2k3 server virus and malware removal


This topic is locked.
7 replies to this topic

#1 whimpy
  • Members
  • 6 posts

Posted 08 March 2012 - 06:14 PM

I have a 2003 server with a malware/virus infection. My problem is that some of the tools I would normally run to remove the infection will not run on a server OS. I need assistance with finding tools that will run as well as how to use them (if I can't figure them out). Any help with this would be greatly appreciated.

Thank you,
Jason


#2 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts

Posted 13 March 2012 - 08:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

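The custom scan requested above produces OTL.txt and Extra.txt, which a helper then reads line by line. The Python script below is an added example, not code from this thread or from OTL's author: it parses the PRC/MOD/SRV/DRV lines of that report format into records and applies the first three checks a helper makes when reading such a log, namely a module with no company name loaded from a temp directory, a service or driver whose file OTL reports as "File not found", and a no-company file modified within OTL's 30-day file-age window. The sample report embedded in it is constructed in the same format; the regular expressions and severity labels are my own reading of the format, not definitions from OTL.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the report format OTL writes (modelled on the kind of
# lines such a log contains; the regexes below are my reading of that format).
SAMPLE_LOG = r"""
OTL logfile created on: 3/13/2012 9:44:19 AM - Run 1

========== Processes (SafeList) ==========

PRC - [2012/03/13 09:43:06 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\jtemp\OTL.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (No Company Name) ==========

MOD - [2012/03/12 14:05:10 | 000,117,248 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp4071.tmp
MOD - [2008/05/14 12:21:52 | 000,441,705 | ---- | M] () -- C:\WINDOWS\system32\sqlite3.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Iprip)
SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
SRV - [2011/06/27 06:00:34 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
"""

# Entry with a file on disk:
#   KIND - [mtime | size | attrs | M] (Company) [state] -- path -- (Name)
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| \S+ \| \w\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?: -- \((?P<name>.*)\))?$"
)
# Registered service/driver whose binary OTL could not locate.
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- -- \((?P<name>[^()]*)\)$"
)


@dataclass
class Entry:
    kind: str                  # PRC, MOD, SRV or DRV
    path: Optional[str]        # None when OTL reports "File not found"
    company: str               # company name from version info, "" if absent
    mtime: Optional[datetime]
    size: Optional[int]
    state: str                 # e.g. "Auto | Running"; "" for PRC/MOD
    name: str                  # service/driver name; "" for PRC/MOD


@dataclass
class Finding:
    severity: str
    entry: Entry
    reason: str


def parse_entries(text: str) -> List[Entry]:
    """Turn the PRC/MOD/SRV/DRV lines of an OTL report into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                kind=m["kind"],
                path=m["path"],
                company=m["company"].strip(),
                mtime=datetime.strptime(m["mtime"], "%Y/%m/%d %H:%M:%S"),
                size=int(m["size"].replace(",", "")),
                state=m["state"] or "",
                name=m["name"] or "",
            ))
            continue
        m = MISSING_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], None, "", None, None, m["state"], m["name"]))
    return entries


def scan_date(text: str) -> Optional[datetime]:
    """Read the scan timestamp from the report header line."""
    m = re.search(r"OTL logfile created on: (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)", text)
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p") if m else None


TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def triage(text: str, scanned_at: datetime, file_age_days: int = 30) -> List[Finding]:
    """Apply the first-pass checks a helper makes when reading OTL.txt."""
    findings: List[Finding] = []
    for e in parse_entries(text):
        if e.path is None:
            # A service/driver entry whose file is not on disk: a leftover from
            # removed software, or a file hidden from the scanner. Entries that
            # auto-start or are running matter more than on-demand ones.
            sev = "high" if "Auto" in e.state or "Running" in e.state else "low"
            findings.append(Finding(sev, e, "registered service/driver whose file was not found"))
            continue
        if e.company:
            continue  # version info names a vendor; leave it for the full review
        lower = e.path.lower()
        if any(t in lower for t in TEMP_MARKERS) or lower.endswith(".tmp"):
            findings.append(Finding("high", e, "no company name and loaded from a temp location"))
        elif e.mtime and scanned_at - e.mtime <= timedelta(days=file_age_days):
            findings.append(Finding("medium", e, "no company name and modified within the file-age window"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, scan_date(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.entry.kind} {f.entry.path or f.entry.name}: {f.reason}")
```

Run on a saved OTL.txt by replacing SAMPLE_LOG with the file contents; the checks only rank which lines to look at first, and every flagged path still needs to be verified (hash lookup, signature, purpose) before anything is removed.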


#3 whimpy
  • Topic Starter
  • Members
  • 6 posts

Posted 13 March 2012 - 12:05 PM

OTL logfile created on: 3/13/2012 9:44:19 AM - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\jtemp
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 43.56% Memory free
5.83 Gb Paging File | 3.54 Gb Available in Paging File | 60.62% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 279.44 Gb Total Space | 216.31 Gb Free Space | 77.41% Space Free | Partition Type: NTFS

Computer Name: 2KSERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/13 09:43:06 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\jtemp\OTL.exe
PRC - [2011/06/27 06:00:34 | 000,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2011/02/03 15:59:50 | 000,027,648 | ---- | M] (Elsinore Technologies Inc.) -- C:\Program Files\ScreenConnect Guest Client\Elsinore.ScreenConnect.GuestClient.exe
PRC - [2011/02/03 15:59:42 | 000,027,976 | ---- | M] (Elsinore Technologies Inc.) -- C:\Program Files\ScreenConnect Guest Client\Elsinore.ScreenConnect.GuestService.exe
PRC - [2010/11/12 12:39:18 | 001,881,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2010/11/12 12:39:18 | 001,459,528 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2010/11/12 12:39:18 | 000,644,464 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
PRC - [2010/11/12 12:39:18 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2010/11/12 12:39:18 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2010/11/12 12:39:16 | 001,831,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2010/11/05 12:14:58 | 000,033,792 | ---- | M] (Patterson Companies) -- C:\EagleSoft\Shared Files\PattersonAssistantServer.exe
PRC - [2010/11/05 12:14:58 | 000,033,792 | ---- | M] (Patterson Companies) -- C:\EagleSoft\Shared Files\PattersonAppServer.exe
PRC - [2010/11/05 10:41:10 | 000,099,840 | ---- | M] (Patterson Companies) -- C:\EagleSoft\Shared Files\PattersonServerStatus.exe
PRC - [2010/08/11 10:41:44 | 000,204,800 | ---- | M] (Patterson Companies, Inc.) -- C:\EagleSoft\Shared Files\esinetconnect.exe
PRC - [2010/04/21 21:21:46 | 000,234,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2009/12/14 10:22:50 | 000,077,824 | ---- | M] (Patterson Companies) -- C:\EagleSoft\Shared Files\ESMsgServer.exe
PRC - [2009/08/03 12:31:24 | 007,940,792 | ---- | M] () -- C:\Program Files\X-Charge\XChrgSrv.exe
PRC - [2009/07/25 08:22:54 | 001,323,728 | ---- | M] () -- C:\Program Files\X-Charge\XCSecurityService.exe
PRC - [2009/07/25 08:22:44 | 000,449,736 | ---- | M] () -- C:\Program Files\X-Charge\XCService.exe
PRC - [2009/06/11 12:17:26 | 000,139,264 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\jdk\bin\java.exe
PRC - [2009/01/08 23:25:22 | 000,136,496 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\EagleSoft\Shared Files\dbsrv10.exe
PRC - [2008/05/14 13:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/12 14:05:10 | 000,117,248 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\tmp4071.tmp
MOD - [2012/02/27 10:51:32 | 001,356,288 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\c4c671c737b553db8e07664816475333\System.WorkflowServices.ni.dll
MOD - [2012/02/27 10:51:14 | 001,706,496 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\285dfbf2380436e187cb624bd1cd4683\System.ServiceModel.Web.ni.dll
MOD - [2012/02/27 10:50:15 | 000,182,272 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\a7a9d22823e9f5eb4fc9da77e6315927\Patterson.Services.LabRxService.ni.dll
MOD - [2012/02/27 10:50:14 | 000,575,488 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\1558c6b8d04aab5eeb98cfd6f5a59d64\Patterson.Services.AccountService.ni.dll
MOD - [2012/02/27 10:50:14 | 000,087,552 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\7de8480683d1d240bb36e490c29bc434\Patterson.Services.ImagingService.ni.dll
MOD - [2012/02/27 10:50:13 | 000,699,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\3f6a4ebf8f43e16bb5f7f2be5358b6fb\Patterson.Services.InsuranceService.ni.dll
MOD - [2012/02/27 10:50:12 | 000,189,952 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\e56cd840af5a024232bbaf919409054c\Patterson.Services.DocumentService.ni.dll
MOD - [2012/02/27 10:50:12 | 000,187,904 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\8b8af784a96205d1294afa1faae3065d\Patterson.Services.SharedDataAccess.ni.dll
MOD - [2012/02/27 10:50:11 | 000,590,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\c0b1bdf0ff9effa1409df7004e44c800\Patterson.Services.GeneralService.ni.dll
MOD - [2012/02/27 10:50:11 | 000,193,024 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\aa7c0a82ce6866e1dd3b6e99a3154769\Patterson.Services.TreatmentService.ni.dll
MOD - [2012/02/27 10:50:10 | 000,229,376 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\94c553092ed53573e8b2eef85b62ccc3\Patterson.Services.UtilitiesService.ni.dll
MOD - [2012/02/27 10:50:09 | 000,272,896 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\f77815eaa190e0da94a9fb4b1bff5557\Patterson.Services.PatientService.ni.dll
MOD - [2012/02/27 10:50:09 | 000,225,792 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\2f4366447464e77b188f30623f9cf4ed\Patterson.Services.ProviderService.ni.dll
MOD - [2012/02/27 10:50:08 | 000,737,792 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\927036c1eb511e9164cb063c529704bc\Patterson.Services.ScheduleService.ni.dll
MOD - [2012/02/27 10:50:08 | 000,180,224 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\560913fbf119d4868dff655172e66eda\Patterson.Services.ApplicationUpgradeService.ni.dll
MOD - [2012/02/27 10:50:07 | 000,081,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PattersonAppServer\59c0abb34a4b4d0f4bacb0e4f2a4c36b\PattersonAppServer.ni.exe
MOD - [2012/02/27 10:49:42 | 002,854,912 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\DevExpress.XtraSche#\1b35959f82e1aabd375f20d836ac703a\DevExpress.XtraScheduler.v9.3.Core.ni.dll
MOD - [2012/02/27 10:49:32 | 004,914,176 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\DevExpress.XtraGrid#\10a8e8462f1c730dbc5a8a7e686765a1\DevExpress.XtraGrid.v9.3.ni.dll
MOD - [2012/02/27 10:49:29 | 005,575,680 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\DevExpress.Utils.v9#\2f971a41890af8a6c0169e183af201b2\DevExpress.Utils.v9.3.ni.dll
MOD - [2012/02/27 10:49:26 | 005,164,032 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\DevExpress.XtraEdit#\099784f2f9b11837a19610b7f8d53d77\DevExpress.XtraEditors.v9.3.ni.dll
MOD - [2012/02/27 10:49:23 | 000,400,896 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c2a12bd4056b44f8005a7eb3af161e6a\System.Xml.Linq.ni.dll
MOD - [2012/02/27 10:49:21 | 007,395,328 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\DevExpress.Data.v9.3\edfc47d3d53eebe18c334c2513ec6b96\DevExpress.Data.v9.3.ni.dll
MOD - [2012/02/27 10:49:17 | 002,370,048 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\6eb68e3ac7e5b06bac258e52ffeb0279\Patterson.Services.ServiceContracts.ni.dll
MOD - [2012/02/27 10:49:12 | 002,345,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\f2532204217dc10f152afd077b09927c\System.Runtime.Serialization.ni.dll
MOD - [2012/02/27 10:49:10 | 000,256,000 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\bd3bfd5b6ef659dac4d6cccb34577d33\SMDiagnostics.ni.dll
MOD - [2012/02/27 10:49:09 | 017,403,904 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\1cdcd6d97627d345d5ff446e6ec88b97\System.ServiceModel.ni.dll
MOD - [2012/02/27 10:48:57 | 002,435,072 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\iAnywhere.Data.SQLA#\5799d6710093977f12ec6b88f75fe3df\iAnywhere.Data.SQLAnywhere.ni.dll
MOD - [2012/02/27 10:48:56 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\11dcb806c92f55111f5fa9f1a90e3bdd\System.ServiceProcess.ni.dll
MOD - [2012/02/27 10:48:54 | 001,801,216 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\707a05a7d5a8d99dd56d1d50311a60d2\System.Deployment.ni.dll
MOD - [2012/02/27 10:48:45 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\29bdc8352d3c26e3c572ea60639dec3b\System.Web.ni.dll
MOD - [2012/02/27 10:48:33 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\c0d15fb6308587fef8744d568e64bcda\System.EnterpriseServices.ni.dll
MOD - [2012/02/27 10:48:32 | 000,627,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\f25d114cb629d1f512f98883c6535a75\System.Transactions.ni.dll
MOD - [2012/02/27 10:48:31 | 000,150,528 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\8ee7a80d0d210bfdc87195936e1c649c\Patterson.Services.ServiceUtils.ni.dll
MOD - [2012/02/27 10:48:26 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll
MOD - [2012/02/27 10:48:24 | 000,108,544 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Patterson.Services.#\c69b8a07c7084651bbd1f25a36a85b64\Patterson.Services.SharedResources.ni.dll
MOD - [2012/02/27 10:46:33 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll
MOD - [2012/02/27 10:46:27 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/27 10:46:05 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/27 10:45:33 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\ae888f8633fce3ff1de98e32bce0abbf\System.Data.ni.dll
MOD - [2012/02/27 10:45:28 | 002,295,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\0a6d6717e76be12295711ff02c7aa1d4\System.Core.ni.dll
MOD - [2012/02/21 17:41:33 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/02/21 17:39:53 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/02/21 17:39:42 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2011/10/20 15:29:58 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2010/04/21 21:22:06 | 000,316,784 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secreg.dll
MOD - [2010/04/21 21:22:02 | 000,750,960 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2009/08/03 12:31:24 | 007,940,792 | ---- | M] () -- C:\Program Files\X-Charge\XChrgSrv.exe
MOD - [2009/07/31 07:48:36 | 000,620,032 | ---- | M] () -- C:\Program Files\X-Charge\XCAutoUpgradeCheck.dll
MOD - [2009/07/25 08:22:54 | 001,323,728 | ---- | M] () -- C:\Program Files\X-Charge\XCSecurityService.exe
MOD - [2009/07/25 08:22:44 | 000,449,736 | ---- | M] () -- C:\Program Files\X-Charge\XCService.exe
MOD - [2009/07/15 07:59:30 | 000,977,408 | ---- | M] () -- C:\Program Files\X-Charge\XCGPNIP.dll
MOD - [2009/07/15 07:37:48 | 001,537,024 | ---- | M] () -- C:\Program Files\X-Charge\XCGPN.dll
MOD - [2008/11/12 13:37:00 | 001,202,176 | ---- | M] () -- C:\Program Files\X-Charge\XCDM.dll
MOD - [2008/05/14 12:21:52 | 000,441,705 | ---- | M] () -- C:\WINDOWS\system32\sqlite3.dll
MOD - [2006/06/06 13:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2002/08/13 07:10:10 | 000,155,648 | ---- | M] () -- C:\WINDOWS\system32\ssleay32.dll
MOD - [2002/08/13 07:09:50 | 000,684,032 | ---- | M] () -- C:\WINDOWS\system32\libeay32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
SRV - File not found [Auto | Stopped] -- -- (Iprip)
SRV - File not found [Auto | Running] -- -- (Elsinore ScreenConnect Guest Service (support.computekdental.com)) Elsinore ScreenConnect Guest Service (support.computekdental.com)
SRV - [2011/06/27 06:00:34 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/11/12 12:39:18 | 001,881,368 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2010/11/12 12:39:18 | 000,349,512 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2010/11/12 12:39:18 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/11/12 12:39:18 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/11/12 12:39:16 | 001,831,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/11/05 12:14:58 | 000,033,792 | ---- | M] (Patterson Companies) [Auto | Running] -- C:\EagleSoft\Shared Files\PattersonAppServer.exe -- (PattersonAppService)
SRV - [2010/11/05 12:14:58 | 000,033,792 | ---- | M] (Patterson Companies) [On_Demand | Running] -- C:\EagleSoft\Shared Files\PattersonAssistantServer.exe -- (Patterson Assistant Service)
SRV - [2010/08/13 11:22:06 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\EagleSoft\Shared Files\ESCameraService.exe -- (ESCameraService)
SRV - [2010/04/21 21:21:46 | 000,234,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2010/02/17 11:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/12/14 10:22:50 | 000,077,824 | ---- | M] (Patterson Companies) [On_Demand | Running] -- C:\EagleSoft\Shared Files\ESMsgServer.exe -- (EagleSoft Messenger Server)
SRV - [2009/07/25 08:22:54 | 001,323,728 | ---- | M] () [Auto | Running] -- C:\Program Files\X-Charge\XCSecurityService.exe -- (XCSecurity)
SRV - [2009/07/25 08:22:44 | 000,449,736 | ---- | M] () [Auto | Running] -- C:\Program Files\X-Charge\XCService.exe -- (XCService)
SRV - [2009/01/08 23:25:22 | 000,136,496 | ---- | M] (iAnywhere Solutions, Inc.) [On_Demand | Running] -- C:\EagleSoft\Shared Files\dbsrv10.exe -- (SQLANYs_PattersonDBServer)
SRV - [2008/05/14 13:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sens32.dll -- (SENS)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/03/08 14:59:03 | 000,083,064 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\SMR250.SYS -- (SMR250)
DRV - [2012/02/14 15:40:19 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/13 12:48:14 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120312.035\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/02/13 12:48:14 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120312.035\NAVENG.SYS -- (NAVENG)
DRV - [2012/02/03 02:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/08/11 12:04:50 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/11/12 12:39:18 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/11/12 12:39:18 | 000,283,184 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/11/12 12:39:18 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2010/11/12 12:39:14 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/04/13 13:13:00 | 000,201,600 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\G200em.sys -- (G200e)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3233667931-866289775-1348548251-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-3233667931-866289775-1348548251-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.computekdental.com/
IE - HKU\S-1-5-21-3233667931-866289775-1348548251-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3233667931-866289775-1348548251-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-3233667931-866289775-1348548251-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\14.0.835.186\gcswf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\14.0.835.186\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\14.0.835.186\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2007/02/18 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ESInetConnect] C:\EagleSoft\Shared Files\esinetconnect.exe (Patterson Companies, Inc.)
O4 - HKLM..\Run: [Patterson Server Status] C:\EagleSoft\Shared Files\EsStartup.exe (Patterson Companies)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Symantec Endpoint Protection.lnk = C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe (Symantec Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3233667931-866289775-1348548251-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246471510390 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246471502828 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dental.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5857FCC9-87DE-4098-9711-BD2755DCB585}: NameServer = 127.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (C:\WINDOWS\system32\FastCheckInCAD.dll) - C:\WINDOWS\system32\FastCheckInCAD.dll (Patterson Dental Supply, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/01 10:26:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: LightScribe Control Panel - hkey= - key= - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Ias - Service
SafeBootMin: Iprip - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootMin: Symantec Antvirus - Service
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: wd.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - Microsoft NetShow Player
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4CF07653-FE0F-11D4-A548-0090278A1BB8} - .NET Framework
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
ActiveX: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} - Help and Support Center
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\INF\unregmp2.exe /HideWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

NetSvcs: Ias - C:\WINDOWS\System32\ias.dll (Microsoft Corporation)
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: SENS - C:\WINDOWS\system32\sens32.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/13 09:42:35 | 000,000,000 | ---D | C] -- C:\jtemp
[2012/03/08 19:56:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/03/08 16:34:44 | 000,000,000 | ---D | C] -- C:\Program Files\ScreenConnect Guest Client
[2012/03/08 16:15:49 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012/03/08 15:48:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tdsskiller
[2012/03/08 15:13:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SPE
[2012/03/08 15:12:23 | 005,676,416 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\Sep_SupportTool.exe
[2012/03/08 14:59:03 | 000,083,064 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR250.SYS
[2012/03/08 14:58:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE
[2012/03/08 14:58:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2012/02/14 21:08:49 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2012/02/14 21:08:49 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2012/02/14 21:08:48 | 000,916,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2012/02/14 21:08:48 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2012/02/14 21:08:48 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2012/02/14 21:08:44 | 001,212,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/13 09:10:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3233667931-866289775-1348548251-1185UA.job
[2012/03/13 09:04:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3233667931-866289775-1348548251-500UA.job
[2012/03/13 07:53:07 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/13 07:53:05 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/03/12 15:04:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3233667931-866289775-1348548251-500Core.job
[2012/03/12 14:10:04 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3233667931-866289775-1348548251-1185Core.job
[2012/03/12 12:00:42 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\Demandforce DFLink Upload.job
[2012/03/12 11:30:10 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\Demandforce DFLink Update.job
[2012/03/08 16:18:00 | 000,000,290 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/03/08 15:49:50 | 002,044,980 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2012/03/08 15:26:32 | 000,000,208 | -HS- | M] () -- C:\boot.ini
[2012/03/08 15:24:06 | 000,568,550 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/08 15:24:06 | 000,104,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/08 15:17:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/08 15:12:31 | 005,676,416 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\Sep_SupportTool.exe
[2012/03/08 14:59:03 | 000,083,064 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR250.SYS
[2012/03/07 18:02:40 | 001,179,648 | ---- | M] () -- C:\WINDOWS\System32\EagleSoftEventLog.evt
[2012/02/28 16:32:32 | 000,001,718 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2012/02/27 10:41:55 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/21 17:35:18 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/08 15:45:09 | 002,044,980 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2012/03/06 15:05:14 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3233667931-866289775-1348548251-1185UA.job
[2012/03/06 15:05:13 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3233667931-866289775-1348548251-1185Core.job
[2011/02/18 09:20:04 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.EXE
[2010/11/23 11:34:05 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2010/11/12 15:01:29 | 000,000,024 | ---- | C] () -- C:\WINDOWS\DENTRIX.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) MD5=A26C39540F8BE3729846E360E2C57344 -- C:\WINDOWS\explorer.exe
[2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) MD5=A26C39540F8BE3729846E360E2C57344 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: WINLOGON.EXE >
[2007/02/18 05:00:00 | 000,528,384 | ---- | M] (Microsoft Corporation) MD5=B4AA8AE0F18E5DFCF99A671A181D3EDC -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2007/02/18 05:00:00 | 000,528,384 | ---- | M] (Microsoft Corporation) MD5=B4AA8AE0F18E5DFCF99A671A181D3EDC -- C:\WINDOWS\system32\winlogon.exe

< >

< End of report >


Here is the other one.

OTL Extras logfile created on: 3/13/2012 9:44:19 AM - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\jtemp
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 43.56% Memory free
5.83 Gb Paging File | 3.54 Gb Available in Paging File | 60.62% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 279.44 Gb Total Space | 216.31 Gb Free Space | 77.41% Space Free | Partition Type: NTFS

Computer Name: 2KSERVER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{15F52897-79DE-492D-AC2C-A564E9B4078B}" = Elsinore ScreenConnect Guest Service (support.computekdental.com)
"{1CE1E282-54E5-48C8-A894-A2BEB6AD1FF4}" = Patterson EagleSoft
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java™ 6 Update 27
"{3C1AE512-3C37-44FA-BA42-ABB721EC5B1D}" = Symantec Endpoint Protection
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6D85245E-D324-4EE4-87FD-9FBF4EC3F6B1}" = Symantec Endpoint Protection Manager
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E72B982-D54F-486F-B35A-C24B6F171033}" = Nero 7 Essentials
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{BA6BE264-85D6-49AB-8C05-0B532131BD43}" = OPOS for the Ingenico iSeries
"{BBBF4CFE-9D26-4D93-A869-B2B021B3CA85}" = Intel® PRO Network Connections 12.2.41.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8A9DECC-A6FC-499A-A476-E75023F6D5CE}" = Patterson EagleSoft
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FDF54538-EE59-449E-829D-A54B42316074}" = D3One
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ie8" = Windows Internet Explorer 8
"InstallShield_{FDF54538-EE59-449E-829D-A54B42316074}" = D3One
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Matrox Graphics Uninstaller" = Matrox Graphics Software (remove only)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"PINPadDevice Files" = PINPadDevice Files
"Tweak UI 2.10" = Tweak UI
"WIC" = Windows Imaging Component
"X-Charge" = X-Charge

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3233667931-866289775-1348548251-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/7/2012 4:39:42 PM | Computer Name = 2KSERVER | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 3/7/2012 5:24:38 PM | Computer Name = 2KSERVER | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 3/9/2012 12:18:19 PM | Computer Name = 2KSERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!AngryIPScanner in File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files\Content.IE5\ZRR339AG\ipscan221[1].exe by: Auto-Protect
scan. Action: Reboot Required. Action Description: The file was quarantined successfully.



[ DNS Server Events ]
Error - 11/9/2011 9:17:35 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 11/9/2011 9:17:35 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 192.168.0. This DNS server is configured to use information obtained from
Active Directory for this zone and is unable to load the zone without it. Check
that
the Active Directory is functioning properly and repeat enumeration of the zone.
The
extended error debug information (which may be empty) is "". The event data contains
the error.

Error - 11/9/2011 9:17:35 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone dental.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 12/28/2011 2:58:50 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 12/28/2011 3:47:22 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 12/28/2011 3:47:22 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 12/28/2011 3:47:22 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.dental.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 12/28/2011 3:47:22 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 12/28/2011 3:47:22 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 192.168.0. This DNS server is configured to use information obtained from
Active Directory for this zone and is unable to load the zone without it. Check
that
the Active Directory is functioning properly and repeat enumeration of the zone.
The
extended error debug information (which may be empty) is "". The event data contains
the error.

Error - 12/28/2011 3:47:22 PM | Computer Name = 2KSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone dental.local. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

[ EagleSoft Events ]
Error - 2/1/2012 1:35:22 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 2/11/2012 2:38:07 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 2/11/2012 2:38:11 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 2/11/2012 2:38:19 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 2/11/2012 2:38:26 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 2/11/2012 2:38:28 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 3/1/2012 5:24:58 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 3/5/2012 8:20:11 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 3/6/2012 1:47:52 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

Error - 3/7/2012 8:06:40 PM | Computer Name = 2KSERVER | Source = EagleSoft | ID = 0
Description =

[ File Replication Service Events ]
Error - 11/24/2010 10:45:14 AM | Computer Name = 2KSERVER | Source = NtFrs | ID = 13571
Description = The File Replication Service has detected that one or more volumes
on this computer have the same Volume Serial Number. File Replication Service does
not support this configuration. Files may not replicate until this conflict is
resolved. Volume Serial Number : 502d-d118 List of volumes that have this Volume
Serial Number: c:, c: The output of "dir" command displays the Volume Serial Number
before
listing the contents of the folder.

[ System Events ]
Error - 3/11/2012 12:34:40 PM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/11/2012 4:49:40 PM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/11/2012 8:49:40 PM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/12/2012 12:49:40 AM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/12/2012 4:49:40 AM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/12/2012 9:04:40 AM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/12/2012 1:10:06 PM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/12/2012 5:19:40 PM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/12/2012 9:34:40 PM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5

Error - 3/13/2012 10:54:41 AM | Computer Name = 2KSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ADMIN1 failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ADMIN1$. The following
error occurred: %%5


< End of report >





#4 whimpy

whimpy
  • Topic Starter

  • Members
  • 6 posts

Posted 13 March 2012 - 01:18 PM

Sorry, I didn't leave a description of the problem. We keep having Symantec report that there is a Trojan.Gen2 virus, but it is unable to quarantine or delete it.

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 14 March 2012 - 03:52 AM

I take it this is a business computer?

If so, I strongly recommend that you ask your IT support/network administrator to fix this. After all, they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link: Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\dns.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal: http://www.virustotal.com/

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
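Before uploading anything, a practitioner would check the file's hashes first: both Jotti and VirusTotal can be searched by hash, so if the file is already known there is no need to ship a binary off a server that holds patient records. The path asked for above, C:\WINDOWS\system32\dns.exe, is also where the Windows Server 2003 DNS Server service binary normally lives, so a hash match against a known-good copy (install media, or another server at the same patch level) settles the question faster than the file name alone. The Python below is an added example, not code from this thread or from Jotti or VirusTotal: it computes MD5/SHA-1/SHA-256, builds the VirusTotal hash-report URL (the https://www.virustotal.com/gui/file/<sha256> form is the current site's; the 2012 link in the post is just the front page), and reads the PE header to report whether an Authenticode signature blob is embedded. build_minimal_pe() is a constructed stand-in so the block runs without a real executable.

```python
import hashlib
import struct
import sys

# Data directory index 4 in the PE optional header is IMAGE_DIRECTORY_ENTRY_SECURITY;
# a non-zero entry points at an embedded Authenticode signature (WIN_CERTIFICATE).
SECURITY_DIRECTORY_INDEX = 4


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes as lowercase hex (what the scanners index)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def vt_hash_url(sha256: str) -> str:
    """VirusTotal report page for a hash; look this up before uploading the file."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def has_embedded_signature(data: bytes):
    """True/False for a PE image with/without a security directory entry,
    None if the bytes are not a (complete enough) PE image."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                                   # 20-byte COFF file header
        (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
        opt = coff + 20                                       # optional header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                                    # PE32
            directories = 96
        elif magic == 0x20B:                                  # PE32+
            directories = 112
        else:
            return None
        entry = opt + directories + SECURITY_DIRECTORY_INDEX * 8
        if entry + 8 > opt + size_of_optional:                # header declares fewer directories
            return False
        rva, size = struct.unpack_from("<II", data, entry)
        return rva != 0 and size != 0
    except struct.error:                                      # truncated header
        return None


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed stand-in for a real executable: enough header to be parsed,
    not enough to be loaded. Used so the example runs without a real dns.exe."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = bytearray(96 + 16 * 8)                         # PE32 + 16 data directories
    struct.pack_into("<H", optional, 0, 0x10B)
    if signed:
        struct.pack_into("<II", optional, 96 + SECURITY_DIRECTORY_INDEX * 8, 0x1000, 0x800)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(optional), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def triage(path: str) -> dict:
    """Everything worth pasting into a forum reply before deciding to upload."""
    with open(path, "rb") as f:
        data = f.read()
    h = hashes(data)
    return {**h,
            "embedded_signature": has_embedded_signature(data),
            "virustotal": vt_hash_url(h["sha256"])}


if __name__ == "__main__":
    for path in sys.argv[1:]:                 # e.g. C:\WINDOWS\system32\dns.exe
        for key, value in triage(path).items():
            print(f"{path}: {key} = {value}")
```

Treat a missing embedded signature on a 2003 system file as inconclusive rather than damning: most OS binaries of that era are catalog-signed rather than embedded-signed, so confirm on the box with signtool verify /a or sigverif, and weight the hash comparison against a known-good copy more than the signature check.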


#6 whimpy

whimpy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:06 AM

Posted 22 March 2012 - 02:55 PM

Well, I thank you for your help. However, I was able to fix the infection myself. You were right: this computer is used as a server at a dentist office. It contained all the patient records for the office, as it is a paperless office. I was aware of this, but I didn't think to mention it, as this is what I work with all day. The funny thing is, as far as having the admin work on this, I am he. Just everyone needs ideas once in a while.

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:02:06 PM

Posted 23 March 2012 - 05:16 AM

Hi,

I wasn't going to blow you off because this is a work PC; I just wanted you to be aware of the possible issues that come with handling an office PC instead of a private one. E.g., if downtime is an issue, that changes the game considerably. Not having a backup of the data on the PC may also have much bigger consequences than on a private PC, etc.

Could you let us know how you fixed it in the end?

regards myrti



#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:02:06 PM

Posted 29 March 2012 - 08:13 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

