
Malware/rootkit removal assistance on Server 2003


14 replies to this topic

#1 smilne

Posted 30 May 2012 - 03:06 AM

Hello,

I have an issue with a Windows 2003 Server that has contracted malware and/or a rootkit. When the malware first infected the system, it corrupted the MBR data and I had to run FIXMBR from the Windows recovery console to get the system to boot properly. I have run scans with both Malwarebytes Anti-Malware and Spybot (see below for the logs of those scans).

After cleaning the system with those programs, the server is still infected. Two randomly named EXE files get created in C:\Windows\Temp and I found suspicious files in C:\Windows\System32. I checked those suspicious files against another server in the same domain with similar hardware and software configurations and the clean system did not have those files, so I backed up the files and deleted them. I have continued to scan with MBAM but the infection is never fully cleaned.

Can someone please assist with cleaning this server?

Thanks.

MBAM Log #1:
------------------------------------------------------------------------------------

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.07

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 6.0.3790.3959
administrator :: ST-SERVER [administrator]

Protection: Enabled

5/29/2012 9:14:08 PM
mbam-log-2012-05-29 (21-14-08).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 168364
Time elapsed: 1 hour(s), 30 minute(s), 45 second(s)

Memory Processes Detected: 2
C:\Documents and Settings\Administrator.STONE-TAPERT\WINDOWS\XXXXXX87FC2E28\svchsot.exe (Trojan.Svchsot) -> 4224 -> Delete on reboot.
C:\WINDOWS\Temp\4caa75a9.exe (Backdoor.Yoddos.gen) -> 3796 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XXXXXX87FC2E28 (Trojan.Svchsot) -> Data: C:\Documents and Settings\Administrator.STONE-TAPERT\WINDOWS\XXXXXX87FC2E28\svchsot.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 61
C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Temp\1\hod1.tmp (Worm.Parite) -> Delete on reboot.
C:\Documents and Settings\Administrator.STONE-TAPERT\WINDOWS\XXXXXX87FC2E28\svchsot.exe (Trojan.Svchsot) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1YBOH27\1[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\O52VKH6R\1[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\bootwin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\RECYCLER\hexwin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\RECYCLER\swin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\009b26a4.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\06fa40f3.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\091a5f3b.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\095d7ba0.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\117b6a84.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1666351f.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\17b55408.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\199a570c.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1bdf340e.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1c2c6493.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1c81717a.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\22562c88.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\23320b01.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\23f15ee7.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2abe1949.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2b844129.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2bd5013a.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2ebd1ba8.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2f0402af.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\30253dc8.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\30633866.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\378a76a5.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\37d7500f.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3bc41ae9.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3d3526da.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3d8a0c51.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\407e7c17.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\40cd75bf.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\42733bf3.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\45280188.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\47100910.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\49424476.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4caa75a9.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\50490ea3.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\525763ab.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\5b2d7717.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\5ea43175.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\5ec47d4e.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\5f417c51.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\642563c8.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\683a515e.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\75cc3fd4.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\77785cc3.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7dbe11f8.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\eouB82F.tmp (Worm.Parite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iluB837.tmp (Worm.Parite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jhuB82C.tmp (Worm.Parite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pmuB838.tmp (Worm.Parite) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bootwin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hexwin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s1.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\bootwin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\hexwin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\swin.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

(end)
------------------------------------------------------------------------------------

MBAM Log #2:
------------------------------------------------------------------------------------

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.07

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 6.0.3790.3959
administrator :: ST-SERVER [administrator]

Protection: Enabled

5/29/2012 10:55:37 PM
mbam-log-2012-05-29 (22-55-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 386571
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Detected: 1
C:\WINDOWS\Temp\69e12dfd.exe (Backdoor.Yoddos.gen) -> 4524 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\SERVICES\Microsoft Devicger (Trojan.Service) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\netsvcs_0x0 (Spyware.OnLineGames) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\WINDOWS\Temp\69e12dfd.exe (Backdoor.Yoddos.gen) -> Quarantined and deleted successfully.
C:\RECYCLER\xpwin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Microsoft Devicger.dll (Trojan.Service) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netsvcs_0x0.dll (Spyware.OnLineGames) -> Quarantined and deleted successfully.

(end)
------------------------------------------------------------------------------------

Spybot Log:
------------------------------------------------------------------------------------
--- Report generated: 2012-05-30 00:21 ---

Pinfi.Parite: [SBI $E5CBCC95] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-507921405-1364589140-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

DoubleClick: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)


FastClick: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)


Right Media: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2012-05-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2012-01-16 Includes\Adware.sbi (*)
2012-05-08 Includes\AdwareC.sbi (*)
2010-08-12 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2012-01-31 Includes\HeavyDuty.sbi (*)
2012-05-16 Includes\Hijackers.sbi (*)
2012-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2012-03-13 Includes\Keyloggers.sbi (*)
2012-03-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2012-04-17 Includes\Malware.sbi (*)
2012-05-16 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2012-05-08 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-01-17 Includes\Spyware.sbi (*)
2012-05-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-27 Includes\Trojans.sbi (*)
2012-05-16 Includes\TrojansC-02.sbi (*)
2012-05-18 Includes\TrojansC-03.sbi (*)
2012-05-21 Includes\TrojansC-04.sbi (*)
2012-05-23 Includes\TrojansC-05.sbi (*)
2012-05-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
------------------------------------------------------------------------------------
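The poster's manual check (comparing System32 on the infected server against a similarly built clean server in the same domain) is a baseline comparison, and it can be made systematic. The script below is an added example written for this thread, not code from the original post or from any of the tools named in it: it inventories two directory trees, hashes every file, and reports files present only on the suspect host, files present only on the reference host, and files that exist on both but differ in content (a tampered system binary would show up here even though its name matches). The two trees it walks are constructed inside a temporary directory for the demonstration; the file names reuse a few from the MBAM log above, but the contents are placeholder bytes, not real samples.

```python
"""Baseline comparison of a suspect directory tree against a known-clean reference.

Added example for this thread (not the original poster's procedure or any vendor tool).
The sample trees built by build_demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict[str, str]:
    """Map each file's path relative to root -> sha256 of its contents.

    Paths are lower-cased because NTFS lookups are case-insensitive, so
    'HexWin.exe' and 'hexwin.exe' must compare as the same entry.
    """
    result: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix().lower()
            result[rel] = sha256_file(full)
    return result


@dataclass
class Diff:
    only_on_suspect: list[str] = field(default_factory=list)    # dropped / planted files
    only_on_reference: list[str] = field(default_factory=list)  # deleted or hidden on suspect
    modified: list[str] = field(default_factory=list)           # same name, different content


def compare(reference: dict[str, str], suspect: dict[str, str]) -> Diff:
    """Classify every path by presence in each inventory and by content hash."""
    diff = Diff()
    for rel, digest in sorted(suspect.items()):
        if rel not in reference:
            diff.only_on_suspect.append(rel)
        elif reference[rel] != digest:
            diff.modified.append(rel)
    diff.only_on_reference = sorted(set(reference) - set(suspect))
    return diff


def build_demo() -> tuple[Path, Path]:
    """Constructed sample trees standing in for system32 on a clean and a suspect host."""
    base = Path(tempfile.mkdtemp(prefix="baseline-"))
    ref = base / "clean" / "system32"
    sus = base / "suspect" / "system32"
    for root in (ref, sus):
        root.mkdir(parents=True)
        (root / "ntfrs.exe").write_bytes(b"placeholder: legitimate ntfrs")
        (root / "dfssvc.exe").write_bytes(b"placeholder: legitimate dfssvc")
    # Files that exist only on the suspect host (names taken from the MBAM log above,
    # contents are placeholders, not malware samples).
    (sus / "bootwin.exe").write_bytes(b"placeholder: dropped backdoor")
    (sus / "netsvcs_0x0.dll").write_bytes(b"placeholder: rogue service dll")
    # Same file name on both hosts but different bytes: a tampered system binary.
    (sus / "dfssvc.exe").write_bytes(b"placeholder: patched dfssvc")
    return ref, sus


def run_demo() -> Diff:
    ref, sus = build_demo()
    return compare(inventory(ref), inventory(sus))


if __name__ == "__main__":
    d = run_demo()
    print("Only on suspect host :", d.only_on_suspect)
    print("Only on reference    :", d.only_on_reference)
    print("Modified on suspect  :", d.modified)
```

Two caveats when running this against real servers. First, the result is only as trustworthy as the view of the file system: a kernel-mode rootkit can hide entries from os.walk on the live suspect host, so take the suspect inventory from a clean boot environment or from the disk mounted on a clean machine, and compare against an inventory taken the same way on the reference host. Second, legitimate binaries will land in "modified" whenever the two servers differ in patch level, so treat that list as a worklist to check against vendor signatures and known-good hashes rather than as a list of malware.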

#2 smilne (Topic Starter)

Posted 30 May 2012 - 03:10 AM

Also, I just noticed that Internet Explorer cannot open any pages. When you attempt to go to a website, a second window opens and then IE freezes and must be killed with Task Manager. In addition, the Automatic Updates tab is missing from the System Properties window.

#3 smilne (Topic Starter)

Posted 30 May 2012 - 05:51 PM

I could not get DDS to run because it is a server operating system; are there any alternatives?

Attached is my GMER log.


#4 Elise (Malware Study Hall Admin)

Posted 05 June 2012 - 01:33 AM

Hello and welcome to BleepingComputer. My name is Elise and I'll assist you with this issue.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise

#5 smilne (Topic Starter)

Posted 05 June 2012 - 11:03 AM

I was actually able to get the server cleaned and running normally again; however, I still ran the scan you suggested in case there is anything lingering. Here are the logs.

OTL:
OTL logfile created on: 6/5/2012 8:08:47 AM - Run 1
OTL by OldTimer - Version 3.2.46.1 Folder = C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.54 Gb Available Physical Memory | 26.83% Memory free
5.35 Gb Paging File | 2.99 Gb Available in Paging File | 55.86% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 89.23 Gb Free Space | 65.90% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 184.97 Gb Free Space | 33.97% Space Free | Partition Type: NTFS
Drive G: | 544.49 Gb Total Space | 184.97 Gb Free Space | 33.97% Space Free | Partition Type: NTFS
Drive H: | 544.49 Gb Total Space | 184.97 Gb Free Space | 33.97% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/05 08:08:32 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\OTL.exe
PRC - [2012/05/30 23:16:30 | 000,609,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_user_customer.exe
PRC - [2012/05/30 23:16:30 | 000,609,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_system_customer.exe
PRC - [2012/05/30 23:16:30 | 000,609,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_service.exe
PRC - [2012/05/30 23:16:30 | 000,609,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_comm_customer.exe
PRC - [2012/05/29 23:12:04 | 000,668,536 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_processfactory.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2011/08/19 11:36:52 | 000,078,184 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\736\g2aprocessfactory.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/12/07 10:14:23 | 000,237,568 | ---- | M] () -- C:\WINDOWS\system32\tardisnt.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:56 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/04 01:56:05 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/06/04 01:56:04 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/06/04 01:56:02 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/06/04 01:56:01 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/06/04 01:56:00 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/06/04 01:55:59 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/06/04 01:55:58 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/06/04 01:55:57 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/06/04 01:55:56 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/06/04 01:55:56 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/06/04 01:55:55 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2692\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/05/31 23:16:39 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\7861cd979ea5db3fb7d30ed94fb0edd2\System.Web.ni.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:16 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8dc4a28c456f81ee7399da21bd9d55aa\System.ServiceProcess.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2012/05/31 23:02:33 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/05/31 23:02:31 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/05/31 23:02:30 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/05/31 23:02:25 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/05/31 23:02:21 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/05/31 23:02:20 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/05/31 23:02:18 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/05/31 23:01:54 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2009/02/01 22:01:14 | 000,316,848 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secreg.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/12/07 10:14:23 | 000,237,568 | ---- | M] () -- C:\WINDOWS\system32\tardisnt.exe
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- "C:\WINDOWS\system32\wscsvc.dll" -- (wscsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS) Windows Internet Name Service (WINS)
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\TEMP\Clt-Inst\vpremote.exe -- (VPREMOTE)
SRV - [2012/05/30 23:16:30 | 000,609,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Running] -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_service.exe -- (GoToAssist Express Customer)
SRV - [2012/05/30 00:48:05 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2011/08/19 11:36:52 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\736\g2aservice.exe -- (GoToAssist)
SRV - [2010/12/10 19:29:30 | 000,044,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/07/28 09:15:56 | 000,135,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/12/07 10:14:23 | 000,237,568 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\tardisnt.exe -- (Tardis)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/10/30 13:42:12 | 000,225,792 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,348,160 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)
SRV - [2007/02/18 05:00:00 | 000,343,552 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,157,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2007/02/18 05:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)
SRV - [2007/02/18 05:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)
SRV - [2007/02/18 05:00:00 | 000,096,256 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,075,776 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr)
SRV - [2007/02/18 05:00:00 | 000,074,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)
SRV - [2007/02/18 05:00:00 | 000,032,256 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2007/02/18 05:00:00 | 000,018,944 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | Disabled | Stop_Pending] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
DRV - [2012/06/05 06:56:32 | 000,054,016 | ---- | M] () [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\bjsdop.sys -- (saeifa)
DRV - [2012/05/30 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/05/30 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2012/05/15 01:00:00 | 001,589,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120604.033\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/05/15 01:00:00 | 000,087,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120604.033\NAVENG.SYS -- (NAVENG)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/12/12 19:23:14 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2007/02/18 05:00:00 | 000,708,608 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2007/02/18 05:00:00 | 000,268,288 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,134,144 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,121,856 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,067,584 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\udfs.sys -- (Udfs)
DRV - [2007/02/18 05:00:00 | 000,057,088 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\aic78xx.sys -- (aic78xx)
DRV - [2007/02/18 05:00:00 | 000,055,296 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\aic78u2.sys -- (aic78u2)
DRV - [2007/02/18 05:00:00 | 000,054,272 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k)
DRV - [2007/02/18 05:00:00 | 000,050,688 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,048,640 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160)
DRV - [2007/02/18 05:00:00 | 000,043,520 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\arc.sys -- (arc)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,041,472 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080)
DRV - [2007/02/18 05:00:00 | 000,041,472 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql1240.sys -- (ql1240)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,036,352 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,034,304 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql10wnt.sys -- (Ql10wnt)
DRV - [2007/02/18 05:00:00 | 000,031,744 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2007/02/18 05:00:00 | 000,029,184 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra)
DRV - [2007/02/18 05:00:00 | 000,028,288 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\perc2.sys -- (perc2)
DRV - [2007/02/18 05:00:00 | 000,028,160 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,026,880 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpn.sys -- (hpn)
DRV - [2007/02/18 05:00:00 | 000,026,624 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,023,552 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpcisss.sys -- (hpcisss)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\i2omp.sys -- (i2omp)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dac960nt.sys -- (dac960nt)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cbidf2k.sys -- (cbidf)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/18 05:00:00 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2007/02/18 05:00:00 | 000,009,216 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cd20xrnt.sys -- (cd20xrnt)
DRV - [2007/02/18 05:00:00 | 000,009,216 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde)
DRV - [2007/02/18 05:00:00 | 000,008,704 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\parvdm.sys -- (Parvdm)
DRV - [2007/02/18 05:00:00 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\intelide.sys -- (IntelIde)
DRV - [2007/02/18 05:00:00 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\amdide.sys -- (AmdIde)
DRV - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\viaide.sys -- (ViaIde)
DRV - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\toside.sys -- (TosIde)
DRV - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde)
DRV - [2007/02/18 05:00:00 | 000,006,272 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\perc2hib.sys -- (perc2hib)
DRV - [2007/02/16 22:58:58 | 000,096,256 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\nv_agp.sys -- (nv_agp)
DRV - [2007/02/16 22:58:57 | 000,047,616 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\uliagpkx.sys -- (uliagpkx)
DRV - [2007/02/16 22:58:54 | 000,044,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp)
DRV - [2007/02/16 22:58:54 | 000,043,520 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\viaagp.sys -- (viaagp)
DRV - [2007/02/16 22:58:53 | 000,046,080 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\agpcpq.sys -- (agpCPQ)
DRV - [2007/02/16 22:58:53 | 000,044,544 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\alim1541.sys -- (alim1541)
DRV - [2007/02/16 22:58:53 | 000,044,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\agp440.sys -- (agp440)
DRV - [2007/02/16 22:58:53 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = C:\dell\homepage\dellhome.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = C:\dell\homepage\dellhome.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-1364589140-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..\SearchScopes,DefaultScope = {87D89A37-942A-46EF-B47A-BC19FA133CAD}
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..\SearchScopes\{87D89A37-942A-46EF-B47A-BC19FA133CAD}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java™ Platform SE 7 U3 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2005/03/25 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\.DEFAULT..\Run: [] File not found
O4 - HKU\.DEFAULT..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe File not found
O4 - HKU\S-1-5-18..\Run: [] File not found
O4 - HKU\S-1-5-18..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe File not found
O4 - HKU\S-1-5-21-507921405-1364589140-1801674531-500..\Run: [] File not found
O4 - HKU\.DEFAULT..\RunOnce: [] File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe -update activex File not found
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [] File not found
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe -update activex File not found
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-507921405-1364589140-1801674531-1003..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bginfo.lnk = C:\bginfo\Bginfo.exe (Sysinternals)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1364589140-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..Trusted Domains: livemeeting.com ([]* in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\736\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\736\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - (C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_winlogon.dll) - C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1994/02/25 13:30:36 | 000,000,000 | R--- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{20e55976-91e6-11db-9db9-00188b42e686}\Shell - "" = AutoRun
O33 - MountPoints2\{20e55976-91e6-11db-9db9-00188b42e686}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{20e55976-91e6-11db-9db9-00188b42e686}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{87fccf3f-39f7-11dc-a0f6-00188b42e686}\Shell - "" = AutoRun
O33 - MountPoints2\{87fccf3f-39f7-11dc-a0f6-00188b42e686}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{87fccf3f-39f7-11dc-a0f6-00188b42e686}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/05 08:08:03 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\OTL.exe
[2012/06/04 08:40:46 | 000,000,000 | ---D | C] -- C:\Program Files\Advisors Assistant
[2012/06/04 08:40:45 | 000,468,928 | ---- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\Gsw32.exe
[2012/06/04 08:40:45 | 000,325,120 | ---- | C] (SnowBound) -- C:\WINDOWS\System32\snbd6w9s.dll
[2012/06/04 08:40:45 | 000,282,112 | ---- | C] (AccuSoft Corporation) -- C:\WINDOWS\System32\ACCUISR5.DLL
[2012/06/04 08:40:45 | 000,263,120 | ---- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\Gswag32.dll
[2012/06/04 08:40:45 | 000,104,384 | ---- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\Gswdll32.dll
[2012/06/04 05:10:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/06/03 15:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Antivirus logs
[2012/06/03 08:12:11 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/05/31 23:45:22 | 000,677,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstsc.exe
[2012/05/31 23:45:22 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aaclient.dll
[2012/05/31 23:45:22 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsgqec.dll
[2012/05/31 23:20:46 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$950099Uinstall_KB968930$
[2012/05/31 23:19:42 | 000,368,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmRes.dll
[2012/05/31 23:19:42 | 000,233,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrscmd.dll
[2012/05/31 23:19:42 | 000,225,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsmanhttpconfig.exe
[2012/05/31 23:19:42 | 000,209,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmWmiPl.dll
[2012/05/31 23:19:42 | 000,144,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmSelPl.dll
[2012/05/31 23:19:42 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmAuto.dll
[2012/05/31 23:19:42 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrs.exe
[2012/05/31 23:19:42 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrmprov.dll
[2012/05/31 23:19:42 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrshost.exe
[2012/05/31 23:19:42 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsmprovhost.exe
[2012/05/31 23:19:42 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsmplpxy.dll
[2012/05/31 23:19:42 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrssrv.dll
[2012/05/31 23:19:42 | 000,003,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmSelrr.dll
[2012/05/31 23:19:42 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrsmgr.dll
[2012/05/31 23:19:41 | 000,178,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wevtfwd.dll
[2012/05/31 23:19:41 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wecutil.exe
[2012/05/31 23:19:41 | 000,070,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wecapi.dll
[2012/05/31 23:19:40 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pwrshplugin.dll
[2012/05/31 21:35:27 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll
[2012/05/31 21:25:58 | 000,421,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2012/05/31 21:23:39 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2012/05/31 21:23:02 | 000,647,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll
[2012/05/31 21:22:40 | 000,888,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll
[2012/05/31 21:22:40 | 000,888,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2012/05/31 21:21:58 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\system.security.dll
[2012/05/31 21:21:58 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspnet_filter.dll
[2012/05/31 21:19:16 | 000,439,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2012/05/31 21:19:16 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdbss.sys
[2012/05/31 21:18:50 | 002,067,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2012/05/31 21:18:42 | 000,134,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ksecdd.sys
[2012/05/31 21:18:42 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wdigest.dll
[2012/05/31 21:18:42 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\secur32.dll
[2012/05/31 21:18:21 | 000,282,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmpdxm.dll
[2012/05/31 21:18:15 | 006,057,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmp.dll
[2012/05/31 21:18:02 | 001,165,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42u.dll
[2012/05/31 21:18:02 | 001,163,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2012/05/31 21:17:43 | 000,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqlogmgr.dll
[2012/05/31 21:17:43 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqbkup.exe
[2012/05/31 21:17:43 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqise.dll
[2012/05/31 21:17:42 | 000,240,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqoa.dll
[2012/05/31 21:17:42 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqtgsvc.exe
[2012/05/31 21:17:42 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqgentr.dll
[2012/05/31 21:17:42 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqcertui.dll
[2012/05/31 21:17:42 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqsvc.exe
[2012/05/31 21:17:41 | 000,155,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqad.dll
[2012/05/31 21:17:41 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqtrig.dll
[2012/05/31 21:17:41 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqac.sys
[2012/05/31 21:17:41 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqperf.dll
[2012/05/31 21:17:40 | 000,200,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqads.dll
[2012/05/31 21:17:40 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqdssvc.exe
[2012/05/31 21:17:40 | 000,054,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqupgrd.dll
[2012/05/31 21:17:40 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqdssrv.dll
[2012/05/31 21:17:40 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqdscli.dll
[2012/05/31 21:17:39 | 000,836,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqqm.dll
[2012/05/31 21:17:39 | 000,540,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqsnap.dll
[2012/05/31 21:17:39 | 000,142,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqsec.dll
[2012/05/31 21:17:39 | 000,125,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqrtdep.dll
[2012/05/31 21:17:38 | 000,180,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqrt.dll
[2012/05/31 21:17:29 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avifil32.dll
[2012/05/31 21:17:29 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iyuv_32.dll
[2012/05/31 21:17:29 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msvidc32.dll
[2012/05/31 21:17:29 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrle32.dll
[2012/05/31 21:17:29 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsbyuv.dll
[2012/05/31 21:17:12 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2012/05/31 21:17:06 | 000,241,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\httpext.dll
[2012/05/31 21:17:03 | 000,762,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2012/05/31 21:15:40 | 000,103,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2012/05/31 21:15:23 | 000,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftpsvc2.dll
[2012/05/31 21:15:20 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2012/05/31 21:14:47 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mf3216.dll
[2012/05/31 21:14:35 | 000,583,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2012/05/31 21:13:26 | 000,109,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2012/05/31 21:12:28 | 000,228,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmasf.dll
[2012/05/31 21:11:56 | 002,491,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2012/05/31 21:11:48 | 000,817,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2012/05/31 21:11:48 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sc.exe
[2012/05/31 21:11:46 | 002,342,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2012/05/31 21:11:31 | 002,451,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2012/05/31 21:11:24 | 002,302,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2012/05/31 21:10:21 | 002,527,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorsvr.dll
[2012/05/31 21:10:21 | 002,514,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorwks.dll
[2012/05/31 21:10:21 | 002,142,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorlib.dll
[2012/05/31 21:10:21 | 001,269,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\system.web.dll
[2012/05/31 21:10:21 | 001,232,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sy52106.dll
[2012/05/31 21:10:21 | 000,258,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspnet_isapi.dll
[2012/05/31 21:10:21 | 000,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorld.dll
[2012/05/31 21:10:21 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorie.dll
[2012/05/31 21:10:21 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\corperfmonext.dll
[2012/05/31 21:10:21 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorsn.dll
[2012/05/31 21:10:21 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspnet_wp.exe
[2012/05/31 21:09:51 | 000,315,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorjit.dll
[2012/05/31 21:09:45 | 002,064,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\system.windows.forms.dll
[2012/05/31 21:09:09 | 000,510,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab32.dll
[2012/05/31 21:09:02 | 000,695,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2012/05/31 21:08:52 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2012/05/31 21:08:30 | 002,854,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msi.dll
[2012/05/31 21:07:09 | 000,152,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2012/05/31 20:55:00 | 000,021,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2012/05/31 20:54:52 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/05/31 17:16:45 | 000,138,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dpcdll.dll
[2012/05/31 17:10:39 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msls31.dll
[2012/05/31 08:13:22 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/05/31 08:11:38 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/05/31 08:07:04 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2012/05/31 08:07:03 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2012/05/31 08:06:53 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2012/05/31 08:05:18 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2012/05/31 08:05:18 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2012/05/31 08:05:17 | 002,000,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2012/05/31 08:05:16 | 011,082,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2012/05/31 08:05:16 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2012/05/30 23:17:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/30 23:16:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\Start Menu\Programs\Citrix
[2012/05/30 23:16:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Downloads
[2012/05/30 23:15:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\Start Menu\Programs\Google Chrome
[2012/05/30 07:28:47 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\dds.scr
[2012/05/30 00:48:04 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/29 23:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/05/29 23:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/05/29 23:52:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/05/29 12:53:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\corebins
[2012/05/29 12:40:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/05/29 11:31:04 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2012/05/29 11:30:53 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2012/05/27 19:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\kk
[2012/05/27 19:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\bb
[2012/05/27 19:38:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\193805
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/05 08:08:32 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\OTL.exe
[2012/06/05 08:06:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1364589140-1801674531-1686UA.job
[2012/06/05 08:05:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/06/05 07:00:08 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/06/05 07:00:06 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/06/05 06:56:32 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\bjsdop.sys
[2012/06/05 00:53:07 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/05 00:53:07 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/04 18:06:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1364589140-1801674531-1686Core.job
[2012/06/04 09:00:06 | 000,000,634 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\CWTIA.lnk
[2012/06/04 08:59:38 | 000,000,634 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\Chuck.lnk
[2012/06/04 08:44:11 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/06/04 08:19:45 | 000,102,248 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\GoToAssistDownloadHelper.exe
[2012/06/04 02:01:07 | 000,611,391 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/06/04 01:55:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/04 01:53:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/04 01:53:04 | 000,000,496 | ---- | M] () -- C:\WINDOWS\DCEBOOT.RST
[2012/06/04 01:48:04 | 000,102,400 | ---- | M] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2012/06/04 01:40:50 | 000,317,310 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\census.cache
[2012/06/04 01:40:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\ars.cache
[2012/06/03 15:07:22 | 000,002,629 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\DameWare NT Utilities.lnk
[2012/06/03 15:07:02 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\housecall.guid.cache
[2012/06/02 07:51:31 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2012/06/02 06:48:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defragd.job
[2012/05/31 23:45:47 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/05/31 23:09:45 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/31 20:35:16 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/05/31 17:17:52 | 000,001,367 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Security Configuration Wizard.lnk
[2012/05/31 07:49:31 | 000,722,432 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Administrator.STONE-TAPERT\gotomypc_428.exe
[2012/05/31 07:46:40 | 000,057,344 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\g2mdlhlpx.exe
[2012/05/31 07:21:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/30 23:16:03 | 000,110,456 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\g2ax_customer_downloadhelper_win32_x86.exe
[2012/05/30 23:15:31 | 000,002,417 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/05/30 07:31:13 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\86nloyr3.exe
[2012/05/30 07:28:03 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\dds.scr
[2012/05/30 07:26:50 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Defogger.exe
[2012/05/30 00:48:04 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/30 00:48:04 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/05/29 12:48:04 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2012/05/29 12:46:26 | 001,572,918 | ---- | M] () -- C:\WINDOWS\BGInfo.bmp
[2012/05/29 12:46:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\Default
[2012/05/29 12:45:58 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/05/29 12:36:22 | 000,000,457 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/05/29 12:33:11 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/05/29 12:33:11 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/05/29 12:33:06 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2012/05/29 12:19:52 | 000,023,760 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/05/29 12:18:25 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\Remote Desktop Connection.lnk
[2012/05/29 12:16:26 | 000,000,208 | -HS- | M] () -- C:\boot.ini
[2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) -- C:\WINDOWS\System32\drivers\percsas.sys
[2012/05/27 19:41:17 | 001,053,240 | ---- | M] () -- C:\WINDOWS\setupapi.old
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/05 06:56:32 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\bjsdop.sys
[2012/06/04 09:00:06 | 000,000,634 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\CWTIA.lnk
[2012/06/04 08:59:38 | 000,000,634 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\Chuck.lnk
[2012/06/04 08:19:45 | 000,102,248 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\GoToAssistDownloadHelper.exe
[2012/06/04 01:53:01 | 000,000,496 | ---- | C] () -- C:\WINDOWS\DCEBOOT.RST
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/06/04 01:40:50 | 000,317,310 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\census.cache
[2012/06/04 01:40:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\ars.cache
[2012/06/03 15:07:02 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\housecall.guid.cache
[2012/05/31 23:19:42 | 000,002,426 | ---- | C] () -- C:\WINDOWS\System32\WsmTxt.xsl
[2012/05/31 23:19:42 | 000,001,559 | ---- | C] () -- C:\WINDOWS\System32\WsmPty.xsl
[2012/05/31 23:19:42 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\winrmprov.mof
[2012/05/31 23:19:42 | 000,000,696 | ---- | C] () -- C:\WINDOWS\System32\WsmSelRg.xml
[2012/05/31 23:19:41 | 000,201,184 | ---- | C] () -- C:\WINDOWS\System32\winrm.vbs
[2012/05/31 23:19:41 | 000,000,035 | ---- | C] () -- C:\WINDOWS\System32\winrm.cmd
[2012/05/31 21:25:59 | 000,735,440 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msimain.sdb
[2012/05/31 21:10:21 | 000,066,600 | ---- | C] () -- C:\WINDOWS\System32\dllcache\togac.exe
[2012/05/31 21:10:21 | 000,066,600 | ---- | C] () -- C:\WINDOWS\System32\dllcache\setregni.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/31 07:19:50 | 000,002,629 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\DameWare NT Utilities.lnk
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/30 23:15:31 | 000,002,417 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/05/30 07:31:17 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\86nloyr3.exe
[2012/05/30 07:28:49 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Defogger.exe
[2012/05/30 00:48:05 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/29 12:46:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\Default
[2012/05/29 11:30:07 | 000,112,975 | ---- | C] () -- C:\WINDOWS\System32\dllcache\UDDI.CAT
[2012/05/29 11:30:07 | 000,082,025 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sasetup.CAT
[2012/05/29 11:30:07 | 000,071,199 | ---- | C] () -- C:\WINDOWS\System32\dllcache\adminpak.CAT
[2012/05/29 11:30:07 | 000,066,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NETFX.CAT
[2012/05/29 11:30:07 | 000,030,616 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SCW.CAT
[2012/05/29 11:30:07 | 000,023,518 | ---- | C] () -- C:\WINDOWS\System32\dllcache\admt.cat
[2012/05/29 11:30:07 | 000,022,310 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FXSCAT.CAT
[2012/05/29 11:30:06 | 000,067,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP5.CAT
[2012/05/29 11:30:06 | 000,015,770 | ---- | C] () -- C:\WINDOWS\System32\dllcache\INS.CAT
[2012/05/29 11:30:06 | 000,014,610 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2012/05/29 11:30:06 | 000,010,172 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2012/05/29 11:30:06 | 000,008,571 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2012/05/29 11:30:05 | 001,994,359 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2012/05/29 11:30:05 | 001,402,437 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2012/05/29 11:30:05 | 000,682,720 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2012/03/05 09:55:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\hex1.exe
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini

< End of report >


Extras:
OTL Extras logfile created on: 6/5/2012 8:08:47 AM - Run 1
OTL by OldTimer - Version 3.2.46.1 Folder = C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.54 Gb Available Physical Memory | 26.83% Memory free
5.35 Gb Paging File | 2.99 Gb Available in Paging File | 55.86% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 89.23 Gb Free Space | 65.90% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 184.97 Gb Free Space | 33.97% Space Free | Partition Type: NTFS
Drive G: | 544.49 Gb Total Space | 184.97 Gb Free Space | 33.97% Space Free | Partition Type: NTFS
Drive H: | 544.49 Gb Total Space | 184.97 Gb Free Space | 33.97% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "D:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"123:UDP" = 123:UDP:*:Enabled:NTP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"d:\Program Files\Symantec\Backup Exec\pvlsvr.exe" = d:\Program Files\Symantec\Backup Exec\pvlsvr.exe:*:Enabled:Backup Exec Device & Media Service -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\beserver.exe" = d:\Program Files\Symantec\Backup Exec\beserver.exe:*:Enabled:Backup Exec Server -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\bengine.exe" = d:\Program Files\Symantec\Backup Exec\bengine.exe:*:Enabled:Backup Exec Job Engine -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\beremote.exe" = d:\Program Files\Symantec\Backup Exec\beremote.exe:*:Enabled:Backup Exec Remote Agent for Windows Systems -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\benetns.exe" = d:\Program Files\Symantec\Backup Exec\benetns.exe:*:Enabled:Backup Exec Agent Browser -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\alertServer.exe" = d:\Program Files\Symantec\Backup Exec\alertServer.exe:*:Enabled:Backup Exec Alert Server

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"d:\Program Files\Symantec\Backup Exec\pvlsvr.exe" = d:\Program Files\Symantec\Backup Exec\pvlsvr.exe:*:Enabled:Backup Exec Device & Media Service -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\beserver.exe" = d:\Program Files\Symantec\Backup Exec\beserver.exe:*:Enabled:Backup Exec Server -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\bengine.exe" = d:\Program Files\Symantec\Backup Exec\bengine.exe:*:Enabled:Backup Exec Job Engine -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\beremote.exe" = d:\Program Files\Symantec\Backup Exec\beremote.exe:*:Enabled:Backup Exec Remote Agent for Windows Systems -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\benetns.exe" = d:\Program Files\Symantec\Backup Exec\benetns.exe:*:Enabled:Backup Exec Agent Browser -- (Symantec Corporation)
"d:\Program Files\Symantec\Backup Exec\alertServer.exe" = d:\Program Files\Symantec\Backup Exec\alertServer.exe:*:Enabled:Backup Exec Alert Server


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{04F59FC7-E7CB-4E48-8923-62E7A436A5AE}" = AAStationInstallConditions
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0ADA2703-45D1-4B0D-9BBB-3DF83C6E7F99}" = AdvisorsAssistantFileTransfer
"{0D61D68B-DF5E-4635-82C7-B0C53F0A581B}" = Microsoft SQL Server 2005 Backward compatibility
"{0DAA9912-3FE2-4B84-B926-8D7F71A8A99A}" = Microsoft SQL Server 2005 Reporting Services (ADVISORSASSIST)
"{21B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{25331195-4E18-11D7-9D73-0008C7223F91}" = Zoom V.92 PCI Voice Faxmodem
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 21
"{26A24AE4-039D-4CA4-87B4-2F83217003FF}" = Java™ 7 Update 3
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (BKUPEXEC)
"{314D881D-384C-4A04-993D-F0876D21EAA5}" = Symantec Backup Exec for Windows Servers (Hotfix 10)
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3A0E46D2-D124-48A4-A936-9729FB7715FE}" = Symantec Backup Exec for Windows Servers (Hotfix 20)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40DA090B-64E9-41C9-BC16-6D3BEA5A8E16}" = Symantec Backup Exec for Windows Servers (Hotfix 30)
"{40E27BC4-2003-41C7-B4D3-E636B8DAF969}" = AAUpdateConditions
"{41A01180-D9FD-3428-9FD6-749F4C637CBF}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"{44025E80-44C3-416F-98DC-AE09CCFD57FD}" = Advisors Assistant Version 2 Conversion
"{47653B97-E079-454D-8DB9-B323E388FF93}" = Symantec Endpoint Protection Manager
"{4966AE07-55D8-4D91-85A1-0F97A4DDA603}" = Symantec Backup Exec for Windows Servers (Hotfix 6)
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50BC2CC7-C3E0-4ADB-B5A1-C26CDAA9A99F}" = Symantec Backup Exec for Windows Servers (Hotfix 38)
"{51C3F2C4-2FD8-48C1-8301-E660A6A84992}" = Symantec Backup Exec for Windows Servers (Hotfix 9)
"{520C5E07-E4D0-407D-B94D-E9F2D9208016}" = Acronis True Image Echo Enterprise Server
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5A1A9AB2-2F68-462D-A67D-7C855DFF5EEB}" = Microsoft Network Monitor: NetworkMonitor Parsers 3.4
"{5D42FAD4-3C0B-4CA8-B840-205B83A06125}" = Symantec Backup Exec for Windows Servers (Hotfix 2)
"{5E9E538A-308B-4342-A54E-CE3A8015DB18}" = Advisors Assistant Server Utilities
"{63934E99-A4F7-478C-8BB0-259BB9D78FFF}" = Microsoft Report Viewer Redistributable 2005
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (PRESENTS)
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{76CF1D9F-2285-48A5-B897-6EB978B221AA}" = Symantec Backup Exec for Windows Servers (Hotfix 13)
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{89C7A9F7-2C31-4739-842D-F037B6C9B674}" = Dell OpenManage Server Administrator
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{905D1B7B-FC03-4A5E-9198-143CA02D9059}" = Advisors Assistant Server Component
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{9111DFCB-DDB2-4E49-8DF7-91F623D14BF6}" = Symantec Backup Exec for Windows Servers (Hotfix 29)
"{91B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{92FCCD86-7737-41CC-A700-7FE6015CE01A}" = Symantec Backup Exec for Windows Servers (Hotfix 27)
"{9A6329B8-9383-4D6F-BC0B-9E8CB1F8B5EA}" = Advisors Assistant Station Program
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CDD9119-D625-4B91-B2D1-11C08D485E44}" = Symantec Backup Exec for Windows Servers (Hotfix 15)
"{9DA4493A-480C-4554-A02C-4B542D33A1D9}" = ManageEngine NetFlow Analyzer 7.5
"{A2F2C44A-869E-4C32-9CEC-E22B1CC91F06}" = Microsoft Network Monitor 3.4
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A98AFBC7-D5A7-46A1-8795-EABE2F55A7D6}" = Microsoft Office Live Meeting 2007
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B0F9497C-52B4-4686-8E73-74D866BBDF59}" = Microsoft SQL Server 2005 (ADVISORSASSIST)
"{B3C91427-E6A6-405C-980E-1EB3AE1F041D}" = Symantec Backup Exec for Windows Servers (Hotfix 16)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BA62EF4E-BD43-4BF8-B10A-72B79ABE195B}" = Symantec Backup Exec for Windows Servers (Service Pack 3)
"{BAAB98AF-E4B6-4A2F-A3D7-296BADB7FE2E}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BEA465C8-2923-42C6-9141-BE44739A6A80}" = Symantec Backup Exec for Windows Servers
"{BEE9E48B-BA8F-48DC-A63E-E0FD477A8FCB}" = Symantec Backup Exec for Windows Servers (Hotfix 11)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}" = Symantec Endpoint Protection
"{C3F5DBA5-ABFC-443E-AA60-928223AADF53}" = Microsoft SQL Server 2005
"{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}" = Microsoft Group Policy Management Console with SP1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0FAC044-FBEC-4605-9649-9BF12D977E87}" = Symantec Backup Exec for Windows Servers (Hotfix 24)
"{D147EA10-4361-41A7-A4DB-D84024D06D35}" = Symantec Backup Exec for Windows Servers (Hotfix 35)
"{D6AFA160-5CF3-4C84-A2E6-18615BE014D9}" = ManageEngine OpManager 8.0
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{DFC22BCF-1371-4DF5-B8D3-E2F3B4CCB19A}" = Symantec Backup Exec for Windows Servers (Hotfix 21)
"{E0B27188-A15E-4C64-AE49-85E8EF46184B}" = Reporting Agents (Symantec Corporation)
"{E1A85893-2CF7-4155-9731-453B858A07B0}" = Symantec Backup Exec for Windows Servers (Hotfix 23)
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E65928F8-937C-476E-83CB-16CC3376BA8A}" = Symantec Backup Exec for Windows Servers (Service Pack 2)
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{EA687A74-7AE0-4CB2-B01F-303748E7D5A9}" = Symantec Backup Exec for Windows Servers (Service Pack 1)
"{EA98753C-CB1C-4216-AC09-7EC3D3F62BAF}" = DameWare NT Utilities
"{F07F0BCD-5C6D-4499-9F05-6ED747078A72}" = Windows Support Tools
"{F0E8F664-CAC6-4104-A4F9-4373F0633495}" = Acronis Disk Director Server
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{FF7CF098-176D-4C8E-A39C-E33074252ED8}" = Symantec Backup Exec for Windows Servers (Hotfix 19)
"9161A261-6ABE-4668-BBFA-AD06B3F642CF" = Microsoft Exchange
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced IP Scanner v1.5" = Advanced IP Scanner v1.5
"Advanced Mass Sender 4.3" = Advanced Mass Sender 4.3
"Advisors Assistant 2.8" = Advisors Assistant 2.8
"ATI Display Driver" = ATI Display Driver
"ESET Online Scanner" = ESET Online Scanner v3
"GoToAssist" = GoToAssist Corporate
"GoToAssist Express Customer" = GoToAssist Customer 1.6.0.403
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Report Viewer Redistributable 2005" = Microsoft Report Viewer Redistributable 2005
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2010 Tools for Office Runtime (x86)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"Symantec Backup Exec 11.0" = Symantec Backup Exec ™ 11d for Windows Servers
"Unlocker" = Unlocker 1.8.7
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/4/2012 11:19:11 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWH5553.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:12 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWH5EB4.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:14 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWH9574.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:15 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWHB928.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:17 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWHCE0D.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:19 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWHD878.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:20 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWHF145.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/4/2012 11:19:22 PM | Computer Name = ST-SERVER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Documents and Settings\Administrator.STONE-TAPERT\Local
Settings\Temp\DWHFFA7.tmp by: Scheduled scan. Action: Quarantine succeeded. Action
Description: The file was quarantined successfully.

Error - 6/5/2012 1:30:38 AM | Computer Name = ST-SERVER | Source = Backup Exec | ID = 57860
Description = An error occurred while attempting to log in to the following server:
"ST-SERVER". SQL error number: "000E". SQL error message: "[DBNETLIB][ConnectionOpen
(Invalid Instance()).]Invalid connection. ". For more information, click the following
link: http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml

Error - 6/5/2012 4:57:48 AM | Computer Name = ST-SERVER | Source = Report Server Windows Service (ADVISORSASSIST) | ID = 107
Description = Report Server Windows Service (ADVISORSASSIST) cannot connect to the
report server database.

[ Directory Service Events ]
Error - 5/29/2012 5:27:09 PM | Computer Name = ST-SERVER | Source = NTDS Replication | ID = 2426919
Description =

Error - 5/29/2012 5:34:12 PM | Computer Name = ST-SERVER | Source = NTDS Inter-site Messaging | ID = 1866
Description = The Intersite Messaging service received the following extended error
string information from LDAP. Extended error string: Additional Data LDAP error value:
34
Unavailable WIN32 extended error value: 0 The operation completed successfully.

Error - 5/29/2012 5:34:12 PM | Computer Name = ST-SERVER | Source = NTDS Inter-site Messaging | ID = 1866
Description = The Intersite Messaging service received the following extended error
string information from LDAP. Extended error string: Additional Data LDAP error value:
51
Server Down WIN32 extended error value: 0 The operation completed successfully.

Error - 5/29/2012 5:35:14 PM | Computer Name = ST-SERVER | Source = NTDS Inter-site Messaging | ID = 1866
Description = The Intersite Messaging service received the following extended error
string information from LDAP. Extended error string: Additional Data LDAP error value:
51
Server Down WIN32 extended error value: 0 The operation completed successfully.

Error - 5/30/2012 2:25:44 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 5/30/2012 2:47:48 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 5/30/2012 3:27:10 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 5/31/2012 2:43:57 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 5/31/2012 3:17:31 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

Error - 5/31/2012 4:36:00 AM | Computer Name = ST-SERVER | Source = NTDS Backup | ID = 1913
Description = Internal error: The Active Directory backup and restore operation
encountered an unexpected error. Backup or restore will not succeed until this is
corrected. Additional Data Error value: 1084 This service cannot be started in
Safe Mode Internal ID: 160200fa

[ DNS Server Events ]
Error - 5/29/2012 5:37:39 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 5/29/2012 5:37:39 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 5/29/2012 5:37:39 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone stone-tapert.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 5/29/2012 5:40:16 PM | Computer Name = ST-SERVER | Source = DNS | ID = 7502
Description = The DNS server was unable to service a client request due a shortage
of available memory. Close any applications not in use or reboot the computer to
free memory.

Error - 5/29/2012 5:40:39 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4000
Description = The DNS server was unable to open Active Directory. This DNS server
is
configured to obtain and use information from the directory for this zone and is
unable to load the zone without it. Check that the Active Directory is functioning
properly and reload the zone. The event data is the error code.

Error - 5/31/2012 4:02:08 PM | Computer Name = ST-SERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 6/1/2012 2:06:55 AM | Computer Name = ST-SERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check
that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 6/1/2012 2:06:55 AM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory
for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 6/1/2012 2:06:55 AM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 6/1/2012 2:06:55 AM | Computer Name = ST-SERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone stone-tapert.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

[ System Events ]
Error - 6/3/2012 11:07:41 AM | Computer Name = ST-SERVER | Source = TermService | ID = 1041
Description = Autoreconnect failed to reconnect user to session because authentication
failed. (0x0)

Error - 6/3/2012 11:18:49 AM | Computer Name = ST-SERVER | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft SQL Server 2005 Express Edition with Advanced
Services Service Pack 3 (KB955706).

Error - 6/4/2012 4:47:09 AM | Computer Name = ST-SERVER | Source = TermService | ID = 1041
Description = Autoreconnect failed to reconnect user to session because authentication
failed. (0x0)

Error - 6/4/2012 4:53:50 AM | Computer Name = ST-SERVER | Source = WLBS | ID = 458787
Description = NLB Cluster 0.0.0.0 : Cluster mode cannot be enabled due to parameter
errors. All traffic will be passed through to TCP/IP. Restart cluster operations
after fixing the problem by running 'wlbs reload' followed by 'wlbs start'.

Error - 6/4/2012 4:53:50 AM | Computer Name = ST-SERVER | Source = WLBS | ID = 458787
Description = NLB Cluster 0.0.0.0 : Cluster mode cannot be enabled due to parameter
errors. All traffic will be passed through to TCP/IP. Restart cluster operations
after fixing the problem by running 'wlbs reload' followed by 'wlbs start'.

Error - 6/4/2012 4:56:36 AM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7000
Description = The 55A71E73 service failed to start due to the following error: %%2

Error - 6/4/2012 4:56:36 AM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7022
Description = The System Event Notification service hung on starting.

Error - 6/4/2012 4:56:36 AM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7000
Description = The Security Center service failed to start due to the following error:
%%1083

Error - 6/4/2012 4:56:58 AM | Computer Name = ST-SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
crcdisk

Error - 6/4/2012 11:21:47 AM | Computer Name = ST-SERVER | Source = DCOM | ID = 10010
Description = The server {B63661CA-CE82-413D-9999-3456EB4849C5} did not register
with DCOM within the required timeout.


< End of report >
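
The Extras report above ends with the registry settings a helper looks at first: what launches .exe, .com, .bat, .cmd, .pif and .scr files (the "Shell Spawning" block), whether Security Center monitoring has been switched off, and whether the Windows Firewall is enabled per profile. The Python script below is an added example written for this page, not code from OTL or from this thread: it parses those three sections out of an OTL Extras report and tags each finding with a severity. The sample input is a constructed excerpt in OTL's layout whose values mirror the report above.

```python
"""Triage of an OTL Extras report (added example, not OTL's own code).

Parses the Shell Spawning, Security Center and Firewall sections and reports
settings a defender would follow up on.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in OTL's Extras layout; values mirror the report posted above.
SAMPLE_OTL = r"""========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")          # ========== Name ==========
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')       # "Name" = data
SPAWN_RE = re.compile(r"^(\S+) \[([^\]]+)\] -- (.*)$")  # class [verb] -- command

# Stock launch commands for these classes; anything else routes every program
# (or screensaver) launch through some other binary.
EXPECTED_SPAWN: Dict[Tuple[str, str], str] = {
    ("exefile", "open"): '"%1" %*', ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*', ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*', ("scrfile", "open"): '"%1" /S',
}

Values = Dict[Tuple[str, str, str], str]   # (section, registry key, value name) -> data
Spawns = Dict[Tuple[str, str], str]        # (file class, verb) -> command


def parse_otl_extras(text: str) -> Tuple[Values, Spawns]:
    """Walk the report line by line, tracking the current section and key."""
    values: Values = {}
    spawns: Spawns = {}
    section = key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), ""
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key:
            values[(section, key, m.group(1))] = m.group(2).strip()
        elif (m := SPAWN_RE.match(line)) and section == "Shell Spawning":
            spawns[(m.group(1), m.group(2))] = m.group(3).strip()
    return values, spawns


def triage(values: Values, spawns: Spawns) -> List[str]:
    """Turn parsed settings into severity-tagged findings."""
    findings: List[str] = []
    for (cls, verb), expected in EXPECTED_SPAWN.items():
        actual = spawns.get((cls, verb))
        if actual is None:
            findings.append(f"INFO   {cls} [{verb}] not listed in report")
        elif actual != expected:
            findings.append(f"HIGH   {cls} [{verb}] runs {actual!r}, expected {expected!r} (possible launch hijack)")
    for (cls, verb), cmd in spawns.items():
        if cmd.startswith("Reg Error"):
            findings.append(f"INFO   {cls} [{verb}] key unreadable: {cmd}")
    for (_, key, name), data in values.items():
        leaf = key.rsplit("\\", 1)[-1]        # DomainProfile, SymantecAntiVirus, ...
        if name == "EnableFirewall" and data == "0":
            findings.append(f"MEDIUM Windows Firewall disabled for {leaf}")
        elif name == "DisableMonitoring" and data == "1":
            # AV products often set this themselves; confirm with the product vendor.
            findings.append(f"LOW    Security Center monitoring disabled for {leaf}")
    return findings


def triage_report(text: str) -> List[str]:
    return triage(*parse_otl_extras(text))


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_OTL)))
```

On the sample this reports the firewall disabled in both the domain and standard profiles and the disabled Symantec monitoring entry (a LOW finding, because AV products commonly set that value themselves), while the exefile and related entries match the stock values and so produce no HIGH finding. Feeding it a report in which `exefile [open]` points at another binary is what produces the HIGH line.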

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:36 AM

Posted 05 June 2012 - 12:03 PM

Unfortunately not everything seems clean.

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :otl
    DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
    DRV - [2012/06/05 06:56:32 | 000,054,016 | ---- | M] () [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\bjsdop.sys -- (saeifa)
    [2012/06/05 07:00:08 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
    [2012/06/05 07:00:06 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
    
    :commands
    [emptytemp]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
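
The Farbar Service Scanner log requested above ends with a "File Check" section that lists each checked system file with its created and modified timestamps, size, attributes, signer and MD5, or flags it as missing. Because FSS checks a fixed list of files, some of which belong to newer Windows versions than Server 2003, a "missing" line on its own proves little; the useful comparison is against the same tool's output from a known-clean host in the same domain, which is the approach the original poster already used for the suspect System32 files. The Python script below is an added example written for this page, not code from FSS or from this thread. Both log excerpts are constructed in FSS's layout: the paths are ones FSS checks, but the timestamps and hash values are placeholders and the file name sample_service.dll is invented.

```python
"""Compare a Farbar Service Scanner "File Check" section against the same
section captured on a known-clean host (added example; not FSS's own code)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed excerpts in the FSS File Check layout. Timestamps, sizes and MD5
# values are placeholders; sample_service.dll is an invented file name.
SUSPECT_LOG = r"""File Check:
========

ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\afd.sys
[2007-02-18 05:00] - [2011-12-27 07:13] - 0150528 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF

ATTENTION!=====> C:\WINDOWS\system32\sample_service.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\rpcss.dll
[2012-05-31 21:11] - [2009-02-09 04:02] - 0486912 ____A (Microsoft Corporation) FEDCBA9876543210FEDCBA9876543210
"""

BASELINE_LOG = r"""File Check:
========

ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\afd.sys
[2007-02-18 05:00] - [2011-12-27 07:13] - 0150528 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF

C:\WINDOWS\system32\sample_service.dll
[2007-02-18 05:00] - [2007-02-18 05:00] - 0012345 ____A (Microsoft Corporation) 0123456789ABCDEFFEDCBA9876543210

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\rpcss.dll
[2007-02-18 05:00] - [2009-02-09 04:02] - 0486912 ____A (Microsoft Corporation) FEDCBA98765432100123456789ABCDEF
"""

MISSING_RE = re.compile(r"^ATTENTION!=+> (.+?) FILE IS MISSING")
LEGIT_RE = re.compile(r"^(\S+) => MD5 is legit$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
# [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(r"^\[(.+?)\] - \[(.+?)\] - (\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$")


class FileInfo(NamedTuple):
    status: str                     # "present", "missing" or "legit"
    md5: Optional[str] = None
    size: Optional[int] = None
    created: Optional[str] = None


def parse_file_check(text: str) -> Dict[str, FileInfo]:
    """Parse the File Check section; keys are lower-cased paths (Windows is case-insensitive)."""
    start = text.find("File Check:")
    body = text[start:] if start >= 0 else text
    entries: Dict[str, FileInfo] = {}
    pending: Optional[str] = None       # path line waiting for its detail line
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MISSING_RE.match(line):
            entries[m.group(1).lower()] = FileInfo("missing")
            pending = None
        elif m := LEGIT_RE.match(line):
            entries[m.group(1).lower()] = FileInfo("legit")
            pending = None
        elif (m := DETAIL_RE.match(line)) and pending:
            entries[pending] = FileInfo("present", m.group(6).upper(), int(m.group(3)), m.group(1))
            pending = None
        elif PATH_RE.match(line):
            pending = line.lower()
    return entries


def compare(suspect: Dict[str, FileInfo], baseline: Dict[str, FileInfo]) -> List[str]:
    """Severity-tagged differences between the suspect host and the clean host."""
    findings: List[str] = []
    for path in sorted(set(suspect) | set(baseline)):
        s, b = suspect.get(path), baseline.get(path)
        if s is None or b is None:
            findings.append(f"INFO {path}: checked on only one host")
        elif s.status == "missing" and b.status == "missing":
            findings.append(f"INFO {path}: absent on both hosts, so not part of this Windows build")
        elif s.status == "missing":
            findings.append(f"HIGH {path}: missing on suspect host, present on clean host")
        elif b.status == "missing":
            findings.append(f"MEDIUM {path}: present on suspect host but absent on clean host")
        elif s.status == "present" and b.status == "present" and s.md5 != b.md5:
            findings.append(f"HIGH {path}: MD5 {s.md5} differs from clean host ({b.md5}); "
                            f"created {s.created} vs {b.created}; rule out a patch-level difference")
        else:
            findings.append(f"OK   {path}")
    return findings


if __name__ == "__main__":
    print("\n".join(compare(parse_file_check(SUSPECT_LOG), parse_file_check(BASELINE_LOG))))
```

On the constructed pair this reports nsisvc.dll as absent on both hosts (informational), afd.sys and wuaueng.dll as matching, and two HIGH findings: sample_service.dll missing only on the suspect host, and rpcss.dll with a different MD5 and a much newer creation timestamp. A hash mismatch between two servers at different patch levels is normal, so the created timestamp and the signer field are printed alongside to help decide whether the difference is an update or a replaced file.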


#7 smilne

smilne
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 06 June 2012 - 05:16 PM

For the OTL fix, I did not include the lines to remove the scheduled tasks, those relate to the Volume Shadow Copy service and are valid and required. However, when running the OTL fix, it locked up the server and it had to be hard booted; this happened twice. I am not willing to run the OTL fix again as I cannot have the server go down again.

Regarding FSS, I see that it shows a lot of things are disabled and sys files are missing so I ran this scan on another server in the same domain that has not been infected and the logs had similar messages.
Anyway, here is the FSS log:
****************************************************************
Farbar Service Scanner Version: 05-06-2012
Ran by administrator (administrator) on 06-06-2012 at 15:12:11
Running from "C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop"
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.

tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of wscsvc: ""C:\WINDOWS\system32\wscsvc.dll"".


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========

ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\afd.sys
[2007-02-18 05:00] - [2011-12-27 07:13] - 0150528 ____A (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B


ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-02-18 05:00] - [2009-08-15 02:57] - 0393216 ____A (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3

C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 11:38] - [2009-04-20 11:38] - 0045568 ____A (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B


ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\vssvc.exe
[2007-02-18 05:00] - [2007-02-18 05:00] - 0836096 ____A (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916


ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-02-17 07:03] - [2007-02-17 07:03] - 0143360 ____A (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2007-02-17 07:03] - [2007-02-18 05:00] - 0380928 ____A (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C

C:\WINDOWS\system32\es.dll
[2008-04-29 14:33] - [2008-04-29 14:33] - 0247296 ____A (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C

C:\WINDOWS\system32\cryptsvc.dll
[2007-02-18 05:00] - [2007-02-18 05:00] - 0056320 ____A (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4

C:\WINDOWS\system32\svchost.exe
[2007-02-18 05:00] - [2007-02-18 05:00] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\WINDOWS\system32\rpcss.dll
[2012-05-31 21:11] - [2009-02-09 04:02] - 0486912 ____A (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE



**** End of log ****
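The FSS log above is machine-generated, and on a Windows Server 2003 host a good share of its ATTENTION lines are artefacts of the tool checking for components that only exist from Vista onward. The following is an added triage script (my own example, not code from this thread or from Farbar's tool) that parses the line shapes FSS emits and separates what is worth acting on from what is expected on this OS. The sample log is constructed and cut down from the one posted; the `NOT_SHIPPED_ON_SERVER_2003` set is an assumption about which components Server 2003 lacks and should be confirmed against a known-clean host of the same build, as the original poster already did for the suspicious files.

```python
import re

# Constructed sample in the shape of Farbar Service Scanner (FSS) output, cut
# down from the log posted in this thread; it is not the full log.
SAMPLE_FSS_LOG = r'''
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
wscsvc Service is not running. Checking service configuration:
The ServiceDll of wscsvc: ""C:\WINDOWS\system32\wscsvc.dll"".
ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-02-18 05:00] - [2009-08-15 02:57] - 0393216 ____A (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3
ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
'''

# One pattern per line shape FSS emits, tried in this order.
PATTERNS = {
    "missing_key": re.compile(r"Unable to open (\S+) registry key"),
    "servicedll": re.compile(r'^The ServiceDll of (\S+): "+(.+?)"+\.\s*$'),
    "fw_profile": re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+)\]$"),
    "fw_value": re.compile(r'^"EnableFirewall"=DWORD:(\d+)$'),
    "missing_file": re.compile(r"^ATTENTION!=====> (.+?) FILE IS MISSING"),
    "file_info": re.compile(r"^\[.+?\] - \[.+?\] - (\d+) \S+ \((.*?)\) ([0-9A-F]{32})$"),
    "path": re.compile(r"^([A-Za-z]:\\.+)$"),
}

# Assumption, to be confirmed against a known-clean host of the same build:
# these components arrived with Vista and are not shipped on Server 2003 / XP,
# so FSS calling them "missing" there is noise. Security Center (wscsvc) is in
# the same category, so a *registered* wscsvc service whose ServiceDll does not
# exist is something to investigate rather than a file to restore.
NOT_SHIPPED_ON_SERVER_2003 = {
    "mpssvc", "mpssvc.dll", "bfe", "bfe.dll", "mpsdrv.sys", "sdrsvc",
    "sdrsvc.dll", "nsisvc.dll", "nsiproxy.sys", "tdx.sys", "wscsvc.dll",
}


def parse_fss(text):
    """Pull the machine-readable facts out of an FSS log into one dict."""
    report = {"missing_keys": [], "servicedll": {}, "firewall_policy": {},
              "missing_files": [], "file_hashes": {}}
    profile = None    # firewall profile whose EnableFirewall value comes next
    last_path = None  # path whose "[date] - [date] - size ... md5" line comes next
    for line in (l.strip() for l in text.splitlines()):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                break
        else:
            continue  # headers, separators, blank lines
        if kind == "missing_key" and m.group(1) not in report["missing_keys"]:
            report["missing_keys"].append(m.group(1))
        elif kind == "servicedll":
            report["servicedll"][m.group(1)] = m.group(2)
        elif kind == "fw_profile":
            profile = m.group(1)
        elif kind == "fw_value" and profile is not None:
            report["firewall_policy"][profile] = int(m.group(1))
            profile = None
        elif kind == "missing_file":
            report["missing_files"].append(m.group(1))
        elif kind == "file_info" and last_path is not None:
            report["file_hashes"][last_path] = (int(m.group(1)), m.group(2), m.group(3))
            last_path = None
        elif kind == "path":
            last_path = m.group(1)
    return report


def triage(report, not_shipped=NOT_SHIPPED_ON_SERVER_2003):
    """Split FSS ATTENTION items into real findings and OS-version noise."""
    findings, noise = [], []
    referenced = {p.rsplit("\\", 1)[-1].lower(): svc  # dll basename -> service
                  for svc, p in report["servicedll"].items()}
    for path in report["missing_files"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if name not in not_shipped:
            findings.append(("missing_file", path))
        elif name in referenced:
            findings.append(("unexpected_service_key", referenced[name], path))
        else:
            noise.append(path)
    for key in report["missing_keys"]:
        if key.lower() in not_shipped:
            noise.append(key)
        else:
            findings.append(("missing_service_key", key))
    for profile, enabled in report["firewall_policy"].items():
        if enabled == 0:
            findings.append(("firewall_disabled_by_policy", profile))
    return findings, noise
```

Run against the sample, `triage()` drops tdx.sys and the MpsSvc key as OS-version noise and keeps three items: a wscsvc service registered on an OS that does not ship Security Center, and `EnableFirewall=0` in both firewall profiles. The firewall policy is a common administrator choice on a domain controller, so confirm it with whoever runs the box before treating it as part of the compromise. For any file FSS reports as present but which you suspect, compare size and MD5 against the same file on the clean server, as the poster did, rather than trusting the date stamps, which can be set arbitrarily.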

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:36 AM

Posted 07 June 2012 - 01:18 AM

Hi, are your internet and related applications running correctly?

Please post me a new OTL log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#9 smilne

smilne
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 07 June 2012 - 02:39 AM

Yes, everything is running normally and has been stable for about 5 days. Here is the latest OTL log:

OTL logfile created on: 6/6/2012 11:21:42 PM - Run 3
OTL by OldTimer - Version 3.2.46.1 Folder = C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.44 Gb Available Physical Memory | 22.22% Memory free
5.35 Gb Paging File | 3.48 Gb Available in Paging File | 65.12% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 87.66 Gb Free Space | 64.74% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 185.10 Gb Free Space | 34.00% Space Free | Partition Type: NTFS
Drive G: | 544.49 Gb Total Space | 185.10 Gb Free Space | 34.00% Space Free | Partition Type: NTFS
Drive H: | 544.49 Gb Total Space | 185.10 Gb Free Space | 34.00% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/05 08:08:32 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\OTL.exe
PRC - [2012/05/29 23:12:04 | 000,668,536 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_processfactory.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2011/08/19 11:36:52 | 000,078,184 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\736\g2aprocessfactory.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/13 17:26:51 | 000,846,336 | ---- | M] (Sysinternals) -- C:\bginfo\Bginfo.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/12/07 10:14:23 | 000,237,568 | ---- | M] () -- C:\WINDOWS\system32\tardisnt.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:56 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/06 06:49:09 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/06/06 06:49:09 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/06/06 06:49:07 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/06/06 06:49:06 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/06/06 06:49:05 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/06/06 06:49:04 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/06/06 06:49:02 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/06/06 06:49:00 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/06/06 06:48:59 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/06/06 06:48:58 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/06/06 06:48:57 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-2760\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/05/31 23:16:39 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\7861cd979ea5db3fb7d30ed94fb0edd2\System.Web.ni.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:16 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8dc4a28c456f81ee7399da21bd9d55aa\System.ServiceProcess.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2012/05/31 23:02:33 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/05/31 23:02:31 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/05/31 23:02:30 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/05/31 23:02:25 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/05/31 23:02:21 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/05/31 23:02:20 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/05/31 23:02:18 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/05/31 23:01:54 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/12/07 10:14:23 | 000,237,568 | ---- | M] () -- C:\WINDOWS\system32\tardisnt.exe
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- "C:\WINDOWS\system32\wscsvc.dll" -- (wscsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS) Windows Internet Name Service (WINS)
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [On_Demand | Stopped] -- C:\TEMP\Clt-Inst\vpremote.exe -- (VPREMOTE)
SRV - [2012/05/30 23:16:30 | 000,609,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_service.exe -- (GoToAssist Express Customer)
SRV - [2012/05/30 00:48:05 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2011/08/19 11:36:52 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\736\g2aservice.exe -- (GoToAssist)
SRV - [2010/12/10 19:29:30 | 000,044,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/07/28 09:15:56 | 000,135,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/12/07 10:14:23 | 000,237,568 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\tardisnt.exe -- (Tardis)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/10/30 13:42:12 | 000,225,792 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,348,160 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)
SRV - [2007/02/18 05:00:00 | 000,343,552 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,157,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2007/02/18 05:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)
SRV - [2007/02/18 05:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)
SRV - [2007/02/18 05:00:00 | 000,096,256 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,075,776 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr)
SRV - [2007/02/18 05:00:00 | 000,074,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)
SRV - [2007/02/18 05:00:00 | 000,032,256 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2007/02/18 05:00:00 | 000,018,944 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
DRV - [2012/06/06 21:57:05 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/06/06 12:13:42 | 000,054,016 | ---- | M] () [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\nogshd.sys -- (iyofq)
DRV - [2012/05/30 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/05/30 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2012/05/15 01:00:00 | 001,589,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120606.020\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/05/15 01:00:00 | 000,087,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120606.020\NAVENG.SYS -- (NAVENG)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/12/12 19:23:14 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2007/02/18 05:00:00 | 000,708,608 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2007/02/18 05:00:00 | 000,268,288 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,151,040 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\fastfat.sys -- (Fastfat)
DRV - [2007/02/18 05:00:00 | 000,134,144 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,121,856 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,067,584 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\udfs.sys -- (Udfs)
DRV - [2007/02/18 05:00:00 | 000,057,088 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\aic78xx.sys -- (aic78xx)
DRV - [2007/02/18 05:00:00 | 000,055,296 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\aic78u2.sys -- (aic78u2)
DRV - [2007/02/18 05:00:00 | 000,054,272 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k)
DRV - [2007/02/18 05:00:00 | 000,050,688 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,048,640 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160)
DRV - [2007/02/18 05:00:00 | 000,043,520 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\arc.sys -- (arc)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,041,472 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080)
DRV - [2007/02/18 05:00:00 | 000,041,472 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql1240.sys -- (ql1240)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,036,352 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,034,304 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql10wnt.sys -- (Ql10wnt)
DRV - [2007/02/18 05:00:00 | 000,031,744 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2007/02/18 05:00:00 | 000,029,184 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra)
DRV - [2007/02/18 05:00:00 | 000,028,288 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\perc2.sys -- (perc2)
DRV - [2007/02/18 05:00:00 | 000,028,160 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,026,880 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpn.sys -- (hpn)
DRV - [2007/02/18 05:00:00 | 000,026,624 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,023,552 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpcisss.sys -- (hpcisss)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\i2omp.sys -- (i2omp)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dac960nt.sys -- (dac960nt)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cbidf2k.sys -- (cbidf)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/18 05:00:00 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2007/02/18 05:00:00 | 000,009,216 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cd20xrnt.sys -- (cd20xrnt)
DRV - [2007/02/18 05:00:00 | 000,009,216 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde)
DRV - [2007/02/18 05:00:00 | 000,008,704 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\parvdm.sys -- (Parvdm)
DRV - [2007/02/18 05:00:00 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\intelide.sys -- (IntelIde)
DRV - [2007/02/18 05:00:00 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\amdide.sys -- (AmdIde)
DRV - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\viaide.sys -- (ViaIde)
DRV - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\toside.sys -- (TosIde)
DRV - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde)
DRV - [2007/02/18 05:00:00 | 000,006,272 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\perc2hib.sys -- (perc2hib)
DRV - [2007/02/16 22:58:58 | 000,096,256 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\nv_agp.sys -- (nv_agp)
DRV - [2007/02/16 22:58:57 | 000,047,616 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\uliagpkx.sys -- (uliagpkx)
DRV - [2007/02/16 22:58:54 | 000,044,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp)
DRV - [2007/02/16 22:58:54 | 000,043,520 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\viaagp.sys -- (viaagp)
DRV - [2007/02/16 22:58:53 | 000,046,080 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\agpcpq.sys -- (agpCPQ)
DRV - [2007/02/16 22:58:53 | 000,044,544 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\alim1541.sys -- (alim1541)
DRV - [2007/02/16 22:58:53 | 000,044,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\agp440.sys -- (agp440)
DRV - [2007/02/16 22:58:53 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = C:\dell\homepage\dellhome.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = C:\dell\homepage\dellhome.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-1364589140-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..\SearchScopes,DefaultScope = {87D89A37-942A-46EF-B47A-BC19FA133CAD}
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..\SearchScopes\{87D89A37-942A-46EF-B47A-BC19FA133CAD}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-507921405-1364589140-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java™ Platform SE 7 U3 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2005/03/25 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Config] C:\WINDOWS\Config\svchsot.exe File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\.DEFAULT..\Run: [] File not found
O4 - HKU\.DEFAULT..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe File not found
O4 - HKU\S-1-5-18..\Run: [] File not found
O4 - HKU\S-1-5-18..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe File not found
O4 - HKU\S-1-5-21-507921405-1364589140-1801674531-500..\Run: [] File not found
O4 - HKU\.DEFAULT..\RunOnce: [] File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe -update activex File not found
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [] File not found
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe -update activex File not found
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-507921405-1364589140-1801674531-1003..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1364589140-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1364589140-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\S-1-5-21-507921405-1364589140-1801674531-500\..Trusted Domains: livemeeting.com ([]* in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\736\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\736\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - (C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_winlogon.dll) - C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1994/02/25 13:30:36 | 000,000,000 | R--- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{20e55976-91e6-11db-9db9-00188b42e686}\Shell - "" = AutoRun
O33 - MountPoints2\{20e55976-91e6-11db-9db9-00188b42e686}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{20e55976-91e6-11db-9db9-00188b42e686}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{87fccf3f-39f7-11dc-a0f6-00188b42e686}\Shell - "" = AutoRun
O33 - MountPoints2\{87fccf3f-39f7-11dc-a0f6-00188b42e686}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{87fccf3f-39f7-11dc-a0f6-00188b42e686}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/06 18:56:56 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/06/05 10:08:20 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/06/05 08:08:03 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\OTL.exe
[2012/06/04 08:40:46 | 000,000,000 | ---D | C] -- C:\Program Files\Advisors Assistant
[2012/06/04 08:40:45 | 000,468,928 | ---- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\Gsw32.exe
[2012/06/04 08:40:45 | 000,325,120 | ---- | C] (SnowBound) -- C:\WINDOWS\System32\snbd6w9s.dll
[2012/06/04 08:40:45 | 000,282,112 | ---- | C] (AccuSoft Corporation) -- C:\WINDOWS\System32\ACCUISR5.DLL
[2012/06/04 08:40:45 | 000,263,120 | ---- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\Gswag32.dll
[2012/06/04 08:40:45 | 000,104,384 | ---- | C] (Bits Per Second Ltd) -- C:\WINDOWS\System32\Gswdll32.dll
[2012/06/03 15:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Antivirus logs
[2012/06/03 08:12:11 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/05/31 23:45:22 | 000,677,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstsc.exe
[2012/05/31 23:45:22 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aaclient.dll
[2012/05/31 23:45:22 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsgqec.dll
[2012/05/31 23:20:46 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$950099Uinstall_KB968930$
[2012/05/31 23:19:42 | 000,368,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmRes.dll
[2012/05/31 23:19:42 | 000,233,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrscmd.dll
[2012/05/31 23:19:42 | 000,225,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsmanhttpconfig.exe
[2012/05/31 23:19:42 | 000,209,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmWmiPl.dll
[2012/05/31 23:19:42 | 000,144,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmSelPl.dll
[2012/05/31 23:19:42 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmAuto.dll
[2012/05/31 23:19:42 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrs.exe
[2012/05/31 23:19:42 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrmprov.dll
[2012/05/31 23:19:42 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrshost.exe
[2012/05/31 23:19:42 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsmprovhost.exe
[2012/05/31 23:19:42 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsmplpxy.dll
[2012/05/31 23:19:42 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrssrv.dll
[2012/05/31 23:19:42 | 000,003,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WsmSelrr.dll
[2012/05/31 23:19:42 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrsmgr.dll
[2012/05/31 23:19:41 | 000,178,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wevtfwd.dll
[2012/05/31 23:19:41 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wecutil.exe
[2012/05/31 23:19:41 | 000,070,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wecapi.dll
[2012/05/31 23:19:40 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pwrshplugin.dll
[2012/05/31 21:35:27 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll
[2012/05/31 21:25:58 | 000,421,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2012/05/31 21:23:39 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2012/05/31 21:23:02 | 000,647,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll
[2012/05/31 21:22:40 | 000,888,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll
[2012/05/31 21:22:40 | 000,888,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2012/05/31 21:21:58 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\system.security.dll
[2012/05/31 21:21:58 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspnet_filter.dll
[2012/05/31 21:19:16 | 000,439,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2012/05/31 21:19:16 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdbss.sys
[2012/05/31 21:18:50 | 002,067,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2012/05/31 21:18:42 | 000,134,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ksecdd.sys
[2012/05/31 21:18:42 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wdigest.dll
[2012/05/31 21:18:42 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\secur32.dll
[2012/05/31 21:18:21 | 000,282,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmpdxm.dll
[2012/05/31 21:18:15 | 006,057,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmp.dll
[2012/05/31 21:18:02 | 001,165,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42u.dll
[2012/05/31 21:18:02 | 001,163,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2012/05/31 21:17:43 | 000,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqlogmgr.dll
[2012/05/31 21:17:43 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqbkup.exe
[2012/05/31 21:17:43 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqise.dll
[2012/05/31 21:17:42 | 000,240,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqoa.dll
[2012/05/31 21:17:42 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqtgsvc.exe
[2012/05/31 21:17:42 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqgentr.dll
[2012/05/31 21:17:42 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqcertui.dll
[2012/05/31 21:17:42 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqsvc.exe
[2012/05/31 21:17:41 | 000,155,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqad.dll
[2012/05/31 21:17:41 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqtrig.dll
[2012/05/31 21:17:41 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqac.sys
[2012/05/31 21:17:41 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqperf.dll
[2012/05/31 21:17:40 | 000,200,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqads.dll
[2012/05/31 21:17:40 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqdssvc.exe
[2012/05/31 21:17:40 | 000,054,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqupgrd.dll
[2012/05/31 21:17:40 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqdssrv.dll
[2012/05/31 21:17:40 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqdscli.dll
[2012/05/31 21:17:39 | 000,836,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqqm.dll
[2012/05/31 21:17:39 | 000,540,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqsnap.dll
[2012/05/31 21:17:39 | 000,142,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqsec.dll
[2012/05/31 21:17:39 | 000,125,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqrtdep.dll
[2012/05/31 21:17:38 | 000,180,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mqrt.dll
[2012/05/31 21:17:29 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avifil32.dll
[2012/05/31 21:17:29 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iyuv_32.dll
[2012/05/31 21:17:29 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msvidc32.dll
[2012/05/31 21:17:29 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrle32.dll
[2012/05/31 21:17:29 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsbyuv.dll
[2012/05/31 21:17:12 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2012/05/31 21:17:06 | 000,241,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\httpext.dll
[2012/05/31 21:17:03 | 000,762,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2012/05/31 21:15:40 | 000,103,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2012/05/31 21:15:23 | 000,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftpsvc2.dll
[2012/05/31 21:15:20 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2012/05/31 21:14:47 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mf3216.dll
[2012/05/31 21:14:35 | 000,583,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2012/05/31 21:13:26 | 000,109,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2012/05/31 21:12:28 | 000,228,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmasf.dll
[2012/05/31 21:11:56 | 002,491,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2012/05/31 21:11:48 | 000,817,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2012/05/31 21:11:48 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sc.exe
[2012/05/31 21:11:46 | 002,342,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2012/05/31 21:11:31 | 002,451,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2012/05/31 21:11:24 | 002,302,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2012/05/31 21:10:21 | 002,527,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorsvr.dll
[2012/05/31 21:10:21 | 002,514,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorwks.dll
[2012/05/31 21:10:21 | 002,142,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorlib.dll
[2012/05/31 21:10:21 | 001,269,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\system.web.dll
[2012/05/31 21:10:21 | 001,232,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sy52106.dll
[2012/05/31 21:10:21 | 000,258,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspnet_isapi.dll
[2012/05/31 21:10:21 | 000,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorld.dll
[2012/05/31 21:10:21 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorie.dll
[2012/05/31 21:10:21 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\corperfmonext.dll
[2012/05/31 21:10:21 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorsn.dll
[2012/05/31 21:10:21 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspnet_wp.exe
[2012/05/31 21:09:51 | 000,315,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mscorjit.dll
[2012/05/31 21:09:45 | 002,064,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\system.windows.forms.dll
[2012/05/31 21:09:09 | 000,510,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab32.dll
[2012/05/31 21:09:02 | 000,695,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2012/05/31 21:08:52 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2012/05/31 21:08:30 | 002,854,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msi.dll
[2012/05/31 21:07:09 | 000,152,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2012/05/31 20:55:00 | 000,021,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2012/05/31 20:54:52 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/05/31 17:16:45 | 000,138,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dpcdll.dll
[2012/05/31 17:10:39 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msls31.dll
[2012/05/31 08:13:22 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/05/31 08:11:38 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/05/31 08:07:04 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2012/05/31 08:07:03 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2012/05/31 08:06:53 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2012/05/31 08:05:18 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2012/05/31 08:05:18 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2012/05/31 08:05:17 | 002,000,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2012/05/31 08:05:16 | 011,082,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2012/05/31 08:05:16 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2012/05/30 23:17:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/30 23:16:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\Start Menu\Programs\Citrix
[2012/05/30 23:16:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Downloads
[2012/05/30 23:15:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STONE-TAPERT\Start Menu\Programs\Google Chrome
[2012/05/30 07:28:47 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\dds.scr
[2012/05/30 00:48:04 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/29 23:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/05/29 23:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/05/29 23:52:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/05/29 12:53:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\corebins
[2012/05/29 12:40:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/05/29 11:31:04 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2012/05/29 11:30:53 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2012/05/27 19:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\kk
[2012/05/27 19:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\bb
[2012/05/27 19:38:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\193805
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/06 23:06:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1364589140-1801674531-1686UA.job
[2012/06/06 23:05:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/06/06 21:57:05 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/06/06 18:06:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1364589140-1801674531-1686Core.job
[2012/06/06 16:28:39 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/06/06 15:12:00 | 000,338,059 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\FSS.exe
[2012/06/06 12:13:42 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\nogshd.sys
[2012/06/06 12:00:20 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/06/06 12:00:05 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/06/06 06:54:11 | 000,628,560 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/06/06 06:53:13 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/06 06:53:13 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/06 06:46:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/05 10:32:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/05 08:08:32 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\OTL.exe
[2012/06/04 09:00:06 | 000,000,634 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\CWTIA.lnk
[2012/06/04 08:59:38 | 000,000,634 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\Chuck.lnk
[2012/06/04 08:19:45 | 000,102,248 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\GoToAssistDownloadHelper.exe
[2012/06/04 01:53:04 | 000,000,496 | ---- | M] () -- C:\WINDOWS\DCEBOOT.RST
[2012/06/04 01:48:04 | 000,102,400 | ---- | M] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2012/06/04 01:40:50 | 000,317,310 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\census.cache
[2012/06/04 01:40:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\ars.cache
[2012/06/03 15:07:22 | 000,002,629 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\DameWare NT Utilities.lnk
[2012/06/03 15:07:02 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\housecall.guid.cache
[2012/06/02 07:51:31 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2012/06/02 06:48:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defragd.job
[2012/05/31 23:45:47 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/05/31 23:09:45 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/31 20:35:16 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/05/31 17:17:52 | 000,001,367 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Security Configuration Wizard.lnk
[2012/05/31 07:49:31 | 000,722,432 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Administrator.STONE-TAPERT\gotomypc_428.exe
[2012/05/31 07:46:40 | 000,057,344 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\g2mdlhlpx.exe
[2012/05/31 07:21:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/30 23:16:03 | 000,110,456 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\g2ax_customer_downloadhelper_win32_x86.exe
[2012/05/30 23:15:31 | 000,002,417 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/05/30 07:31:13 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\86nloyr3.exe
[2012/05/30 07:28:03 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\dds.scr
[2012/05/30 07:26:50 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Defogger.exe
[2012/05/30 00:48:04 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/30 00:48:04 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/05/29 12:48:04 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2012/05/29 12:46:26 | 001,572,918 | ---- | M] () -- C:\WINDOWS\BGInfo.bmp
[2012/05/29 12:46:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\Default
[2012/05/29 12:45:58 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/05/29 12:36:22 | 000,000,457 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/05/29 12:33:11 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/05/29 12:33:11 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/05/29 12:33:06 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2012/05/29 12:19:52 | 000,023,760 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/05/29 12:18:25 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\Remote Desktop Connection.lnk
[2012/05/29 12:16:26 | 000,000,208 | -HS- | M] () -- C:\boot.ini
[2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) -- C:\WINDOWS\System32\drivers\percsas.sys
[2012/05/27 19:41:17 | 001,053,240 | ---- | M] () -- C:\WINDOWS\setupapi.old
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/06 15:11:54 | 000,338,059 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\FSS.exe
[2012/06/06 12:13:42 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\nogshd.sys
[2012/06/04 09:00:06 | 000,000,634 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\CWTIA.lnk
[2012/06/04 08:59:38 | 000,000,634 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\Chuck.lnk
[2012/06/04 08:19:45 | 000,102,248 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\GoToAssistDownloadHelper.exe
[2012/06/04 01:53:01 | 000,000,496 | ---- | C] () -- C:\WINDOWS\DCEBOOT.RST
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/06/04 01:40:50 | 000,317,310 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\census.cache
[2012/06/04 01:40:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\ars.cache
[2012/06/03 15:07:02 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Local Settings\Application Data\housecall.guid.cache
[2012/05/31 23:19:42 | 000,002,426 | ---- | C] () -- C:\WINDOWS\System32\WsmTxt.xsl
[2012/05/31 23:19:42 | 000,001,559 | ---- | C] () -- C:\WINDOWS\System32\WsmPty.xsl
[2012/05/31 23:19:42 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\winrmprov.mof
[2012/05/31 23:19:42 | 000,000,696 | ---- | C] () -- C:\WINDOWS\System32\WsmSelRg.xml
[2012/05/31 23:19:41 | 000,201,184 | ---- | C] () -- C:\WINDOWS\System32\winrm.vbs
[2012/05/31 23:19:41 | 000,000,035 | ---- | C] () -- C:\WINDOWS\System32\winrm.cmd
[2012/05/31 21:25:59 | 000,735,440 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msimain.sdb
[2012/05/31 21:10:21 | 000,066,600 | ---- | C] () -- C:\WINDOWS\System32\dllcache\togac.exe
[2012/05/31 21:10:21 | 000,066,600 | ---- | C] () -- C:\WINDOWS\System32\dllcache\setregni.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/31 07:19:50 | 000,002,629 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Desktop\DameWare NT Utilities.lnk
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/30 23:15:31 | 000,002,417 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/05/30 07:31:17 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\86nloyr3.exe
[2012/05/30 07:28:49 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Administrator.STONE-TAPERT\My Documents\Defogger.exe
[2012/05/30 00:48:05 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/29 12:46:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\Default
[2012/05/29 11:30:07 | 000,112,975 | ---- | C] () -- C:\WINDOWS\System32\dllcache\UDDI.CAT
[2012/05/29 11:30:07 | 000,082,025 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sasetup.CAT
[2012/05/29 11:30:07 | 000,071,199 | ---- | C] () -- C:\WINDOWS\System32\dllcache\adminpak.CAT
[2012/05/29 11:30:07 | 000,066,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NETFX.CAT
[2012/05/29 11:30:07 | 000,030,616 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SCW.CAT
[2012/05/29 11:30:07 | 000,023,518 | ---- | C] () -- C:\WINDOWS\System32\dllcache\admt.cat
[2012/05/29 11:30:07 | 000,022,310 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FXSCAT.CAT
[2012/05/29 11:30:06 | 000,067,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP5.CAT
[2012/05/29 11:30:06 | 000,015,770 | ---- | C] () -- C:\WINDOWS\System32\dllcache\INS.CAT
[2012/05/29 11:30:06 | 000,014,610 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2012/05/29 11:30:06 | 000,010,172 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2012/05/29 11:30:06 | 000,008,571 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2012/05/29 11:30:05 | 001,994,359 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2012/05/29 11:30:05 | 001,402,437 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2012/05/29 11:30:05 | 000,682,720 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2012/03/05 09:55:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\hex1.exe
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini

< End of report >


Extras:
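The OTL "Files Created" and "Files Modified" sections above are long, and the entries that matter in this thread are the ones the poster already noticed by eye: short or all-digit directory names dropped under WINDOWS (kk, bb, 193805), executables with no company name in System32 or drivers (nogshd.sys, the zero-byte hex1.exe), and randomly named EXEs in WINDOWS\Temp. The following script is an added example, not code from this thread or from OTL: it parses lines in OTL's format, applies those heuristics, and reproduces the cross-server comparison the poster did by hand. The sample lines are excerpted from the report above except the WINDOWS\Temp entry and the "clean peer" reference list, which are constructed. Note that it flags nogshd.sys exactly as the analyst did, and the thread goes on to show why a hash check has to follow a heuristic hit.

```python
import re
from typing import Dict, Iterable, List, Optional

# One OTL "Files Created / Modified" entry looks like
#   [2012/06/06 12:13:42 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\nogshd.sys
# Directory entries have no "(company)" group; files without version info have an empty "()".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")
# Locations where a company-less executable or an oddly named folder deserves a look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
TEMP_DIR = r"c:\windows\temp"


def parse_otl_line(line: str) -> Optional[dict]:
    """Fields of one OTL entry, or None for blank and summary lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["is_dir"] = "D" in entry["attrs"]
    entry["company"] = entry["company"] or ""
    return entry


def _split(path: str):
    """Lower-cased (parent, basename) of a Windows path."""
    parent, _, name = path.lower().rstrip("\\").rpartition("\\")
    return parent, name


def triage(entry: dict) -> List[str]:
    """Heuristics taken from this thread: short or all-digit folder names under WINDOWS,
    company-less executables in system directories, droppers in WINDOWS\\Temp, zero-byte EXEs."""
    reasons: List[str] = []
    parent, name = _split(entry["path"])
    if entry["is_dir"]:
        if parent in SYSTEM_DIRS and (name.isdigit() or (name.isalpha() and len(name) <= 3)):
            reasons.append("random-looking directory name in a system directory")
        return reasons
    if not name.endswith(EXECUTABLE_EXT):
        return reasons
    if parent == TEMP_DIR or parent.startswith(TEMP_DIR + "\\"):
        reasons.append("executable dropped in WINDOWS\\Temp")
    if parent in SYSTEM_DIRS and not entry["company"]:
        reasons.append("executable in a system directory with no company name")
    if entry["size"] == 0 and parent.startswith(r"c:\windows"):
        reasons.append("zero-byte executable")
    return reasons


def triage_report(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Flagged path -> reasons; clean and unparsable lines are dropped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_otl_line(line)
        if not entry:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged


def only_in_suspect(suspect: Iterable[str], reference: Iterable[str]) -> List[str]:
    """Paths in the suspect report that a clean peer's report does not have."""
    ref_paths = {e["path"].lower() for e in map(parse_otl_line, reference) if e}
    return [e["path"] for e in map(parse_otl_line, suspect) if e and e["path"].lower() not in ref_paths]


# Excerpted from the report above; the WINDOWS\Temp line is constructed.
SAMPLE_LOG = [
    r"[2012/06/06 12:13:42 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\nogshd.sys",
    r"[2012/05/31 21:11:48 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sc.exe",
    r"[2012/05/31 21:10:21 | 000,066,600 | ---- | C] () -- C:\WINDOWS\System32\dllcache\togac.exe",
    r"[2012/05/29 12:53:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\corebins",
    r"[2012/05/27 19:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\kk",
    r"[2012/05/27 19:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\bb",
    r"[2012/05/27 19:38:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\193805",
    r"[2012/03/05 09:55:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\hex1.exe",
    r"[2012/05/29 11:02:10 | 000,081,920 | ---- | C] () -- C:\WINDOWS\Temp\xk3f9q.exe",  # constructed
    r"[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]",
]
# Constructed stand-in for the same section of a clean peer server's report.
REFERENCE_LOG = [
    r"[2012/05/31 21:11:48 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sc.exe",
    r"[2012/05/31 21:10:21 | 000,066,600 | ---- | C] () -- C:\WINDOWS\System32\dllcache\togac.exe",
    r"[2012/05/29 12:53:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\corebins",
]

if __name__ == "__main__":
    for path, reasons in triage_report(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
    print("only on suspect:", only_in_suspect(SAMPLE_LOG, REFERENCE_LOG))
```

Feed it the "Files Created" section of both servers' OTL reports and the intersection of the two lists (flagged on the suspect, absent on the peer) is the short list to hash and look up, rather than delete on sight. dllcache is deliberately not in SYSTEM_DIRS, so hotfix staging such as togac.exe above is not reported.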

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
Posted 07 June 2012 - 04:05 AM

Please upload the following file to http://www.virustotal.com
C:\WINDOWS\system32\drivers\nogshd.sys

(if you don't see it, type the name in manually, then click Open).

Please link me to the scan results.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 smilne
  • Topic Starter
  • Members
  • 8 posts

Posted 07 June 2012 - 09:17 AM

Here are the Virus Total results:

https://www.virustotal.com/file/3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516/analysis/1339078504/

According to one of the comments, it is part of MBAM and should disappear after the next reboot.

http://forums.malwarebytes.org/index.php?showtopic=99093&hl=3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516&fromsearch=1

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
Posted 07 June 2012 - 11:26 AM

That's indeed correct: the MD5 shows it is MBAM's driver, which most likely wasn't correctly unloaded/removed.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise


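Two posts above, the verdict on nogshd.sys rests on a hash: the VirusTotal link carries the sample's SHA-256 in its path, and the MD5 on the report is what identified the file as MBAM's driver. Before accepting a "known good" verdict from a link someone else sent, it is worth confirming that the report really is for the bytes on your disk. The script below is an added example, not code from this thread or from any tool it mentions: it hashes a file in chunks, pulls the SHA-256 out of a VirusTotal report URL of the shape linked above, checks the two agree, and matches the MD5 against a local allowlist. The allowlist entry and the sample bytes are constructed placeholders, not real MBAM driver hashes.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Report URLs of the shape https://www.virustotal.com/file/<sha256>/analysis/<ts>/
# carry the sample's SHA-256 as a 64-character hex path component.
VT_HASH_RE = re.compile(r"/file/([0-9a-fA-F]{64})(?=/|$)")

# Constructed allowlist: MD5 -> label. A real one would hold the vendor's
# published digests for the driver build in question; this value is a placeholder.
KNOWN_GOOD_MD5 = {
    "900150983cd24fb0d6963f7d28e17f72": "example-known-good-driver",
}


def _digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 over a stream of chunks in a single pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory sample."""
    return _digests([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digests of a file on disk, read in chunks so a large driver need not fit in memory."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def sha256_from_vt_url(url: str) -> Optional[str]:
    """SHA-256 embedded in a VirusTotal file-report URL, or None if the URL has none."""
    m = VT_HASH_RE.search(url)
    return m.group(1).lower() if m else None


def vt_url_for(data: bytes) -> str:
    """Report URL for these exact bytes, built the same way as the link above."""
    return "https://www.virustotal.com/file/%s/analysis/" % hash_bytes(data)["sha256"]


def report_matches_sample(url: str, data: bytes) -> bool:
    """True only when the linked report is for exactly these bytes."""
    expected = sha256_from_vt_url(url)
    return expected is not None and expected == hash_bytes(data)["sha256"]


def identify(data: bytes, allowlist: Dict[str, str] = KNOWN_GOOD_MD5) -> Optional[str]:
    """Allowlist label if the sample's MD5 is known good, else None."""
    return allowlist.get(hash_bytes(data)["md5"])


if __name__ == "__main__":
    # Constructed stand-in for the driver bytes; on the server this would be
    # hash_file(r"C:\WINDOWS\system32\drivers\nogshd.sys").
    sample = b"abc"
    link = "https://www.virustotal.com/file/3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516/analysis/1339078504/"
    print(hash_bytes(sample))
    print("report is for this file:", report_matches_sample(link, sample))
    print("allowlist label:", identify(sample))
```

A mismatch between the URL's hash and the local file means the report describes some other sample, so its verdict says nothing about what is running on the server. MD5 is kept only because vendor lists of that era were published as MD5; SHA-256 is the value to record and compare going forward.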


#13 smilne
  • Topic Starter
  • Members
  • 8 posts

Posted 10 June 2012 - 05:09 PM

Ok, Adobe Reader is up to date. The ESET online scanner is what cleaned most of the infection that MBAM and Spybot couldn't fully remove. I just finished another scan and it came up clean.

I'm not sure if it helps, but here's an HJT log. A couple of things to note about the log:

1. The location of the smss.exe process is incorrect in the HJT log, that file/folder does not exist on the server. I used Process Explorer to confirm that the smss.exe process is actually located in C:\Windows\System32. So I'm not sure why or how HJT is picking up that location.
2. The F2 entry is being displayed and from what I've read, should be removed if it shows in the HJT log. However, the actual text of the entry seems correct. I checked the registry entry against another non-infected server in this domain and the value in the registry is correct, so I'm not sure why HJT is picking it up.
3. Regarding the O10 entry, the file is definitely not in that location but internet access works fine, so I wasn't sure if I still needed to run the LSPFix tool.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:39:51 PM, on 6/10/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.STONE-TAPERT\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
D:\Program Files\Symantec\Backup Exec\beremote.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.6\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\tardisnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Citrix\GoToAssist\736\G2AProcessFactory.exe
C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_processfactory.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\1\Temporary Directory 1 for ProcessExplorer[1].zip\procexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-507921405-1364589140-1801674531-1003\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'bkupexec')
O4 - HKUS\S-1-5-21-507921405-1364589140-1801674531-1019\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'DianeK')
O4 - HKUS\S-1-5-21-507921405-1364589140-1801674531-1165\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Joann')
O4 - HKUS\S-1-5-21-507921405-1364589140-1801674531-1627\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'joanne')
O4 - HKUS\S-1-5-21-507921405-1364589140-1801674531-1648\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'admin2')
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.stone-tapert\windows\system32\mswsock.dll' missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\Software\..\Telephony: DomainName = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\736\G2AWinLogon.dll
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_winlogon.dll
O23 - Service: Advisors Assistant Server Component Server (AAService) - Client Marketing Systems, Inc. - C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Symantec Embedded Database (ASANYs_sem5) - iAnywhere Solutions, Inc. - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - D:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\736\g2aservice.exe
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\403\g2ax_service.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ManageEngineOpManagerApache - Apache Software Foundation - C:\PROGRA~1\ADVENT~1\ME\OPMANA~1\apache\bin\Apache.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: ManageEngine NetFlow Analyzer 7 (netflowanalyzer) - Unknown owner - C:\ADVENT~1\ME\NetFlow\bin\wrapper.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: ManageEngine OpManager (OpManager) - Unknown owner - C:\PROGRA~1\ADVENT~1\ME\OPMANA~1\wrapper.exe
O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
O23 - Service: Symantec Endpoint Protection Manager (semsrv) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Tardis time service (Tardis) - Unknown owner - C:\WINDOWS\system32\tardisnt.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

--
End of file - 13061 bytes
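As an added example (not part of this thread or of HijackThis itself), a small Python triage helper for the "O23 - Service:" lines in the log above: it splits each line into display name, short name, vendor and path, and flags what a reviewer checks first, namely no vendor information, a binary that is missing, or a binary living under a temp directory (the poster reported unknown EXEs in C:\Windows\Temp). The three sample lines are copied from the posted log; the flag wording is my own.

```python
import re
from typing import List, NamedTuple, Optional
# Added example (not from the thread): triage for the HijackThis "O23 - Service:" lines above.
# short = the service name in parentheses (e.g. Tardis); None when the line has none.
Service = NamedTuple("Service", [("display", str), ("short", Optional[str]),
                                 ("owner", str), ("path", str), ("file_missing", bool)])
PREFIX, MISSING = "O23 - Service: ", " (file missing)"
SHORT_RE = re.compile(r"^(?P<display>.*) \((?P<short>[^()]+)\)$")

def parse_o23(line: str) -> Optional[Service]:
    # Returns None for anything that is not an O23 entry (O20 lines, headers, etc.).
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    # Fields are " - " separated; split from the right so a display name containing " - " survives.
    parts = line[len(PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(MISSING)
    path = path[:-len(MISSING)] if missing else path
    short = None
    if m := SHORT_RE.match(display):
        display, short = m.group("display"), m.group("short")
    return Service(display, short, owner, path, missing)

def flags_for(svc: Service) -> List[str]:
    # What a reviewer looks at first; an empty list means nothing stood out.
    reasons = []
    if svc.owner.lower() == "unknown owner":  # HJT found no vendor info in the binary
        reasons.append("unknown owner")
    if svc.file_missing:                       # service still registered, binary gone
        reasons.append("file missing")
    if "\\temp\\" in svc.path.lower():         # the poster's rogue EXEs lived in Temp
        reasons.append("runs from a temp directory")
    return reasons

def triage(lines: List[str]) -> List[tuple]:
    # (service name, reasons) for every O23 line that raised at least one flag, in log order.
    out = []
    for line in lines:
        svc = parse_o23(line)
        if svc and (reasons := flags_for(svc)):
            out.append((svc.short or svc.display, reasons))
    return out

# Three lines copied from the log posted above.
SAMPLE_LOG = [
    r"O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\736\g2aservice.exe",
    r"O23 - Service: Tardis time service (Tardis) - Unknown owner - C:\WINDOWS\system32\tardisnt.exe",
    r"O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)",
]
```

Running `triage(SAMPLE_LOG)` flags Tardis for its unknown owner and VPREMOTE on all three counts, while the vendor-signed GoToAssist entry raises nothing; an "unknown owner" flag is a prompt to check the binary's signature and hash, not a verdict.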

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 11 June 2012 - 12:48 AM

HJT is not server compatible, which is why it won't work. Besides, compared to OTL, HJT really is useless; it shows less and mostly unhelpful information.

ALL CLEAN
--------------
Your machine appears to be clean; please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:

    Rerun OTL and click the Cleanup button. Allow a reboot. This will reset all logs and tools we used.

    At this point it is good to flush system restore (turn it off and then on) and set a new restore point so that you will have a clean point to fall back on.

Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#15 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 28 June 2012 - 01:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise
