Issues detected by HitManPro - but not Malwarebytes / Endpoint


20 replies to this topic

#1 markitsmad

Posted 15 December 2013 - 06:17 AM

Hi:

 

I have recently had a problem with a virus causing shortcuts (.lnk) in a shared folder. As a consequence I have been checking everything in sight to see if there are any residual issues.

 

I have used Symantec Endpoint & Malwarebytes and these show up with nothing. I have also run HitmanPro. This shows up some problems but I am not sure how to interpret them given the other results.

 

I post details from HitmanPro for info.

 

Can anyone advise?

 

best wishes

 

Mark

 

Properties
Name msswchx.exe
Location C:\Documents and Settings\BGAdmin\Application Data\Microsoft\Microsoft SQL Server\90
Size 476 KB
Time 0.0 days ago (2013-12-14 14:46:15)
Entropy 4.0
Product stub6 Application
Description stub6 Application
Version 1.0.0.1
Copyright Copyright © 2013
SHA-256 17E27541BC9D984C28991EBF1766F41041228AE8C0183671D2D8DA3F2D8E1F6B
 
Detection Names
Bitdefender Trojan.GenericKD.1426213
Kaspersky Backdoor.Win32.Caphaw.zi
 
Scoring (130.0)
One or more antivirus vendors have indicated that the file is malicious.
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
Program is impersonating a common Windows system file. This is typical for malware.
Time indicates that the file appeared recently on this computer.
Authors name is missing in version info. This is not common to most programs.
 
Forensic Cluster
-2.6s C:\Documents and Settings\BGAdmin\Local Settings\Temp\1\
-2.3s C:\Documents and Settings\BGAdmin\Local Settings\Temp\1\jusched.log
-2.3s C:\Documents and Settings\BGAdmin\Local Settings\Temp\1\AdobeARM.log
-2.1s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\I09JAKO9\mys[2]
-2.1s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\NBR16TZQ\mysstatic[1]
-2.1s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\MTZ360BQ\mysdynamic[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\I09JAKO9\ico_server[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\MTZ360BQ\greenarrow_large[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\NBR16TZQ\info_large[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\IHXOKW6G\mys_large[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\I09JAKO9\info[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\IHXOKW6G\Help[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\MTZ360BQ\cys_small[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\NBR16TZQ\greenarrow_small[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\I09JAKO9\mys_small[1]
-2.0s C:\Documents and Settings\BGAdmin\Local Settings\Temporary Internet Files\Content.IE5\IHXOKW6G\MinusIcon[1]
* C:\Documents and Settings\BGAdmin\Application Data\Microsoft\Microsoft SQL Server\90\msswchx.exe
 
 
Properties
Name tmp0_494774208391.bk.old
Location C:\WINDOWS\system32
Size 268 KB
Time 3917.1 days ago (2003-03-25 12:00:00)
Entropy 6.4
Product
Publisher
Description
Version 2.0.1.149
Copyright
SHA-256 E4750EAB8A4AC9300C219C44AD1BA082841BB23935E0E1B3B0E1FB5F02286F8D
 
Detection Names
G Data Trojan.Refpron.E (Engine A)
 
Scoring (105.0)
One or more antivirus vendors have indicated that the file is malicious.
Authors name is missing in version info. This is not common to most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
Properties
Name ldmbd.dll
Location C:\WINDOWS\system32
Size 22.0 KB
Time 1877.9 days ago (2008-10-23 17:18:42)
Entropy 7.6
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Windows NT System DLL
Version 5.2.3790.3959
Copyright © Microsoft Corporation. All rights reserved.
Service RemoteRegistry
SHA-256 D1DFF7BB4870F2CEFB1CD19DB55A867EEDAFE15C0FAABC77D8F5057E706798D7
 
Scoring (23.0)
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Program contains PE structure anomalies. This is not typical for most programs.
 
Startup
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\
 
 
 
Properties
Name csrms.exe
Location c:\WINDOWS\system32
Size 602 KB
Time 2250.7 days ago (2007-10-16 21:29:58)
Entropy 8.0
Product MS Net
Publisher Dog Soft
Description Network Services 
Version 2.6.0.0
Copyright Copyright © 1991-2005 Cat Soft - All rights reserved
Service Netsrv
Parent Name C:\WINDOWS\system32\services.exe
SHA-256 11F63820608B455837DDE874D9E0CF9FE72D14D62257791FB26B402974C8171B
 
Detection Names
G Data Application.Tool.4664 (Engine-A)
 
Scoring (127.0)
One or more antivirus vendors have indicated that the file is malicious.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
This program is actively listening for inbound network connections.
The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Program contains PE structure anomalies. This is not typical for most programs.
 
Memory
PID 2088
 
Startup
HKLM\SYSTEM\CurrentControlSet\Services\Netsrv\
 
Network Ports
0.0.0.0:723
127.0.0.1:1221
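The "Entropy" line in the HitmanPro report (4.0 for msswchx.exe, 7.6 for ldmbd.dll, 8.0 for csrms.exe) is Shannon entropy in bits per byte. Near 8.0 the file body is statistically indistinguishable from random data, which is what a packed or encrypted executable looks like, so the scoring raises the "encrypted, compressed or obfuscated" flag for the last two files and not for the first, even though the first is the one with two AV detections. The following is an added example, my own code and not HitmanPro's or part of the original post: it computes the same measure over constructed sample data and prints the SHA-256 in the upper-case form the report uses, so a file pulled from the server can be matched against the hashes above. The 7.0 cut-off is an assumption; HitmanPro does not document the value at which it raises that flag.

```python
"""Shannon entropy on the 0-8 bits-per-byte scale HitmanPro reports as "Entropy".

Added example for this thread; it is not HitmanPro code and not part of the
original post. The 7.0 cut-off is this example's own assumption: HitmanPro does
not document the value at which it raises its "encrypted, compressed or
obfuscated" flag.
"""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption, see module docstring


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Entropy, SHA-256 (upper-case, as HitmanPro prints it) and a coarse packed/plain verdict."""
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 1),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "packed": ent >= PACKED_THRESHOLD,
    }


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for a packed PE section."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed inputs that mimic the three entropies in the report: plain code
# with readable strings (msswchx.exe, 4.0), a padded region, and a fully packed
# image (csrms.exe, 8.0). None of these is the real file.
SAMPLES = {
    "plain-strings.bin": b"stub6 Application Copyright (c) 2013 " * 200,
    "zero-padding.bin": b"\x00" * 4096,
    "packed-image.bin": pseudo_random(64 * 1024),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        t = triage(blob)
        print("%-20s entropy=%.1f packed=%-5s sha256=%s"
              % (name, t["entropy"], t["packed"], t["sha256"]))
```

Entropy is a weak signal on its own: legitimate installers and protected commercial software are packed too, and a file with ordinary entropy can still be malicious, as msswchx.exe at 4.0 with two detections shows. Its value is in combination with the other items HitmanPro lists, such as the service registration, the listening socket and the claimed-but-unsigned Microsoft version info.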





#2 nasdaq

Posted 18 December 2013 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===


Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 markitsmad (Topic Starter)

Posted 18 December 2013 - 12:52 PM

Nasdaq:

 

Thank you very much for your response.

 

Just wanted to check before proceeding with your advice - the machine is a Windows 2003 server - does this affect any of your advice?

 

best wishes

 

Mark



#4 nasdaq

Posted 19 December 2013 - 08:26 AM

Not for the proposed tools.

Will see what is left after the scans.

#5 markitsmad (Topic Starter)

Posted 19 December 2013 - 08:34 AM

Nasdaq:

 

Thanks for the response.

 

With AdwCleaner I did not remove anything - only some registry entries appeared - which I cautiously left in place.

 

With JRT it just did its stuff!

 

The DDS tool balked at the OS.

 

Logs attached.

 

best wishes

 

Mark




#6 nasdaq

Posted 19 December 2013 - 11:09 AM

Try this one instead of the DDS tool.

Download correct tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

#7 markitsmad (Topic Starter)

Posted 19 December 2013 - 12:39 PM

Nasdaq:

 

Thanks for the email.

 

I have run Farbar and I paste / attach results as requested.

 

best wishes

 

Mark

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-12-2013 05
Ran by BGADMIN (administrator) on BGSRV01 on 19-12-2013 17:26:08
Running from \\tsclient\W\1 Mark Sreeves
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmacthlp.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(BigHand Ltd.) C:\Program Files\BigHand\BigHand Workflow Server\BHServer.exe
(BigHand Ltd) C:\Program Files\BigHand\BigHand Services\BhWcfHost.exe
(Microsoft Corporation) C:\WINDOWS\system32\inetsrv\inetinfo.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL$BIGHAND\Binn\sqlservr.exe
(Microsoft Corporation) D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Dog Soft) C:\WINDOWS\system32\csrms.exe
(Microsoft Corporation) C:\WINDOWS\system32\ntfrs.exe
(PJLM Software Inc.) C:\Program Files\Print Audit Inc\Facilities Manager\pafmice.exe
(PJLM Software Inc.) C:\Program Files\Print Audit Inc\Facilities Manager\pafmupd.exe
(APC) C:\Program Files\PowerChute\pcns.exe
() C:\PSMeterBilling\XYNTService.exe
(Microsoft Corporation) C:\WINDOWS\system32\snmp.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL$BIGHAND\Binn\sqlagent.EXE
(PrintMIB, LLC) C:\PSMeterBilling\QMIB.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(RealVNC Ltd.) C:\Program Files\RealVNC\VNC4\winvnc4.exe
(Microsoft Corporation) C:\WINDOWS\system32\dfssvc.exe
(Microsoft Corporation) C:\Program Files\Exchsrvr\bin\exmgmt.exe
(Veeam Software) C:\WINDOWS\Veeam\Backup\VeeamDeploymentSvc.exe
(Veeam Software) C:\Program Files\Veeam\Backup Transport\VeeamTransportSvc.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
(BigHand Ltd) C:\Program Files\BigHand\BigHand External Workflow Server\ExternalWorkflowServer.exe
(BigHand Ltd) C:\Program Files\BigHand\Gateway\BhGateway.exe
(Microsoft Corporation) C:\WINDOWS\system32\logon.scr
(Microsoft Corporation) C:\WINDOWS\system32\userinit.exe
(Microsoft Corporation) C:\WINDOWS\system32\rdpclip.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Farbar) \\tsclient\W\1 Mark Sreeves\FRST.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ccApp] - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115560 2010-05-06] (Symantec Corporation)
HKLM\...\Run: [VMware Tools] - C:\Program Files\VMware\VMware Tools\VMwareTray.exe [186928 2010-09-14] (VMware, Inc.)
HKLM\...\Run: [VMware User Process] - C:\Program Files\VMware\VMware Tools\VMwareUser.exe [1038896 2010-09-14] (VMware, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Winlogon: [UIHost] %SystemRoot%\system32\logonui.exe [x ] ()
Winlogon\Notify\TPSvc: C:\Windows\system32\TPSvc.dll (ThinPrint AG)
Winlogon\Notify\VMUpgradeAtShutdown: C:\Windows\system32\VMUpgradeAtShutdownWXP.dll (VMware, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\Default User\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [ 2003-03-25] (Microsoft Corporation)
HKU\first\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [ 2003-03-25] (Microsoft Corporation)
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
BootExecute: dfboottime \??\C:\WINDOWS\System32\dfboottime.cfgautocheck autochk *

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x9F40ACCBB2D5CB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127732604218
Handler: hpapp\Apps - No CLSID Value -
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9 06 C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll [331776] (VMware, Inc.)
Winsock: Catalog9 07 C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll [331776] (VMware, Inc.)
Tcpip\..\Interfaces\{CA203F41-DAB0-49AF-9C97-10D66749D9A6}: [NameServer]192.168.0.12

========================== Services (Whitelisted) =================

R2 BigHand External Workflow Server; C:\Program Files\BigHand\BigHand External Workflow Server\ExternalWorkflowServer.exe [55632 2011-02-17] (BigHand Ltd)
R2 BigHand Gateway; C:\Program Files\BigHand\Gateway\BhGateway.exe [66896 2011-02-17] (BigHand Ltd)
R2 BigHand Server 4.0; C:\Program Files\BigHand\BigHand Workflow Server\BHServer.exe [1589072 2011-02-17] (BigHand Ltd.)
R2 BigHand Services Host; C:\Program Files\BigHand\BigHand Services\BhWcfHost.exe [65872 2011-02-17] (BigHand Ltd)
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-05-06] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-05-06] (Symantec Corporation)
R2 Dfs; C:\Windows\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S4 IsmServ; C:\Windows\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)
S4 kdc; C:\Windows\System32\lsass.exe [13312 2003-03-25] (Microsoft Corporation)
S4 LicenseService; C:\Windows\System32\llssrv.exe [94720 2007-02-17] (Microsoft Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2010-02-17] (Symantec Corporation)
R2 MSExchangeMGMT; C:\Program Files\Exchsrvr\bin\exmgmt.exe [3195904 2004-04-02] (Microsoft Corporation)
R2 MSSQL$BIGHAND; C:\Program Files\Microsoft SQL Server\MSSQL$BIGHAND\Binn\sqlservr.exe [9158656 2008-12-18] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
R2 Netsrv; c:\WINDOWS\system32\csrms.exe [616448 2007-10-16] (Dog Soft)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)
R2 PAFMICE; C:\Program Files\Print Audit Inc\Facilities Manager\pafmice.exe [1461656 2012-03-12] (PJLM Software Inc.)
R2 PAFMICEUpdater; C:\Program Files\Print Audit Inc\Facilities Manager\pafmupd.exe [612760 2012-03-12] (PJLM Software Inc.)
R2 PowerChuteNetShut; C:\Program Files\PowerChute\pcns.exe [24576 2007-03-19] (APC)
R2 QMMgr; c:\PSMeterBilling\xyntservice.exe [77824 2008-03-03] ()
R2 RemoteRegistry; C:\Windows\system32\ldmbd.dll [22528 2003-03-25] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [12288 2003-03-25] (Microsoft Corporation)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1885488 2010-08-05] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357704 2010-07-01] (Symantec Corporation)
R2 SQLAgent$BIGHAND; C:\Program Files\Microsoft SQL Server\MSSQL$BIGHAND\Binn\sqlagent.EXE [323584 2005-05-03] (Microsoft Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1832072 2010-07-01] (Symantec Corporation)
S4 sysdown; C:\Windows\system32\sysdown.exe [31744 2005-03-04] (Compaq Computer Corporation)
S4 TrkSvr; C:\Windows\system32\trksvr.dll [50688 2003-03-25] (Microsoft Corporation)
S4 Tssdis; C:\Windows\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)
S3 uploadmgr; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [39936 2007-02-17] (Microsoft Corporation)
R2 VeeamDeploymentService; C:\WINDOWS\Veeam\Backup\VeeamDeploymentSvc.exe [593920 2011-11-27] (Veeam Software)
R2 VeeamTransportSvc; C:\Program Files\Veeam\Backup Transport\VeeamTransportSvc.exe [753664 2013-09-26] (Veeam Software)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [609904 2011-06-01] (VMware, Inc.)
R2 VMware Physical Disk Helper Service; C:\Program Files\VMware\VMware Tools\vmacthlp.exe [367152 2010-09-14] (VMware, Inc.)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [455632 2005-03-11] (RealVNC Ltd.)
R2 Eventlog;  [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S3 WinHttpAutoProxySvc; winhttp.dll [x]

==================== Drivers (Whitelisted) ====================

S3 ati2mpad; C:\Windows\System32\DRIVERS\ati2mpad.sys [343424 2003-03-24] (ATI Technologies Inc.)
S4 ClusDisk; C:\Windows\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
R0 cpqarry2; C:\Windows\System32\drivers\cpqarry2.sys [13680 2001-11-05] (Compaq Computer Corporation)
S3 cpqasm2; C:\Windows\System32\DRIVERS\cpqasm2.sys [261632 2005-03-04] (Compaq Computer Corporation)
S3 CpqCiDrv; C:\Windows\System32\DRIVERS\CpqCiDrv.sys [20096 2004-10-29] (Hewlett-Packard Company)
S3 CPQCISSE; C:\Windows\System32\DRIVERS\CPQCISSE.sys [56576 2005-03-11] (Hewlett-Packard Company)
R0 cpqcissm; C:\Windows\System32\drivers\cpqcissm.sys [16512 2005-02-11] (Hewlett-Packard Company)
R0 DfsDriver; C:\Windows\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-20] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-20] (Symantec Corporation)
R2 hcmon; C:\WINDOWS\system32\drivers\hcmon.sys [32880 2011-06-01] (VMware, Inc.)
R0 HpCISSs2; C:\Windows\System32\drivers\HpCISSs2.sys [24576 2005-03-24] (Hewlett-Packard Company)
R2 LGTO_Sync; C:\WINDOWS\system32\Drivers\lgtosync.sys [36400 2010-09-14] (VMware, Inc.)
R0 LsiCsb6; C:\Windows\System32\drivers\LsiCsb6.sys [164088 2003-07-31] (LSI Logic Corporation.)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-12-14] (Malwarebytes Corporation)
S4 MegaIDE; C:\Windows\system32\drivers\MegaIDE.sys [39129 2003-06-13] (LSI Logic Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20131219.004\NAVENG.SYS [93272 2013-08-28] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20131219.004\NAVEX15.SYS [1612376 2013-08-28] (Symantec Corporation)
S3 q57w2k; C:\Windows\System32\DRIVERS\q57xp32.sys [128256 2005-01-27] (Hewlett-Packard Company)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2009-12-18] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [283184 2010-03-08] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320944 2010-03-08] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2010-03-08] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [125488 2010-11-21] (Symantec Corporation)
R0 symmpi; C:\Windows\System32\DRIVERS\symmpi.sys [47616 2005-03-14] (LSI Logic)
S3 sysmgmt; C:\Windows\System32\DRIVERS\sysmgmt.sys [5120 2005-03-04] (Compaq Computer Corporation)
S0 vmscsi; C:\Windows\System32\DRIVERS\vmscsi.sys [11026 2010-11-19] (VMware, Inc.)
R3 vmxnet; C:\Windows\System32\DRIVERS\vmxnet.sys [30000 2010-09-14] (VMware, Inc.)
R3 vmx_svga; C:\Windows\System32\DRIVERS\vmx_svga.sys [28080 2010-09-14] (VMware, Inc.)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 cpqfcalm; No ImagePath
S3 CPQTeam; system32\DRIVERS\cpqteam.sys [x]
S3 CPQTeamMP; system32\DRIVERS\cpqteam.sys [x]
S4 dellcerc; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S4 lp6nds35; No ImagePath
S3 MEMSWEEP2; \??\C:\WINDOWS\system32\6.tmp [x]
S4 nfrd960; No ImagePath
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
S2 WGX; System32\Drivers\WGX.SYS [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVC: RemoteRegistry -> C:\Windows\system32\ldmbd.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-12-19 17:26 - 2013-12-19 17:26 - 00000000 ____D C:\FRST
2013-12-19 17:25 - 2013-12-19 17:26 - 00000000 ____D C:\Documents and Settings\BGAdmin\Local Settings\Temp\1
2013-12-18 18:40 - 2013-12-18 18:40 - 00000910 _____ C:\Documents and Settings\BGAdmin\Desktop\JRT.txt
2013-12-18 18:13 - 2013-12-18 18:13 - 00000000 ____D C:\WINDOWS\ERUNT
2013-12-18 18:03 - 2013-12-18 18:04 - 00000000 ____D C:\AdwCleaner
2013-12-17 17:06 - 2013-12-17 17:06 - 00000000 ___HD C:\WINDOWS\PIF
2013-12-15 12:50 - 2013-12-15 12:50 - 00004258 _____ C:\WINDOWS\KB2904266.log
2013-12-15 12:50 - 2013-12-15 12:50 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2904266$
2013-12-14 14:47 - 2013-12-14 14:47 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-12-13 10:42 - 2013-12-13 10:42 - 00011560 _____ C:\cc_20131213_104228.reg
2013-12-12 16:04 - 2013-12-12 16:04 - 00002990 _____ C:\Documents and Settings\BGAdmin\advanced_ip_scanner_MAC.bin
2013-12-12 15:04 - 2013-12-12 15:04 - 00000000 ____D C:\Documents and Settings\BGAdmin\Local Settings\Temp\{32C55A01-5685-4759-8ADC-7AC5E2C1CFAC}
2013-12-12 13:44 - 2013-12-12 13:44 - 00000068 _____ C:\Documents and Settings\BGAdmin\Application Data\mbam.context.scan
2013-12-12 12:20 - 2013-12-12 12:20 - 00010061 _____ C:\WINDOWS\KB2892076.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00009103 _____ C:\WINDOWS\KB2893294.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00008905 _____ C:\WINDOWS\KB2893984.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00008393 _____ C:\WINDOWS\KB2898715.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2898715$
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893984$
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893294$
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2892076$
2013-12-12 12:19 - 2013-12-12 12:20 - 00010765 _____ C:\WINDOWS\KB2898785-IE8.log
2013-12-10 23:52 - 2013-11-07 05:37 - 00648192 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\rpcrt4.dll
2013-12-10 23:52 - 2013-11-07 05:37 - 00648192 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2013-12-10 23:52 - 2013-10-30 02:37 - 01879552 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\win32k.sys
2013-12-10 23:52 - 2013-10-30 02:37 - 01879552 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2013-12-10 23:52 - 2013-10-29 07:23 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 02006016 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 01216000 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 01216000 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 00920064 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 00105984 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\url.dll
2013-12-10 23:52 - 2013-10-29 07:23 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeedsbs.dll
2013-12-10 23:52 - 2013-10-23 23:41 - 00151552 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\scrrun.dll
2013-12-10 23:52 - 2013-10-23 23:41 - 00151552 _____ (Microsoft Corporation) C:\WINDOWS\system32\scrrun.dll
2013-11-27 09:07 - 2013-11-27 09:07 - 00000000 ____D C:\Program Files\JAM Software
2013-11-27 09:07 - 2013-11-27 09:07 - 00000000 ____D C:\Documents and Settings\Wavexadmin\Application Data\JAM Software

==================== One Month Modified Files and Folders =======

2013-12-19 17:26 - 2013-12-19 17:26 - 00000000 ____D C:\FRST
2013-12-19 17:26 - 2013-12-19 17:25 - 00000000 ____D C:\Documents and Settings\BGAdmin\Local Settings\Temp\1
2013-12-19 17:24 - 2005-09-27 12:13 - 00000136 _____ C:\WINDOWS\system32\config\netlogon.ftl
2013-12-19 17:22 - 2009-08-10 19:30 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{F3A33B15-66A4-43CA-A020-AFD6680427F1}.job
2013-12-19 16:55 - 2005-09-26 11:02 - 01302440 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-19 14:47 - 2005-09-26 10:07 - 00032564 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2013-12-19 12:00 - 2012-03-19 16:44 - 00000486 _____ C:\WINDOWS\Tasks\ShadowCopyVolume{45d5ed25-7083-11e1-bba9-000c29214839}.job
2013-12-19 11:23 - 2010-11-25 08:44 - 00000178 ___SH C:\Documents and Settings\BGAdmin\ntuser.ini
2013-12-19 11:23 - 2010-11-25 08:44 - 00000000 ____D C:\Documents and Settings\BGAdmin
2013-12-19 05:00 - 2005-09-26 10:45 - 00000000 ____D C:\WINDOWS\security
2013-12-19 00:05 - 2012-08-03 11:18 - 00000000 ____D C:\PSMeterBilling
2013-12-18 18:40 - 2013-12-18 18:40 - 00000910 _____ C:\Documents and Settings\BGAdmin\Desktop\JRT.txt
2013-12-18 18:13 - 2013-12-18 18:13 - 00000000 ____D C:\WINDOWS\ERUNT
2013-12-18 18:04 - 2013-12-18 18:03 - 00000000 ____D C:\AdwCleaner
2013-12-18 18:03 - 2011-05-23 16:29 - 00000000 ____D C:\Documents and Settings\BGAdmin\Application Data\Sun
2013-12-17 17:06 - 2013-12-17 17:06 - 00000000 ___HD C:\WINDOWS\PIF
2013-12-17 07:51 - 2005-09-26 10:45 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2013-12-15 13:04 - 2005-09-26 10:52 - 00709614 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2013-12-15 13:00 - 2007-10-16 21:30 - 00000610 _____ C:\WINDOWS\system32\mscsrms32.sys
2013-12-15 13:00 - 2007-10-16 21:29 - 00002216 _____ C:\WINDOWS\system32\mscsrms32.dll
2013-12-15 13:00 - 2005-09-26 10:45 - 00000000 ____D C:\WINDOWS\system32\ias
2013-12-15 13:00 - 2005-09-26 10:07 - 00000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2013-12-15 13:00 - 2005-09-26 09:58 - 00000000 ____D C:\WINDOWS\Registration
2013-12-15 13:00 - 1980-01-01 00:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-12-15 12:59 - 2010-12-01 11:46 - 16777216 _____ C:\WINDOWS\system32\config\New Key #1.evt
2013-12-15 12:59 - 2005-09-27 12:37 - 00196608 _____ C:\WINDOWS\system32\config\NtFrs.Evt
2013-12-15 12:50 - 2013-12-15 12:50 - 00004258 _____ C:\WINDOWS\KB2904266.log
2013-12-15 12:50 - 2013-12-15 12:50 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2904266$
2013-12-15 12:50 - 2007-02-23 07:49 - 00891908 ____C C:\WINDOWS\system32\TZLog.log
2013-12-15 12:50 - 2007-02-16 23:04 - 00510646 _____ C:\WINDOWS\setupapi.log
2013-12-15 12:50 - 2005-09-26 10:52 - 04821763 _____ C:\WINDOWS\iis6.log
2013-12-15 12:50 - 2005-09-26 10:52 - 03455950 _____ C:\WINDOWS\FaxSetup.log
2013-12-15 12:50 - 2005-09-26 10:52 - 02362318 _____ C:\WINDOWS\ocgen.log
2013-12-15 12:50 - 2005-09-26 10:52 - 02277300 _____ C:\WINDOWS\uddisetup.log
2013-12-15 12:50 - 2005-09-26 10:52 - 01641008 _____ C:\WINDOWS\msmqinst.log
2013-12-15 12:50 - 2005-09-26 10:52 - 01471106 _____ C:\WINDOWS\tsoc.log
2013-12-15 12:50 - 2005-09-26 10:52 - 01036594 _____ C:\WINDOWS\comsetup.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00713215 _____ C:\WINDOWS\ntdtcsetup.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00561581 _____ C:\WINDOWS\netfxocm.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00486206 _____ C:\WINDOWS\aspnetocm.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00322797 _____ C:\WINDOWS\LicenOc.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00167084 _____ C:\WINDOWS\certocm.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00157172 _____ C:\WINDOWS\pop3oc.log
2013-12-15 12:50 - 2005-09-26 10:52 - 00003470 _____ C:\WINDOWS\imsins.log
2013-12-15 12:49 - 2013-08-23 17:55 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-12-14 14:47 - 2013-12-14 14:47 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-12-14 09:19 - 2005-09-26 10:51 - 00093480 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-12-14 09:17 - 2010-12-22 15:06 - 00000178 ___SH C:\Documents and Settings\Wavexadmin\ntuser.ini
2013-12-14 09:17 - 2010-12-22 15:06 - 00000000 ____D C:\Documents and Settings\Wavexadmin
2013-12-13 10:42 - 2013-12-13 10:42 - 00011560 _____ C:\cc_20131213_104228.reg
2013-12-12 16:04 - 2013-12-12 16:04 - 00002990 _____ C:\Documents and Settings\BGAdmin\advanced_ip_scanner_MAC.bin
2013-12-12 15:05 - 2011-09-28 09:21 - 00000000 ____D C:\Program Files\Sophos
2013-12-12 15:04 - 2013-12-12 15:04 - 00000000 ____D C:\Documents and Settings\BGAdmin\Local Settings\Temp\{32C55A01-5685-4759-8ADC-7AC5E2C1CFAC}
2013-12-12 15:04 - 2008-01-16 22:15 - 00352579 ____C C:\WINDOWS\bkupinst.log
2013-12-12 13:44 - 2013-12-12 13:44 - 00000068 _____ C:\Documents and Settings\BGAdmin\Application Data\mbam.context.scan
2013-12-12 12:20 - 2013-12-12 12:20 - 00010061 _____ C:\WINDOWS\KB2892076.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00009103 _____ C:\WINDOWS\KB2893294.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00008905 _____ C:\WINDOWS\KB2893984.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00008393 _____ C:\WINDOWS\KB2898715.log
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2898715$
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893984$
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893294$
2013-12-12 12:20 - 2013-12-12 12:20 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2892076$
2013-12-12 12:20 - 2013-12-12 12:19 - 00010765 _____ C:\WINDOWS\KB2898785-IE8.log
2013-12-12 12:20 - 2005-09-26 11:25 - 00386879 ____C C:\WINDOWS\updspapi.log
2013-12-12 12:20 - 2005-09-26 10:52 - 00003470 _____ C:\WINDOWS\imsins.BAK
2013-12-12 12:19 - 2009-08-20 10:49 - 00000000 ____D C:\WINDOWS\ie8updates
2013-12-07 14:14 - 2009-08-07 15:29 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB935839$
2013-12-07 14:14 - 2008-11-21 11:06 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-07 14:14 - 2005-09-26 12:22 - 00100852 ____C C:\WINDOWS\PFRO.log
2013-12-06 10:31 - 2011-09-09 15:26 - 00000000 ____D C:\Program Files\CCleaner
2013-12-01 14:42 - 2005-09-26 11:28 - 88123800 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-11-27 09:07 - 2013-11-27 09:07 - 00000000 ____D C:\Program Files\JAM Software
2013-11-27 09:07 - 2013-11-27 09:07 - 00000000 ____D C:\Documents and Settings\Wavexadmin\Application Data\JAM Software

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2009-08-07 15:23] - [2007-02-17 01:58] - 1053184 ____A (Microsoft Corporation) A26C39540F8BE3729846E360E2C57344

C:\Windows\System32\winlogon.exe
[2009-08-07 15:23] - [2007-02-17 03:09] - 0528384 ____A (Microsoft Corporation) B4AA8AE0F18E5DFCF99A671A181D3EDC

C:\Windows\System32\svchost.exe
[2009-08-07 15:23] - [2007-02-17 03:04] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\Windows\System32\services.exe
[1980-01-01 00:00] - [2009-02-03 11:07] - 0113152 ____A (Microsoft Corporation) CF500580CDD83B145646A4DCFCE1CF3C

C:\Windows\System32\User32.dll
[2007-04-04 11:33] - [2007-03-02 06:38] - 0583680 ____A (Microsoft Corporation) 1959150096B010BA953A78B0D6B0B4E4

C:\Windows\System32\userinit.exe
[1980-01-01 00:00] - [2007-02-17 03:07] - 0026112 ____A (Microsoft Corporation) B5FEB3B971A8B8C81CE9DE65031A87E5

C:\Windows\System32\Drivers\volsnap.sys
[2003-03-24 23:05] - [2012-08-21 12:56] - 0153600 ____A (Microsoft Corporation) 701D86EC9D221F68C8528CC47D3958E6

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 December 2013 - 02:27 PM


No malware was found on your log.

If you know what this service does leave it alone. I can remove it with a script.
S4 kdc; C:\Windows\System32\lsass.exe

The following services are showing No ImagePath.
The files may be missing because the applications were removed or the Tool is not able to find the path on the server.
These also can be removed with a script. Let me know which ones.

S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 cpqfcalm; No ImagePath
S3 CPQTeam; system32\DRIVERS\cpqteam.sys [x]
S3 CPQTeamMP; system32\DRIVERS\cpqteam.sys [x]
S4 dellcerc; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath

This one I know
S3 MEMSWEEP2; \??\C:\WINDOWS\system32\6.tmp [x]

===

Can you check on this.

[2003-03-24 23:05] - [2012-08-21 12:56] - 0153600 ____A (Microsoft Corporation) 701D86EC9D221F68C8528CC47D3958E6
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.


===
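The list above is in FRST's service and driver line format. As an added example (not code from the thread, from FRST or from its author), here is a small Python triage that parses such lines and flags the two conditions nasdaq points out, `No ImagePath` and a path FRST marked `[x]` (file not found), plus a heuristic flag for an image path that ends in `.tmp` or sits in a temporary or per-user folder. The sample lines are copied from the post, with one constructed `Spooler` line (size and date made up) for contrast; reading the leading letter as run state and the digit as start type is my understanding of FRST's convention.

```python
import re

# Constructed sample: service/driver lines in FRST's format. All but the last line
# are copied from the post above; the Spooler line is made up for contrast.
SAMPLE = r"""
S4 adpu320; No ImagePath
S3 CPQTeam; system32\DRIVERS\cpqteam.sys [x]
U3 LicenseInfo; No ImagePath
S3 MEMSWEEP2; \??\C:\WINDOWS\system32\6.tmp [x]
S4 kdc; C:\Windows\System32\lsass.exe
R2 Spooler; C:\WINDOWS\system32\spoolsv.exe [57856 2008-04-14] (Microsoft Corporation)
"""

# "<state><start> <name>; <image path and details>"
LINE_RE = re.compile(r'^([RSU])([0-4]) ([^;]+); (.*)$')
RUN_STATE = {'R': 'running', 'S': 'stopped', 'U': 'unknown'}          # my reading of FRST's letters
START_TYPE = {'0': 'boot', '1': 'system', '2': 'auto', '3': 'demand', '4': 'disabled'}
# Heuristic only: services rarely run from temp files or user-writable profile folders.
UNUSUAL_PATH = re.compile(r'\.tmp$|\\temp\\|\\local settings\\|\\application data\\', re.I)


def parse_line(line):
    """Split one FRST service line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, rest = m.groups()
    rest = rest.strip()
    entry = {'name': name, 'state': RUN_STATE[state], 'start': START_TYPE[start],
             'path': None, 'no_imagepath': False, 'file_missing': False}
    if rest == 'No ImagePath':
        entry['no_imagepath'] = True          # registry entry has no ImagePath value at all
    else:
        entry['file_missing'] = rest.endswith('[x]')   # FRST could not find the file
        entry['path'] = rest.split(' [', 1)[0]         # drop "[size date] (company)" or "[x]"
    return entry


def flags_for(entry):
    """Return the review flags that apply to one parsed entry (empty list means nothing notable)."""
    flags = []
    if entry['no_imagepath']:
        flags.append('no_imagepath')
    if entry['file_missing']:
        flags.append('file_missing')
    if entry['path'] and UNUSUAL_PATH.search(entry['path']):
        flags.append('unusual_location')
    return flags


def triage(text):
    """Map service name -> tuple of flags for every FRST service line in text."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            report[entry['name']] = tuple(flags_for(entry))
    return report


if __name__ == '__main__':
    for name, flags in triage(SAMPLE).items():
        print(f'{name:12} {", ".join(flags) or "-"}')
```

An entry with no ImagePath cannot start anything, which is why nasdaq treats those as leftovers rather than threats; the entries worth a second look are the ones whose image path points somewhere unusual, and the `[x]` marker tells you whether that image is even on disk.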

#9 markitsmad

markitsmad
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:London

Posted 20 December 2013 - 12:39 PM

Nasdaq:

 

Thanks - I got a bit intimidated by the list and I may have mis-interpreted what you wanted me to do!

 

lsass.exe - the machine is a server and so this would appear legitimate as providing authentication used by the Security Accounts service

 

S4 adpu320; No ImagePath This is now a virtual machine; it was previously on a Compaq machine and I think these relate to that previous environment. This appears to relate to an Adaptec SCSI driver
S4 afcnt; No ImagePath As above: but not sure what this is - appears to relate to Agilent Technologies - I am not aware of anything using this on the machine but it appears to be a driver file
S4 cpqfcalm; No ImagePath  As above: There are still some remnants of this & associated software on the machine.
S3 CPQTeam; system32\DRIVERS\cpqteam.sys [x] As above 
S3 CPQTeamMP; system32\DRIVERS\cpqteam.sys [x] As above
S4 dellcerc; No ImagePath As above but it appears to be a Dell driver - less likely though could have been transferred from an older Dell server
S4 hpt3xx; No ImagePath As above but it appears to be a HP driver
S4 iirsp; No ImagePath  As above but it appears to be an Intel/ICP Raid Storport Driver
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]  As above but it appears to be a Microsoft Windows IP in IP tunnel driver
S4 ipsraidn; No ImagePath As above but it appears to be an IBM ServeRAID Controller driver
U3 LicenseInfo; No ImagePath As above but no idea - it sounds a bit vague!
S4 lp6nds35; No ImagePath  As above appears to be Emulex PCI Fibre Channel SCSI Miniport Driver
S4 nfrd960; No ImagePath  As above appears to be IBM ServeRAID Controller Driver
S4 ql2100; No ImagePath  As above appears to be Miniport Driver for QLA2100 Adapter
S4 ql2200; No ImagePath As above appears to be Miniport Driver for QLA2200 Adapter
S4 ql2300; No ImagePath As above appears to be Driver for HP Fibre Channel HBA

 

The folder Codeintegrity and file bootcat.cache I am unable to locate on the machine

 

best wishes

 

Mark

 



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 December 2013 - 02:10 PM

I would rather not remove any if the computer is running OK.

#11 markitsmad

markitsmad
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:London

Posted 20 December 2013 - 02:44 PM

Nasdaq:

 

Thanks - understood.

 

The only issue I have found is that cleaner is unable to launch ccleaner which I associated with these issues - but it may be a coincidence.

 

best wishes

 

Mark



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 December 2013 - 07:36 AM


Do you have the latest version?
http://www.oldapps.com/ccleaner.php?system=Windows_Server_2003

#13 markitsmad

markitsmad
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:London

Posted 22 December 2013 - 07:52 AM

Nasdaq:

 

Yes - tried and it still did not run. Any other suggestions? Understood if this goes beyond what support you are able to provide!

 

I re-ran Malwarebytes and having previously found nothing (from my original post) it now found the items that HitManpro had found ... 

 

I must apologise if I have jumped ahead.

 

I then re-ran Hitman pro and it appeared to find new things! I am a bit confused.

 

I attach Malwarebytes and Hitman logs.

 

best wishes

 

Mark

 

 




#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 December 2013 - 09:33 AM

Let's check this file.

>>> Run Jotti's malware scan: Please copy this line (in bold):
C:\WINDOWS\system32\ldmbd.dll
  • Go to Jotti's malware scan
  • and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste the Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com
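Before uploading a file to a multi-engine scanner it is often enough to look it up by hash (VirusTotal accepts a hash search), and the Bamital check near the end of the FRST log above lists an MD5 per critical system file for the same kind of comparison. As an added example (not from the thread, from FRST or from its author), this Python script hashes a file in chunks, parses a block in that check's format and verifies each listed file against a directory root, so the check can be repeated against a mounted disk image or backup. The block and the hashes in it are constructed for the demo and are not the values from the log; `run_demo` builds a temporary tree in which one file matches, one mismatches and one is absent.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample in the layout of FRST's "Bamital & volsnap Check" block: a path
# line, then a detail line ending in an MD5. The hashes are made up for this demo
# (the first is MD5("abc")); they are not the values from the log above.
SAMPLE_BLOCK = r"""
C:\Windows\explorer.exe
[2009-08-07 15:23] - [2007-02-17 01:58] - 0000003 ____A (Microsoft Corporation) 900150983CD24FB0D6963F7D28E17F72

C:\Windows\System32\userinit.exe
[1980-01-01 00:00] - [2007-02-17 03:07] - 0000003 ____A (Microsoft Corporation) 00000000000000000000000000000000

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
"""

# "[date] - [date] - size attrs (company) MD5"; the company part is optional.
DETAIL_RE = re.compile(
    r'^\[[^\]]*\] - \[[^\]]*\] - \d+ \S+ (?:\([^)]*\) )?([0-9A-Fa-f]{32})$')


def file_hashes(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    digests = {name: hashlib.new(name) for name in ('md5', 'sha1', 'sha256')}
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def parse_check_block(text):
    """Map each listed path to its expected MD5 (lowercase), or None where FRST reported it missing."""
    expected = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if ' IS MISSING' in line:
            expected[line.split(' IS MISSING', 1)[0]] = None
            i += 1
            continue
        m = DETAIL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if m:
            expected[line] = m.group(1).lower()
            i += 2
        else:
            i += 1  # not a path/detail pair; skip it
    return expected


def local_path(win_path, root):
    """Rebase a 'C:\\...' path under root so the check can run against an image or a test tree."""
    parts = win_path.split('\\')
    if re.match(r'^[A-Za-z]:$', parts[0]):
        parts = parts[1:]
    return os.path.join(root, *parts)


def verify_check_block(text, root):
    """Return path -> 'match' | 'mismatch' | 'missing' | 'present_unlisted' for every entry."""
    results = {}
    for win_path, md5 in parse_check_block(text).items():
        target = local_path(win_path, root)
        if not os.path.isfile(target):
            results[win_path] = 'missing'
        elif md5 is None:
            results[win_path] = 'present_unlisted'   # FRST said missing, but it exists here
        elif file_hashes(target)['md5'] == md5:
            results[win_path] = 'match'
        else:
            results[win_path] = 'mismatch'
    return results


def run_demo():
    """Build a throwaway tree: explorer.exe matches, userinit.exe mismatches, Bootcat.cache is absent."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ('Windows/explorer.exe', 'Windows/System32/userinit.exe'):
            full = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'wb') as fh:
                fh.write(b'abc')   # constructed content, MD5 900150983cd24fb0d6963f7d28e17f72
        return verify_check_block(SAMPLE_BLOCK, root)


if __name__ == '__main__':
    for path, status in run_demo().items():
        print(f'{status:16} {path}')
```

A hash match against a known-good reference settles the question for that file without sending it anywhere; a mismatch or a missing file is what you would then upload or investigate, which is the situation the `Bootcat.cache IS MISSING` line in the log flags.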

#15 markitsmad

markitsmad
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:London

Posted 22 December 2013 - 11:15 AM

Nasdaq:

 

Thanks very much.

 

http://virusscan.jotti.org/en-gb/scanresult/3fb9929e2d21304647b6c39b59a59867afa4acaa

 

best wishes

 

Mark





