25/2011 1:41:43 PM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 6/26/2011 10:16:10 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 6/27/2011 1:24:07 PM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 6/27/2011 1:53:23 PM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 6/29/2011 10:54:04 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 7/3/2011 8:01:18 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 7/3/2011 11:26:24 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 7/5/2011 6:41:40 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 7/5/2011 6:58:07 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

Error - 7/5/2011 9:33:34 AM | Computer Name = NT-SERVER | Source = NtFrs | ID = 13568
Description =

[ System Events ]
Error - 6/26/2011 1:27:09 PM | Computer Name = NT-SERVER | Source = TermDD | ID = 655410
Description = The RDP protocol component X.224 detected an error in the protocol
stream and has disconnected the client.

Error - 6/27/2011 1:24:13 PM | Computer Name = NT-SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
agp440 crcdisk IntelIde

Error - 6/27/2011 1:51:45 PM | Computer Name = NT-SERVER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 1:49:13 PM on 6/27/2011 was unexpected.

Error - 6/29/2011 8:57:10 AM | Computer Name = NT-SERVER | Source = TermServDevices | ID = 1111
Description = Driver Kyocera CS-5050 KX required for printer Kyocera CS-5050 KX
is unknown. Contact the administrator to install the driver before you log in again.

Error - 7/3/2011 7:58:59 AM | Computer Name = NT-SERVER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 7:50:34 AM on 7/3/2011 was unexpected.

Error - 7/3/2011 11:24:44 AM | Computer Name = NT-SERVER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:07:59 AM on 7/3/2011 was unexpected.

Error - 7/5/2011 6:39:30 AM | Computer Name = NT-SERVER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:24:02 AM on 7/5/2011 was unexpected.

Error - 7/5/2011 6:56:23 AM | Computer Name = NT-SERVER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 6:52:30 AM on 7/5/2011 was unexpected.

Error - 7/5/2011 9:31:28 AM | Computer Name = NT-SERVER | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:15:23 AM on 7/5/2011 was unexpected.

Error - 7/5/2011 12:07:27 PM | Computer Name = NT-SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
agp440 crcdisk IntelIde


< End of report >

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 12 July 2011 - 02:34 AM

Hi again,

Please download and run Kaspersky's AVP tool. Post me the results.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 AllisonPJ
  • Topic Starter
  • Members
  • 18 posts

Posted 12 July 2011 - 09:35 AM

Hello,

It's still scanning, but there's an alarm up right now about a trojan. Do I tell it to delete, or skip for now?

The trojan is Trojan-Proxy.Win32.Agent.dud

Thanks,
Allison

Edit: Never mind. I just noticed you're in another country, so I told it to delete what it finds so it wouldn't stay locked up all afternoon. I'll post results when the scan finishes.

Edited by AllisonPJ, 12 July 2011 - 09:51 AM.


#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 12 July 2011 - 10:29 AM

Since you already removed it, I'll wait for the final results. :)

regards, Elise




#11 AllisonPJ
  • Topic Starter
  • Members
  • 18 posts

Posted 12 July 2011 - 10:33 AM

Sorry about that. :) I wasn't sure what time zone you were in!

The scan finished, but the full report is HUGE. (Over 18MB) I don't think it will let me paste that here, so here are the results of what was deleted/disinfected/quarantined. Let me know if you still want me to find a way to get the full scan report here somehow.

Thanks!

Status: Quarantined (events: 3)
7/12/2011 11:04:23 AM Quarantined virus HEUR:Trojan.Win32.Generic C:\Programs\McAfee\VSC451Lens\VScan451.msi High
7/12/2011 11:04:23 AM Quarantined virus HEUR:Trojan.Win32.Generic C:\Programs\McAfee\VSC451Lens\VScan451.msi//Cabs.w1.cab//BrowseVS.exe High
7/12/2011 11:04:23 AM Quarantined virus HEUR:Trojan.Win32.Generic C:\Programs\McAfee\VSC451Lens\VScan451.msi//Cabs.w1.cab High

Status: Deleted (events: 19)
7/12/2011 10:48:31 AM Deleted Trojan program Trojan-Proxy.Win32.Agent.dud C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2TI527KH\buss[1].exe High
7/12/2011 10:48:32 AM Deleted Trojan program Trojan-Downloader.Win32.Agent.ercr C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\binary[1].exe High
7/12/2011 10:48:32 AM Deleted malware HackTool.Win32.BruteForce.cp C:\Documents and Settings\pos\My Documents\DUBrute\DUBrute.exe Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.BruteForce.bj C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/1.exe Medium
7/12/2011 10:48:37 AM Deleted malware HackTool.Win32.BruteForce.bj C:\Documents and Settings\pos\My Documents\Firstload\rdp\1.exe Medium
7/12/2011 10:48:36 AM Deleted Trojan program Trojan.Win32.Mahato.dk C:\Documents and Settings\pos\My Documents\Firstload\rdp\rdp.exe High
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.BruteForce.bj C:\Documents and Settings\pos\My Documents\rdp\1.exe Medium
7/12/2011 10:48:39 AM Deleted Trojan program Trojan.Win32.Mahato.dk C:\Documents and Settings\pos\My Documents\rdp\rdp.exe High
7/12/2011 10:48:38 AM Deleted Trojan program Trojan.Win32.Mahato.dk C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/rdp.exe High
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/tss.exe//PE_Patch//MewBundle//MEW Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/tss.exe//PE_Patch//MewBundle Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/tss.exe//PE_Patch Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/tss.exe Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar Medium
7/12/2011 10:48:41 AM Deleted Trojan program Trojan-Proxy.Win32.Agent.dud C:\Documents and Settings\xerox\Local Settings\Temporary Internet Files\Content.IE5\2TI527KH\buss[1].exe High
7/12/2011 10:48:42 AM Deleted Trojan program Trojan-Downloader.Win32.Agent.ercr C:\Documents and Settings\xerox\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\binary[1].exe High
7/12/2011 11:13:26 AM Deleted Trojan program Trojan-Downloader.Win32.Agent.dowk C:\WINDOWS\system32\testbin.exe//svcmsv3.exe High
7/12/2011 11:13:26 AM Deleted Trojan program Trojan-Downloader.Win32.Agent.dowk C:\WINDOWS\system32\testbin.exe High
7/12/2011 11:13:57 AM Deleted Trojan program Trojan-Downloader.Win32.Agent.ercr C:\WINDOWS\system32\dver\svcmsv3.exe High

Status: Disinfected (events: 1)
7/12/2011 11:03:23 AM Disinfected virus Virus.Win32.Virut.ce C:\quarantine\pev.exe.Vir High

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 12 July 2011 - 11:30 AM

I think this might be bad news. Can you look in the log, and look how many virut infected items you see? (no need to count them, just an estimate).

It will look like: 7/12/2011 11:03:23 AM Disinfected virus Virus.Win32.Virut.ce C:\<folder/filename> High

regards, Elise




#13 AllisonPJ
  • Topic Starter
  • Members
  • 18 posts

Posted 12 July 2011 - 11:38 AM

I did a search in the log for "virut" and only came up with three. One said disinfected, one said cleared of virus and the other was detected in a quarantine file.

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 12 July 2011 - 11:40 AM

Can you tell me what threat was detected in most of the other files in the log?

regards, Elise




#15 AllisonPJ
  • Topic Starter
  • Members
  • 18 posts

Posted 12 July 2011 - 11:53 AM

Most files looked clean. Only a few had something detected, and those seem to be either HackTools or Trojan-related. These are just the ones that say "detected" rather than deleted or disinfected:

Trojan-Downloader.Win32.Agent.ercr (3 or 4 times)
HEUR:Trojan.Win32.Generic
Trojan-Proxy.Win32.Agent.dud (2 times)
HackTool.Win32.TSGrinder.a
Trojan.Win32.Mahato.dk (3 times)
HackTool.Win32.BruteForce.bj (2 times)
HackTool.Win32.BruteForce.cp

There also seems to be a directory created in the Documents folder called "DUBrute." I haven't deleted it yet in case you need it for something.
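An added example, not part of this thread and not code from Kaspersky's tool: a small Python parser for result lines in the layout pasted in post #11, which tallies hits per threat name (the estimate asked for in #12 and #15), collapses nested archive hits to the file actually on disk, and pulls out file-infector (Virut) hits separately, since those matter more for the reinstall decision than their count suggests. The function names and the assumed field layout are mine; the sample lines are a subset of the ones posted above.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Set

# One result line as pasted in the thread (Kaspersky AVP tool output), assumed layout:
#   <date> <time> <AM/PM> <action> <kind> <threat name> <path> <severity>
# The path may contain spaces; nested archive members are appended with "//".
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Quarantined|Deleted|Disinfected|Detected) "
    r"(?P<kind>virus|Trojan program|malware|riskware) "
    r"(?P<threat>\S+) (?P<path>.+?) (?P<severity>High|Medium|Low)$"
)

class Event(NamedTuple):
    when: str
    action: str
    threat: str
    path: str
    severity: str

def parse_events(text: str) -> List[Event]:
    """One Event per result line; 'Status:' headers and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["when"], m["action"], m["threat"], m["path"], m["severity"]))
    return events

def tally_threats(events: List[Event]) -> Counter:
    """Hits per threat name, the estimate the helper asked for in the thread."""
    return Counter(e.threat for e in events)

def distinct_files(events: List[Event], threat: str) -> Set[str]:
    """Files actually on disk for a threat: 'x.rar//member//packer' collapses to 'x.rar'."""
    return {e.path.split("//", 1)[0] for e in events if e.threat == threat}

def file_infector_hits(events: List[Event], family: str = "Virut") -> List[Event]:
    """Hits from a file-infector family; even a few mean other executables may be patched."""
    return [e for e in events if family.lower() in e.threat.lower()]

# Sample input: a subset of the result lines pasted in post #11, embedded for an offline run.
SAMPLE = r"""Status: Deleted (events: 4)
7/12/2011 10:48:31 AM Deleted Trojan program Trojan-Proxy.Win32.Agent.dud C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2TI527KH\buss[1].exe High
7/12/2011 10:48:32 AM Deleted malware HackTool.Win32.BruteForce.cp C:\Documents and Settings\pos\My Documents\DUBrute\DUBrute.exe Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar//rdp/tss.exe//PE_Patch Medium
7/12/2011 10:48:38 AM Deleted malware HackTool.Win32.TSGrinder.a C:\Documents and Settings\pos\Local Settings\Temporary Internet Files\Content.IE5\W5K98DK5\rdp[1].rar Medium
Status: Disinfected (events: 1)
7/12/2011 11:03:23 AM Disinfected virus Virus.Win32.Virut.ce C:\quarantine\pev.exe.Vir High
"""
```

Running `tally_threats(parse_events(SAMPLE))` on the full pasted listing gives the per-threat counts from post #15 directly, and `distinct_files` shows that the five TSGrinder lines there are one archive on disk.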



