Gamut BOT infection (CBL blacklisted)


5 replies to this topic

#1 BSmith1605
  • Members
  • 3 posts

Posted 21 March 2014 - 12:24 PM

Our mail server has been blacklisted for a Gamut BOT infection (a simple spam bot that spams on the SMTP port). The server is running Windows Server 2003 x64, so I can't run DDS. I ran a quick scan with Spybot, MS Removal and Malwarebytes, and everything is clean. We're using NAT behind a firewall, but ALL outgoing SMTP traffic is disabled except for this single mail server. The issue definitely seems to be related to this specific machine, and I was hoping for some advice on finding this little bot. I'm posting my HijackThis log but can post whatever else is needed. The Gordano items are our mail software and legit.

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:04:52 PM, on 3/21/2014
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcevt32.exe
C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcstor32.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe
C:\Program Files (x86)\Dell\SysMgt\oma\bin\omsad32.exe
C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\omaws32.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\syswow64\snmp.exe
C:\Gordano\Bin\NTMManager.EXE
C:\Gordano\Bin\WWW.EXE
C:\Gordano\MySQL\bin\mysqld-nt.exe
C:\Gordano\Bin\POP.EXE
C:\Gordano\Bin\LDAP.EXE
C:\Gordano\Bin\POST.EXE
C:\Gordano\Bin\SMTP.EXE
C:\Gordano\Bin\LIST.EXE
C:\Gordano\Bin\IMAP.EXE
C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 72.235.82.105:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Symantec Backup Exec System Recovery 7.0] "C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.xxxxx\windows\system32\mswsock.dll' missing
O15 - ESC Trusted IP range: http://172.16.0.22
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238779115347
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238779095169
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T27L10NSP11EP14/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{666C91F9-D643-42AF-B93B-6B29E08DE247}: Domain = xxxxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{666C91F9-D643-42AF-B93B-6B29E08DE247}: NameServer = 172.16.0.15,72.235.82.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{666C91F9-D643-42AF-B93B-6B29E08DE247}: Domain = xxxxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{666C91F9-D643-42AF-B93B-6B29E08DE247}: NameServer = 172.16.0.15,72.235.82.178
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxxxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{666C91F9-D643-42AF-B93B-6B29E08DE247}: Domain = xxxxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{666C91F9-D643-42AF-B93B-6B29E08DE247}: NameServer = 172.16.0.15,72.235.82.178
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\administrator.xxxxx\WINDOWS\SysWOW64\browseui.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\administrator.xxxxx\WINDOWS\SysWOW64\browseui.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcstor32.exe
O23 - Service: DFS Replication (Dfsr) - Unknown owner - C:\WINDOWS\system32\Dfsr.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Gordano Messaging Suite Collaboration Server (GMSCollaboration) - Gordano Ltd - C:\Gordano\Bin\GMSCollaboration.EXE
O23 - Service: Gordano Messaging Suite LDAP Server (GMSLDAP) - Gordano Ltd - C:\Gordano\Bin\LDAP.EXE
O23 - Service: Gordano Messaging Suite Manager Server (GMSManager) - Gordano Ltd - C:\Gordano\Bin\NTMManager.EXE
O23 - Service: Gordano Messaging Suite SNMP Server (GMSSNMP) - Gordano Ltd - C:\Gordano\Bin\GMSSNMP.EXE
O23 - Service: Gordano Messaging Suite SQL Server (GMSSQL) - Unknown owner - C:\Gordano\MySQL\bin\mysqld-nt.exe
O23 - Service: Single Instance Storage Groveler (Groveler) - Unknown owner - C:\WINDOWS\system32\grovel.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Gordano Messaging Suite IMAP Server (IMAP) - Gordano Ltd - C:\Gordano\Bin\IMAP.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Gordano Messaging Suite LIST Server (LIST) - Gordano Ltd - C:\Gordano\Bin\LIST.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mr2kserv - LSI  Logic Corporation - C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: FTP Publishing Service (MSFtpsvc) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files (x86)\Dell\SysMgt\oma\bin\omsad32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Gordano Messaging Suite POP Server (POP) - Gordano Ltd - C:\Gordano\Bin\POP.EXE
O23 - Service: Gordano Messaging Suite POST Server (POST) - Gordano Ltd - C:\Gordano\Bin\POST.EXE
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: Remote Access Quarantine Agent (rqs) - Unknown owner - C:\WINDOWS\system32\rqs.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\omaws32.exe
O23 - Service: Gordano Messaging Suite SMTP Server (SMTP) - Gordano Ltd - C:\Gordano\Bin\SMTP.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown owner - C:\WINDOWS\system32\lserver.exe (file missing)
O23 - Service: Trivial FTP Daemon (TFTPD) - Unknown owner - C:\WINDOWS\system32\tftpd.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Gordano Messaging Suite Configuration Server (WWW) - Gordano Ltd - C:\Gordano\Bin\WWW.EXE

--
End of file - 10590 bytes
 


Edited by BSmith1605, 21 March 2014 - 01:04 PM.
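A small triage script for logs in the HijackThis format posted above, added here as an example; it is not code from BleepingComputer, Trend Micro or any of the posters. It parses the `Rn`/`Fn`/`On` entry lines and groups the items a responder hunting an unknown SMTP spam bot would review first: proxy and DNS settings that point outside the RFC 1918 ranges (the R1 `ProxyServer` and O17 `NameServer` entries), the O10 Winsock LSP error, and O20/O22/O23 entries that are `(file missing)` or have an unknown owner. The sample log is constructed (placeholder addresses and GUID), and the category names and the `is_internal`/`triage` helpers are this example's own.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread, not code from BleepingComputer, Trend Micro
or the posters. Groups the entries a responder reviews first when hunting
an SMTP spam bot: external proxy/DNS settings, Winsock LSP errors, and
services or Winlogon hooks that are '(file missing)' or unknown-owner.
The grouping is for review only, not a verdict (see the usage note).
"""
import ipaddress
import re
from collections import defaultdict

# An HJT entry is '<type code> - <body>', e.g. 'O23 - Service: ...'.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# O23 body: 'Service: <name> - <owner> - <path>[ (file missing)]'.
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# RFC 1918 ranges; anything else (hostnames included) counts as external.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in HJT format, modelled on the log posted above.
# The proxy/DNS addresses and the GUID are placeholders, not the thread's.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.0.113.5:8080
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 172.16.0.15,203.0.113.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 172.16.0.15,203.0.113.9
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Gordano Messaging Suite SMTP Server (SMTP) - Gordano Ltd - C:\Gordano\Bin\SMTP.EXE
"""


def is_internal(host):
    """True only for RFC 1918 addresses; hostnames and other IPs are external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_entries(log_text):
    """Yield (kind, body) for each entry line; headers and process lists are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def parse_service(body):
    """Split an O23 body into fields, or return None if it is not in that shape."""
    m = SERVICE_RE.match(body)
    if not m:
        return None
    return {"name": m.group("name"), "owner": m.group("owner"),
            "path": m.group("path"), "missing": m.group("missing") is not None}


def triage(log_text):
    """Group the entries worth a second look: category -> list of strings."""
    found = defaultdict(list)

    def note(category, item):  # append without duplicates (CCS/CS1/CS2 repeat)
        if item not in found[category]:
            found[category].append(item)

    for kind, body in parse_entries(log_text):
        if kind == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            host = proxy.rsplit(":", 1)[0]
            note("internal_proxy" if is_internal(host) else "external_proxy", proxy)
        elif kind == "O10":
            note("lsp", body)
        elif kind == "O17" and "NameServer" in body:
            for ns in body.split("=", 1)[1].split(","):
                if not is_internal(ns.strip()):
                    note("external_dns", ns.strip())
        elif kind in ("O20", "O22") and "(file missing)" in body:
            note("missing_hook", body)
        elif kind == "O23":
            svc = parse_service(body)
            if svc and svc["missing"]:
                note("missing_service", svc["name"])
            if svc and svc["owner"] == "Unknown owner":
                note("unknown_owner", svc["name"])
    return dict(found)


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

The categories are a reading order, not a verdict. In particular, HijackThis is a 32-bit program, so on an x64 host its lookups of `C:\WINDOWS\system32` are redirected to `SysWOW64` and 64-bit-only system binaries such as `lsass.exe`, `services.exe` or `Dfsr.exe` show up as `(file missing)` even though they are present; the FRST log posted later in this thread lists `Dfsr.exe` and `lserver.exe` as running processes although the HijackThis log above marks both as missing. A 64-bit-aware tool (FRST, as requested below) is the right source for the services and Winlogon entries on this machine; the proxy and external-DNS findings are worth confirming against the firewall and DHCP configuration either way.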



#2 HelpBot
  • Bleepin' Binary Bot
  • Bots
  • 12,769 posts

Posted 26 March 2014 - 12:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/528236 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 BSmith1605
  • Topic Starter
  • Members
  • 3 posts

Posted 26 March 2014 - 12:45 PM

  • I'm unable to run DDS on this server. The server is running Windows Server 2003 x64 R1.
  • Please tell us if you have your original Windows CD/DVD available. YES


#4 nasdaq
  • Malware Response Team
  • 40,752 posts
  • Location: Montreal, QC, Canada

Posted 27 March 2014 - 08:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • If the program won't start, go to MBAM's program folder (normally C:\Program Files\Malwarebytes' Anti-Malware), rename mbam.exe to a random file name (keep the .exe extension) and double-click on it to start the program.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#5 BSmith1605
  • Topic Starter
  • Members
  • 3 posts

Posted 27 March 2014 - 09:21 AM

Here are the logs as requested.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.27.03

Windows Server 2003 Service Pack 1 x64 NTFS
Internet Explorer 6.0.3790.1830
administrator :: TX-SRV [administrator]

3/27/2014 8:37:57 AM
mbam-log-2014-03-27 (08-37-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262639
Time elapsed: 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

# AdwCleaner v3.022 - Report created 27/03/2014 at 08:42:53
# Updated 13/03/2014 by Xplode
# Operating System : Microsoft Windows Server 2003 R2 Service Pack 1 (64 bits)
# Username : administrator - TX-SRV
# Running from : C:\Documents and Settings\administrator\Desktop\Spam Check\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{090ACFA1-1580-11D1-8AC0-00C0F00910F9}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B4E90801-B83C-11D0-8B40-00C0F00AE35A}

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.3790.1830


*************************

AdwCleaner[R0].txt - [956 octets] - [27/03/2014 08:41:46]
AdwCleaner[R1].txt - [873 octets] - [27/03/2014 08:42:53]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [932 octets] ##########
 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by administrator (administrator) on TX-SRV on 27-03-2014 08:44:43
Running from C:\Documents and Settings\administrator\Desktop\Spam Check
Microsoft Windows Server 2003 R2 Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Symantec Corporation) C:\Program Files (x86)\Symantec\LiveUpdate\ALUSchedulerSvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcevt32.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcstor32.exe
(LSI  Logic Corporation) C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe
(Microsoft Corporation) C:\WINDOWS\system32\ntfrs.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SysMgt\oma\bin\omsad32.exe
() C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\omaws32.exe
(Microsoft Corporation) C:\WINDOWS\system32\tcpsvcs.exe
(Microsoft Corporation) C:\WINDOWS\system32\lserver.exe
(Microsoft Corporation) C:\WINDOWS\system32\Dfssvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\Dfsr.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\system32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\WINDOWS\System32\snmp.exe
(Microsoft Corporation) C:\WINDOWS\syswow64\snmp.exe
(Microsoft Corporation) C:\WINDOWS\system32\logon.scr
(Gordano Ltd) C:\Gordano\Bin\NTMManager.EXE
(Gordano Ltd) C:\Gordano\Bin\WWW.EXE
() C:\Gordano\MySQL\bin\mysqld-nt.exe
(Gordano Ltd) C:\Gordano\Bin\POP.EXE
(Gordano Ltd) C:\Gordano\Bin\LDAP.EXE
(Gordano Ltd) C:\Gordano\Bin\POST.EXE
(Gordano Ltd) C:\Gordano\Bin\SMTP.EXE
(Gordano Ltd) C:\Gordano\Bin\LIST.EXE
(Gordano Ltd) C:\Gordano\Bin\IMAP.EXE
(Microsoft Corporation) C:\WINDOWS\system32\rdpclip.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ATIModeChange] - Ati2mdxx.exe
HKLM\...\Run: [bacstray] - C:\Program Files\Broadcom\BACS\BacsTray.exe
HKLM-x32\...\Run: [Symantec Backup Exec System Recovery 7.0] - C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe [2037352 2007-03-28] (Symantec Corporation)
HKLM\...\Winlogon: [UIHost] C:\Windows\system32\logonui.exe [662016 2005-11-30] ( (Microsoft Corporation))
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\crypt32chain: C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy: C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\ScCertProp: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: C:\WINDOWS\system32\WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\crypt32chain-x32: C:\WINDOWS\SysWOW64\crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet-x32: C:\WINDOWS\SysWOW64\cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll-x32: C:\WINDOWS\SysWOW64\cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy-x32: C:\WINDOWS\SysWOW64\dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\EFS-x32: C:\WINDOWS\SysWOW64\sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\ScCertProp-x32: wlnotify.dll [X]
Winlogon\Notify\Schedule-x32: wlnotify.dll [X]
Winlogon\Notify\sclgntfy-x32: C:\WINDOWS\SysWOW64\sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn-x32: WlNotify.dll [X]
Winlogon\Notify\wlballoon-x32: wlnotify.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKLM-x32\...\Command Processor:  <======= ATTENTION
HKU\.DEFAULT\...\Run: [] - [X]
HKU\.DEFAULT\...\RunOnce: [tscuninstall] - C:\Windows\system32\tscupgrd.exe [62464 2005-11-30] (Microsoft Corporation)
HKU\.DEFAULT\...\RunOnce: [] - [X]
HKU\S-1-5-19\...\RunOnce: [tscuninstall] - C:\Windows\system32\tscupgrd.exe [62464 2005-11-30] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] - C:\Windows\system32\tscupgrd.exe [62464 2005-11-30] (Microsoft Corporation)
HKU\S-1-5-21-3573654769-640652741-670981993-500\...\Run: [] - [X]
HKU\S-1-5-21-3573654769-640652741-670981993-500\...\MountPoints2: {27f65c16-7b1b-11dc-9830-00142220b828} - F:\wd_windows_tools\setup.exe
IFEO\Your Image File Name Here without a path: [Debugger] ntsd -d
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli ? pswdsync
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
SSODL-x32: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\syswow64\SHELL32.dll (Microsoft Corporation)
SSODL-x32: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\syswow64\SHELL32.dll (Microsoft Corporation)
SSODL-x32: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysWOW64\stobject.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM-x32 - DefaultScope value is missing.
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\Windows\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\Windows\system32\SHELL32.dll (Microsoft Corporation)
DPF: HKLM-x32 {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238779115347
DPF: HKLM-x32 {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238779095169
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\Windows\system32\mshtml.dll (Microsoft Corporation)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SysWOW64\urlmon.dll (Microsoft Corporation)
Handler-x32: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\Windows\SysWow64\mshtml.dll (Microsoft Corporation)
Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\Windows\system32\SHELL32.dll (Microsoft Corporation)
Filter-x32: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\SysWOW64\urlmon.dll (Microsoft Corporation)
Filter-x32: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll (Microsoft Corporation)
Filter-x32: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\Windows\SysWow64\SHELL32.dll (Microsoft Corporation)
ShellExecuteHooks: URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll [10502144 2009-02-10] (Microsoft Corporation)
ShellExecuteHooks-x32: URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\SysWOW64\shell32.dll [8384000 2009-02-10] (Microsoft Corporation)
Winsock: Catalog5 03 C:\WINDOWS\SysWOW64\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 03 %SystemRoot%\System32\mswsock.dll [490496] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{666C91F9-D643-42AF-B93B-6B29E08DE247}: [NameServer]172.16.0.15,72.235.82.178

==================== Services (Whitelisted) =================

R2 AeLookupSvc; C:\Windows\SysWOW64\aelupsvc.dll [26624 2005-11-30] (Microsoft Corporation)
S4 Alerter; C:\Windows\system32\alrsvc.dll [29696 2005-11-30] (Microsoft Corporation)
S3 ALG; C:\Windows\SysWOW64\alg.exe [45056 2005-11-30] (Microsoft Corporation)
S2 Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [431616 2005-09-06] (ATI Technologies Inc.)
R2 AudioSrv; C:\Windows\SysWOW64\audiosrv.dll [41472 2005-11-30] (Microsoft Corporation)
R2 Automatic LiveUpdate Scheduler; C:\Program Files (x86)\Symantec\LiveUpdate\ALUSchedulerSvc.exe [194240 2006-10-31] (Symantec Corporation)
R2 Backup Exec System Recovery; C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe [3290728 2007-03-28] (Symantec Corporation)
S3 BINLSVC; C:\Windows\system32\tcpsvcs.exe [27648 2005-11-30] (Microsoft Corporation)
R2 Browser; C:\Windows\SysWOW64\browser.dll [78336 2005-11-30] (Microsoft Corporation)
S4 ClipSrv; C:\Windows\system32\clipsrv.exe [49664 2005-11-30] (Microsoft Corporation)
S4 ClipSrv; C:\Windows\SysWOW64\clipsrv.exe [32256 2005-11-30] (Microsoft Corporation)
R2 dcevt32; C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcevt32.exe [77824 2005-09-06] (Dell Inc.)
R2 dcstor32; C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dcstor32.exe [114688 2005-09-06] (Dell Inc.)
R2 Dfs; C:\Windows\system32\Dfssvc.exe [318976 2005-11-30] (Microsoft Corporation)
R2 Dfs; C:\Windows\SysWOW64\Dfssvc.exe [164352 2005-11-30] (Microsoft Corporation)
S3 dmadmin; C:\Windows\System32\dmadmin.exe [398848 2005-11-30] (Microsoft Corporation)
R2 dmserver; C:\Windows\System32\dmserver.dll [37376 2005-11-30] (Microsoft Corporation)
R2 ERSvc; C:\Windows\System32\ersvc.dll [31744 2005-11-30] (Microsoft Corporation)
S2 GMSCollaboration; C:\Gordano\Bin\GMSCollaboration.EXE [1867776 2010-11-11] (Gordano Ltd)
R3 GMSLDAP; C:\Gordano\Bin\LDAP.EXE [1413120 2010-11-11] (Gordano Ltd)
R2 GMSManager; C:\Gordano\Bin\NTMManager.EXE [1097728 2010-11-11] (Gordano Ltd)
S4 GMSMessenger; C:\Gordano\Bin\GLMMessenger.EXE [1806336 2010-11-11] (Gordano Ltd)
S3 GMSSNMP; C:\Gordano\Bin\GMSSNMP.EXE [1277952 2010-11-11] (Gordano Ltd)
R3 GMSSQL; C:\Gordano\MySQL\bin\mysqld-nt.exe [1142784 2011-03-16] ()
S3 Groveler; C:\Windows\system32\grovel.exe [143872 2005-11-30] (Microsoft Corporation)
R2 helpsvc; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [77824 2005-11-30] (Microsoft Corporation)
R3 HTTPFilter; C:\Windows\System32\w3ssl.dll [21504 2005-11-30] (Microsoft Corporation)
R2 IAS; C:\Windows\System32\ias.dll [10752 2005-11-30] (Microsoft Corporation)
R2 IAS; C:\Windows\SysWOW64\ias.dll [8192 2005-11-30] (Microsoft Corporation)
R3 IASJet; C:\Windows\SysWOW64\iasrecst.dll [162816 2005-11-30] (Microsoft Corporation)
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [17920 2005-11-30] (Microsoft Corporation)
R2 IMAP; C:\Gordano\Bin\IMAP.EXE [1949696 2010-11-11] (Gordano Ltd)
S4 ImapiService; C:\WINDOWS\system32\imapi.exe [265728 2005-11-30] (Microsoft Corporation)
S4 IsmServ; C:\Windows\System32\ismserv.exe [59904 2005-11-30] (Microsoft Corporation)
S4 IsmServ; C:\Windows\SysWOW64\ismserv.exe [36352 2005-11-30] (Microsoft Corporation)
S4 kdc; C:\Windows\System32\lsass.exe [14336 2005-11-30] (Microsoft Corporation)
S4 LicenseService; C:\Windows\System32\llssrv.exe [191488 2005-11-30] (Microsoft Corporation)
S4 LicenseService; C:\Windows\SysWOW64\llssrv.exe [94720 2005-11-30] (Microsoft Corporation)
R2 LIST; C:\Gordano\Bin\LIST.EXE [1617920 2010-11-11] (Gordano Ltd)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_2.EXE [2541248 2006-10-31] (Symantec Corporation)
S4 Messenger; C:\Windows\System32\msgsvc.dll [57344 2005-11-30] (Microsoft Corporation)
S4 mnmsrvc; C:\WINDOWS\SysWOW64\mnmsrvc.exe [32768 2005-11-30] (Microsoft Corporation)
R2 mr2kserv; C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe [69632 2005-03-17] (LSI  Logic Corporation)
R2 MSFtpsvc; C:\Windows\system32\inetsrv\inetinfo.exe [17920 2005-11-30] (Microsoft Corporation)
S4 NetDDE; C:\Windows\system32\netdde.exe [160768 2005-11-30] (Microsoft Corporation)
S4 NetDDEdsdm; C:\Windows\system32\netdde.exe [160768 2005-11-30] (Microsoft Corporation)
R3 Netman; C:\Windows\SysWOW64\netman.dll [264704 2005-11-30] (Microsoft Corporation)
R3 Nla; C:\Windows\System32\mswsock.dll [490496 2008-06-21] (Microsoft Corporation)
R3 Nla; C:\Windows\SysWOW64\mswsock.dll [232448 2008-06-21] (Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1157632 2005-11-30] (Microsoft Corporation)
R2 NtFrs; C:\Windows\SysWOW64\ntfrs.exe [791552 2005-11-30] (Microsoft Corporation)
S3 NtLmSsp; C:\Windows\system32\lsass.exe [14336 2005-11-30] (Microsoft Corporation)
S3 NtmsSvc; C:\Windows\system32\ntmssvc.dll [794112 2005-11-30] (Microsoft Corporation)
R2 omsad; C:\Program Files (x86)\Dell\SysMgt\oma\bin\omsad32.exe [28793 2005-08-10] (Dell Inc.)
R2 PlugPlay; C:\Windows\system32\services.exe [225792 2009-03-19] (Microsoft Corporation)
R2 PolicyAgent; C:\Windows\system32\lsass.exe [14336 2005-11-30] (Microsoft Corporation)
R2 POP; C:\Gordano\Bin\POP.EXE [1265664 2010-11-11] (Gordano Ltd)
R2 POST; C:\Gordano\Bin\POST.EXE [1232896 2010-11-11] (Gordano Ltd)
S3 RasAuto; C:\Windows\SysWOW64\rasauto.dll [91648 2005-11-30] (Microsoft Corporation)
R3 RasMan; C:\Windows\SysWOW64\rasmans.dll [181760 2006-06-22] (Microsoft Corporation)
S3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [212480 2005-11-30] (Microsoft Corporation)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2009-10-20] (CACE Technologies, Inc.)
S3 RpcLocator; C:\Windows\SysWOW64\locator.exe [71680 2005-11-30] (Microsoft Corporation)
S3 rqs; C:\WINDOWS\system32\rqs.exe [44032 2005-11-30] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [103424 2005-11-30] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [16896 2005-11-30] (Microsoft Corporation)
S3 SCardSvr; C:\Windows\System32\SCardSvr.exe [166400 2005-11-30] (Microsoft Corporation)
R2 Schedule; C:\Windows\SysWOW64\schedsvc.dll [202240 2005-11-30] (Microsoft Corporation)
R2 seclogon; C:\Windows\SysWOW64\seclogon.dll [18944 2005-11-30] (Microsoft Corporation)
R2 Server Administrator; C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\omaws32.exe [41075 2005-08-10] ()
R2 SMTP; C:\Gordano\Bin\SMTP.EXE [2109440 2010-11-11] (Gordano Ltd)
R2 SNMP; C:\Windows\System32\snmp.exe [60928 2006-11-21] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [46080 2006-11-21] (Microsoft Corporation)
S2 SysmonLog; C:\Windows\system32\smlogsvc.exe [133120 2005-11-30] (Microsoft Corporation)
S2 SysmonLog; C:\Windows\SysWOW64\smlogsvc.exe [96256 2005-11-30] (Microsoft Corporation)
R2 TermServLicensing; C:\Windows\system32\lserver.exe [538112 2005-11-30] (Microsoft Corporation)
S3 TFTPD; C:\Windows\system32\tftpd.exe [29184 2005-11-30] (Microsoft Corporation)
S4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [113152 2005-11-30] (Microsoft Corporation)
S4 TrkSvr; C:\Windows\system32\trksvr.dll [86528 2005-11-30] (Microsoft Corporation)
S4 TrkSvr; C:\Windows\SysWOW64\trksvr.dll [50688 2005-11-30] (Microsoft Corporation)
S3 TrkWks; C:\Windows\SysWOW64\trkwks.dll [87040 2005-11-30] (Microsoft Corporation)
S4 Tssdis; C:\Windows\System32\tssdis.exe [99840 2005-11-30] (Microsoft Corporation)
S3 UMWdf; C:\WINDOWS\system32\wdfmgr.exe [62976 2005-11-30] (Microsoft Corporation)
S3 UMWdf; C:\WINDOWS\SysWOW64\wdfmgr.exe [39424 2005-11-30] (Microsoft Corporation)
S3 UPS; C:\Windows\System32\ups.exe [34816 2005-11-30] (Microsoft Corporation)
S3 UPS; C:\Windows\SysWOW64\ups.exe [16896 2005-11-30] (Microsoft Corporation)
R2 W3SVC; C:\WINDOWS\system32\inetsrv\iisw3adm.dll [312320 2005-11-30] (Microsoft Corporation)
S3 WmdmPmSN; C:\WINDOWS\SysWOW64\mspmsnsv.dll [25088 2005-11-30] (Microsoft Corporation)
S3 Wmi; C:\Windows\System32\advapi32.dll [1051136 2009-03-19] (Microsoft Corporation)
S3 Wmi; C:\Windows\SysWOW64\advapi32.dll [620032 2009-03-19] (Microsoft Corporation)
R2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [12288 2005-11-30] (Microsoft Corporation)
R2 WWW; C:\Gordano\Bin\WWW.EXE [2850816 2010-11-11] (Gordano Ltd)
R2 WZCSVC; C:\Windows\System32\wzcsvc.dll [503808 2005-11-30] (Microsoft Corporation)
R2 WZCSVC; C:\Windows\SysWOW64\wzcsvc.dll [373248 2005-11-30] (Microsoft Corporation)
S3 xmlprov; C:\Windows\System32\xmlprov.dll [326144 2005-11-30] (Microsoft Corporation)
S3 xmlprov; C:\Windows\SysWOW64\xmlprov.dll [131584 2005-11-30] (Microsoft Corporation)
R2 Eventlog;  [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]

==================== Drivers (Whitelisted) ====================

S4 Abiosdsk; No ImagePath
S4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [18432 2005-11-30] (Microsoft Corporation)
S4 adpu160m; No ImagePath
S4 adpu320; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 AmdIde; No ImagePath
S4 arc; No ImagePath
S4 Atdisk; No ImagePath
S3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [1605120 2005-09-06] (ATI Technologies Inc.)
S3 Atmarpc; C:\Windows\System32\DRIVERS\atmarpc.sys [106496 2005-11-30] (Microsoft Corporation)
R3 audstub; C:\Windows\System32\DRIVERS\audstub.sys [5632 2005-03-24] (Microsoft Corporation)
R2 CdaC15BA; C:\Windows\System32\DRIVERS\CdaC15BA.sys [13312 2005-11-30] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
R2 CdaD10BA; C:\Windows\System32\DRIVERS\CdaD10BA.sys [13312 2005-11-30] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
S1 Changer; No ImagePath
S4 ClusDisk; C:\Windows\System32\DRIVERS\ClusDisk.sys [112128 2005-11-30] (Microsoft Corporation)
S4 CmdIde; No ImagePath
S4 cpqcissm; No ImagePath
R3 dcdbas; C:\Windows\System32\DRIVERS\dcdbas64.sys [35328 2005-09-06] (Dell Inc.)
R3 dcdipm; C:\Windows\System32\DRIVERS\dcdipm64.sys [49664 2005-09-06] (Dell Inc.)
R0 DfsDriver; C:\Windows\System32\drivers\Dfs.sys [52736 2005-11-30] (Microsoft Corporation)
S4 dmboot; C:\Windows\System32\drivers\dmboot.sys [415232 2005-11-30] (Microsoft Corporation)
R0 dmio; C:\Windows\System32\drivers\dmio.sys [243712 2005-11-30] (Microsoft Corporation)
R0 dmload; C:\Windows\System32\drivers\dmload.sys [9216 2005-11-30] (Microsoft Corporation)
S4 dpti2o; No ImagePath
S3 E1000; C:\Windows\System32\DRIVERS\e1G5132e.sys [225536 2005-09-06] (Intel Corporation)
S4 elxstor; No ImagePath
R1 Fips; C:\Windows\System32\Drivers\Fips.sys [50688 2005-11-30] (Microsoft Corporation)
R0 Ftdisk; C:\Windows\System32\DRIVERS\ftdisk.sys [240128 2005-11-30] (Microsoft Corporation)
R3 Gpc; C:\Windows\System32\DRIVERS\msgpc.sys [71168 2005-11-30] (Microsoft Corporation)
S4 hpcisss; No ImagePath
S1 i2omgmt; No ImagePath
S4 iirsp; No ImagePath
S1 imapi; C:\Windows\System32\DRIVERS\imapi.sys [72704 2005-11-30] (Microsoft Corporation)
S3 Ip6Fw; C:\Windows\System32\DRIVERS\Ip6Fw.sys [48128 2005-11-30] (Microsoft Corporation)
R1 IPSec; C:\Windows\System32\DRIVERS\ipsec.sys [154624 2005-11-30] (Microsoft Corporation)
R3 l2nd; C:\Windows\System32\DRIVERS\bxnd52a.sys [86568 2011-01-14] (Broadcom Corporation)
U3 LicenseInfo; No ImagePath
S4 lp6nds35; No ImagePath
R1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [8192 2005-11-30] (Microsoft Corporation)
R0 msas2k3; C:\Windows\System32\drivers\msas2k3.sys [41984 2010-03-11] (LSI Corporation)
S4 nfrd960; No ImagePath
S3 nm; C:\Windows\System32\DRIVERS\NMnt.sys [71168 2005-11-30] (Microsoft Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [47632 2009-10-20] (CACE Technologies, Inc.)
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
R3 PORTACCESSOR_1; C:\Program Files (x86)\Dell\SysMgt\oldiags\packages\PORTACCESSOR64.sys [5632 2005-07-27] (Dell Inc.)
S3 Portmap; C:\Windows\System32\DRIVERS\portmap.sys [36864 2005-11-23] (Microsoft Corporation)
R3 Ptilink; C:\Windows\System32\DRIVERS\ptilink.sys [31232 2005-11-30] (Parallel Technologies, Inc.)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [19936 2011-05-06] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [13280 2011-05-06] ()
S4 ql2300; No ImagePath
R3 Raspti; C:\Windows\System32\DRIVERS\raspti.sys [31232 2005-11-30] (Microsoft Corporation)
R1 redbook; C:\Windows\System32\DRIVERS\redbook.sys [64000 2005-03-24] (Microsoft Corporation)
S3 RpcXdr; C:\Windows\System32\DRIVERS\rpcxdr.sys [101376 2005-11-23] (Microsoft Corporation)
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [130048 2005-11-30] (Microsoft Corporation)
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [170496 2005-11-30] (Microsoft Corporation)
S4 Simbad; No ImagePath
R0 SIS; C:\Windows\System32\DRIVERS\sis.sys [107520 2005-11-30] (Microsoft Corporation)
R0 SMR410; C:\Windows\System32\drivers\SMR410.SYS [96856 2014-03-20] (Symantec Corporation)
S4 symc8xx; No ImagePath
S4 symmpi; No ImagePath
R0 symsnap; C:\Windows\System32\DRIVERS\symsnap.sys [208696 2007-03-28] (StorageCraft)
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
R3 Update; C:\Windows\System32\DRIVERS\update.sys [152576 2007-05-30] (Microsoft Corporation)
R2 v2imount; C:\Windows\System32\DRIVERS\v2imount.sys [55096 2007-03-28] (Symantec Corporation)
S4 ViaIde; No ImagePath
S3 VProEventMonitor; C:\Windows\System32\DRIVERS\vproeventmonitor.sys [19256 2007-03-28] (Symantec Corporation)
S3 WDICA; No ImagePath
S3 WLBS; C:\Windows\System32\DRIVERS\wlbs.sys [280576 2005-11-30] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVCx32: Browser -> C:\Windows\SysWOW64\browser.dll (Microsoft Corporation)
NETSVCx32: CryptSvc -> C:\Windows\SysWOW64\cryptsvc.dll (Microsoft Corporation)
NETSVCx32: DMServer -> C:\Windows\SysWOW64\dmserver.dll ==> No File.
NETSVCx32: EventSystem -> C:\WINDOWS\SysWOW64\es.dll (Microsoft Corporation)
NETSVCx32: HidServ -> C:\Windows\SysWOW64\hidserv.dll ==> No File.
NETSVCx32: Iprip -> No ServiceDLL Path.
NETSVCx32: LanmanWorkstation -> C:\Windows\SysWOW64\wkssvc.dll ==> No File.
NETSVCx32: Messenger -> C:\Windows\SysWOW64\msgsvc.dll ==> No File.
NETSVCx32: Netman -> C:\Windows\SysWOW64\netman.dll (Microsoft Corporation)
NETSVCx32: Sacsvr -> C:\Windows\SysWOW64\sacsvr.dll ==> No File.
NETSVCx32: Seclogon -> C:\Windows\SysWOW64\seclogon.dll (Microsoft Corporation)
NETSVCx32: TrkWks -> C:\Windows\SysWOW64\trkwks.dll (Microsoft Corporation)
NETSVCx32: TrkSvr -> C:\Windows\SysWOW64\trksvr.dll (Microsoft Corporation)
NETSVCx32: WZCSVC -> C:\Windows\SysWOW64\wzcsvc.dll (Microsoft Corporation)
NETSVCx32: xmlprov -> C:\Windows\SysWOW64\xmlprov.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2014-03-27 08:44 - 2014-03-27 08:44 - 00000000 ____D () C:\FRST
2014-03-27 08:43 - 2014-03-27 08:43 - 00001015 _____ () C:\Documents and Settings\administrator\Desktop\AdwCleaner[R1].txt
2014-03-27 08:41 - 2014-03-27 08:43 - 00000000 ____D () C:\AdwCleaner
2014-03-27 08:33 - 2014-03-27 08:44 - 00000000 ____D () C:\Documents and Settings\administrator\Local Settings\Temp\3
2014-03-21 18:54 - 2014-03-21 18:54 - 00000059 _____ () C:\WINDOWS\ssclp.log
2014-03-21 14:46 - 2014-03-21 15:28 - 00000000 ____D () C:\Documents and Settings\administrator\Local Settings\Temp\hsperfdata_administrator
2014-03-21 14:46 - 2014-03-21 14:46 - 00005108 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\JavaDeployReg.log
2014-03-21 14:46 - 2014-03-21 14:46 - 00000000 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\RD9.tmp
2014-03-21 14:46 - 2014-03-21 14:45 - 00312744 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-03-21 14:46 - 2014-03-21 14:45 - 00189352 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-03-21 14:46 - 2014-03-21 14:45 - 00189352 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-03-21 14:46 - 2014-03-21 14:45 - 00168448 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-03-21 14:46 - 2014-03-21 14:45 - 00108968 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2014-03-21 14:45 - 2014-03-21 14:46 - 00029112 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\java_install.log
2014-03-21 14:45 - 2014-03-21 14:45 - 00000000 ____D () C:\Program Files\Java
2014-03-21 14:31 - 2014-03-21 15:28 - 00013348 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\java_install_reg.log
2014-03-21 14:29 - 2014-03-21 14:29 - 30796712 _____ (Oracle Corporation) C:\Documents and Settings\administrator\Desktop\jre-7u51-windows-x64.exe
2014-03-21 12:56 - 2014-03-21 12:56 - 00000085 _____ () C:\WINDOWS\wininit.ini
2014-03-21 10:33 - 2014-03-21 12:56 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-03-21 10:33 - 2014-03-21 10:33 - 00065536 _____ () C:\WINDOWS\system32\config\SpybotSD.evt
2014-03-20 14:19 - 2004-03-01 14:08 - 00000136 _____ () C:\Documents and Settings\administrator\Desktop\RemoveHead.mml
2014-03-20 08:58 - 2014-03-20 08:58 - 00000000 ____D () C:\Documents and Settings\administrator\Start Menu\Programs\HiJackThis
2014-03-20 08:18 - 2014-03-20 08:43 - 00000390 _____ () C:\WINDOWS\system32\Drivers\SMR410.dat
2014-03-20 08:18 - 2014-03-20 08:18 - 00096856 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR410.SYS
2014-03-20 07:53 - 2014-03-27 08:44 - 00000000 ____D () C:\Documents and Settings\administrator\Desktop\Spam Check
2014-03-19 13:51 - 2014-03-20 14:23 - 00000000 ____D () C:\Documents and Settings\administrator\Desktop\Backup
2014-03-19 13:46 - 2014-03-18 08:43 - 367964016 _____ (Microsoft Corporation) C:\Documents and Settings\administrator\Desktop\WindowsServer2003.WindowsXP-KB914961-SP2-x64-ENU.exe
2014-03-19 13:45 - 2014-03-19 13:44 - 73357416 _____ () C:\Documents and Settings\administrator\Desktop\gms.exe
2014-03-18 07:36 - 2014-03-18 07:36 - 00000000 ____D () C:\Program Files\CCleaner

==================== One Month Modified Files and Folders =======

2014-03-27 08:44 - 2014-03-27 08:44 - 00000000 ____D () C:\FRST
2014-03-27 08:44 - 2014-03-27 08:33 - 00000000 ____D () C:\Documents and Settings\administrator\Local Settings\Temp\3
2014-03-27 08:44 - 2014-03-20 07:53 - 00000000 ____D () C:\Documents and Settings\administrator\Desktop\Spam Check
2014-03-27 08:44 - 2006-10-27 10:53 - 00000000 ____D () C:\Gordano
2014-03-27 08:43 - 2014-03-27 08:43 - 00001015 _____ () C:\Documents and Settings\administrator\Desktop\AdwCleaner[R1].txt
2014-03-27 08:43 - 2014-03-27 08:41 - 00000000 ____D () C:\AdwCleaner
2014-03-27 08:42 - 2006-03-28 10:02 - 00000112 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-03-27 07:30 - 2014-01-24 16:43 - 00000258 _____ () C:\WINDOWS\Tasks\sterling-inbound.job
2014-03-27 07:30 - 2006-03-28 11:24 - 00000178 ___SH () C:\Documents and Settings\administrator\ntuser.ini
2014-03-27 06:43 - 2006-03-28 10:03 - 01677741 _____ () C:\WINDOWS\WindowsUpdate.log
2014-03-27 01:00 - 2014-01-24 16:43 - 00000260 _____ () C:\WINDOWS\Tasks\sterling-outbound.job
2014-03-27 01:00 - 2009-07-08 09:52 - 00000222 _____ () C:\WINDOWS\Tasks\log.job
2014-03-26 16:14 - 2006-03-28 11:24 - 00000000 ____D () C:\Documents and Settings\administrator
2014-03-22 07:00 - 2006-03-28 03:53 - 00000000 ____D () C:\WINDOWS\system32\inetsrv
2014-03-22 07:00 - 2006-03-28 03:53 - 00000000 ____D () C:\WINDOWS\repair
2014-03-21 18:54 - 2014-03-21 18:54 - 00000059 _____ () C:\WINDOWS\ssclp.log
2014-03-21 18:54 - 2006-03-28 03:58 - 00950830 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-03-21 18:53 - 2006-03-28 10:03 - 00000000 ____D () C:\WINDOWS\Registration
2014-03-21 15:28 - 2014-03-21 14:46 - 00000000 ____D () C:\Documents and Settings\administrator\Local Settings\Temp\hsperfdata_administrator
2014-03-21 15:28 - 2014-03-21 14:31 - 00013348 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\java_install_reg.log
2014-03-21 14:46 - 2014-03-21 14:46 - 00005108 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\JavaDeployReg.log
2014-03-21 14:46 - 2014-03-21 14:46 - 00000000 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\RD9.tmp
2014-03-21 14:46 - 2014-03-21 14:45 - 00029112 _____ () C:\Documents and Settings\administrator\Local Settings\Temp\java_install.log
2014-03-21 14:45 - 2014-03-21 14:46 - 00312744 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-03-21 14:45 - 2014-03-21 14:46 - 00189352 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-03-21 14:45 - 2014-03-21 14:46 - 00189352 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-03-21 14:45 - 2014-03-21 14:46 - 00168448 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-03-21 14:45 - 2014-03-21 14:46 - 00108968 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2014-03-21 14:45 - 2014-03-21 14:45 - 00000000 ____D () C:\Program Files\Java
2014-03-21 14:29 - 2014-03-21 14:29 - 30796712 _____ (Oracle Corporation) C:\Documents and Settings\administrator\Desktop\jre-7u51-windows-x64.exe
2014-03-21 12:56 - 2014-03-21 12:56 - 00000085 _____ () C:\WINDOWS\wininit.ini
2014-03-21 12:56 - 2014-03-21 10:33 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-03-21 10:33 - 2014-03-21 10:33 - 00065536 _____ () C:\WINDOWS\system32\config\SpybotSD.evt
2014-03-20 14:23 - 2014-03-19 13:51 - 00000000 ____D () C:\Documents and Settings\administrator\Desktop\Backup
2014-03-20 08:58 - 2014-03-20 08:58 - 00000000 ____D () C:\Documents and Settings\administrator\Start Menu\Programs\HiJackThis
2014-03-20 08:43 - 2014-03-20 08:18 - 00000390 _____ () C:\WINDOWS\system32\Drivers\SMR410.dat
2014-03-20 08:18 - 2014-03-20 08:18 - 00096856 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR410.SYS
2014-03-20 07:30 - 2006-03-28 10:09 - 00032556 _____ () C:\WINDOWS\Tasks\SchedLgU.Txt
2014-03-19 13:44 - 2014-03-19 13:45 - 73357416 _____ () C:\Documents and Settings\administrator\Desktop\gms.exe
2014-03-18 10:26 - 2010-01-29 10:41 - 00000000 ____D () C:\Documents and Settings\administrator\Application Data\Wireshark
2014-03-18 08:43 - 2014-03-19 13:46 - 367964016 _____ (Microsoft Corporation) C:\Documents and Settings\administrator\Desktop\WindowsServer2003.WindowsXP-KB914961-SP2-x64-ENU.exe
2014-03-18 07:36 - 2014-03-18 07:36 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-18 07:30 - 2013-08-11 07:00 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-03-15 08:02 - 2006-03-28 03:53 - 00000000 ____D () C:\WINDOWS\security
2014-03-02 14:05 - 2009-04-03 12:23 - 90015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-02-28 08:12 - 2007-10-22 15:32 - 00000000 _____ () C:\WINDOWS\SysWOW64\signal.txt

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe
[2006-03-28 03:47] - [2005-11-30 02:00] - 0922624 ____A (Microsoft Corporation) 2412D710F07F527E99D5FCBD8D6E5B89

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe
[2006-03-28 03:44] - [2005-11-30 02:00] - 1364480 ____A (Microsoft Corporation) B46A49BD599EBB0A6D97F64E02CF5D51

C:\Windows\SysWOW64\explorer.exe
[2006-03-28 03:42] - [2005-11-30 02:00] - 1050624 ____A (Microsoft Corporation) 4B93BB34AF478A0FD9765D9B73356DC9

C:\Windows\System32\svchost.exe
[2006-03-28 03:46] - [2005-11-30 02:00] - 0025088 ____A (Microsoft Corporation) BDDFEB952617080316692951215793E9

C:\Windows\SysWOW64\svchost.exe
[2006-03-28 03:42] - [2005-11-30 02:00] - 0014336 ____A (Microsoft Corporation) CA8E6441930B54A8B8210061CE5FCCE7

C:\Windows\System32\services.exe
[2006-03-28 03:46] - [2009-03-19 20:42] - 0225792 ____A (Microsoft Corporation) 1BE370B01A0062BDFA2FB40BF5038DAD

C:\Windows\System32\User32.dll
[2007-03-02 00:56] - [2007-03-02 00:56] - 1085952 ____A (Microsoft Corporation) 463A557EF9543B58C6287ED1F650ADCA

C:\Windows\SysWOW64\User32.dll
[2007-03-02 00:56] - [2007-03-02 00:56] - 0602112 ____A (Microsoft Corporation) C7D06220C0A9A87DA13B753962ADAA55

C:\Windows\System32\userinit.exe
[2006-03-28 03:47] - [2005-11-30 02:00] - 0039424 ____A (Microsoft Corporation) 5EF907A339CAF229F3CE38909C93F53B

C:\Windows\SysWOW64\userinit.exe
[2006-03-28 03:42] - [2005-11-30 02:00] - 0026112 ____A (Microsoft Corporation) 29A1877F2D0EACFF20B6507A3C00F31B

C:\Windows\System32\rpcss.dll
[2009-03-19 20:42] - [2009-03-19 20:42] - 0695808 ____A (Microsoft Corporation) D3FA1D0B18EB5F48EE6AB99928017998

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2006-03-28 03:47] - [2005-11-30 02:00] - 0288256 ____A (Microsoft Corporation) 507B666F8E5749DB59BD581B207C1F44

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by administrator at 2014-03-27 08:44:52
Running from C:\Documents and Settings\administrator\Desktop\Spam Check
Boot Mode: Normal
==========================================================


==================== Security Center ========================


==================== Installed Programs ======================

Active Directory Application Mode Service Pack 1 (HKLM\...\ADAM) (Version:  - Microsoft Corporation)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.12-050317m-022598C-Dell - )
Broadcom Drivers and Management Applications (HKLM\...\{1C1BF886-56B6-4989-AB12-438871EC44CC}) (Version: 14.4.13.2 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.11 - Piriform)
Dell OpenManage Server Administrator (HKCU-x32\...\{A8D0C330-84F0-4675-B997-0E952FA0A0A3}) (Version: 4.5.0 - Dell)
Dell OpenManage Server Administrator (HKLM-x32\...\{A8D0C330-84F0-4675-B997-0E952FA0A0A3}) (Version: 4.5.0 - Dell)
Gordano Messaging Suite (HKCU-x32\...\Gordano Messaging Suite) (Version:  - )
Gordano Messaging Suite (HKLM-x32\...\Gordano Messaging Suite) (Version:  - )
GoToMeeting 4.5.0.457 (HKCU\...\GoToMeeting) (Version:  - )
HiJackThis (HKLM-x32\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
Intel® PRO Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
J2SE Runtime Environment 5.0 Update 10 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0150100}) (Version: 1.5.0.100 - Sun Microsystems, Inc.)
J2SE Runtime Environment 5.0 Update 11 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0150110}) (Version: 1.5.0.110 - Sun Microsystems, Inc.)
J2SE Runtime Environment 5.0 Update 6 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0150060}) (Version: 1.5.0.60 - Sun Microsystems, Inc.)
J2SE Runtime Environment 5.0 Update 9 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0150090}) (Version: 1.5.0.90 - Sun Microsystems, Inc.)
Java 7 Update 51 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417051FF}) (Version: 7.0.510 - Oracle)
Java™ 6 Update 2 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0160020}) (Version: 1.6.0.20 - Sun Microsystems, Inc.)
Java™ 6 Update 24 (HKCU-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216011FF}) (Version: 6.0.240 - Sun Microsystems, Inc.)
Java™ 6 Update 3 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0160030}) (Version: 1.6.0.30 - Sun Microsystems, Inc.)
Java™ 6 Update 5 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0160050}) (Version: 1.6.0.50 - Sun Microsystems, Inc.)
Java™ 6 Update 7 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0160070}) (Version: 1.6.0.70 - Sun Microsystems, Inc.)
Java™ SE Runtime Environment 6 Update 1 (HKCU-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0160010}) (Version: 1.6.0.10 - Sun Microsystems, Inc.)
LiveUpdate 3.2 (Symantec Corporation) (HKCU-x32\...\LiveUpdate) (Version: 3.2.0.26 - Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.2.0.26 - Symantec Corporation)
Magical Jelly Bean KeyFinder (HKCU-x32\...\KeyFinder_is1) (Version: 2.0.8.2 - Magical Jelly Bean)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKCU-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 (Version:  - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MiniTool Partition Wizard Server Edition 6.0 (HKCU-x32\...\{2C45A4ED-17D5-4DD7-BB4C-74254E31218E}_is1) (Version:  - MiniTool Solution Ltd.)
MiniTool Partition Wizard Server Edition 6.0 (HKLM-x32\...\{2C45A4ED-17D5-4DD7-BB4C-74254E31218E}_is1) (Version:  - MiniTool Solution Ltd.)
MSXML 6 Service Pack 2 (KB954459) (HKLM\...\{DAEEB65B-8B2D-482F-8B02-40470A140275}) (Version: 6.20.1099.0 - Microsoft Corporation)
Symantec Backup Exec System Recovery (HKCU-x32\...\{A8EA8A55-FDBE-4875-B598-DDC15B298270}) (Version: 7.0.0.20351 - Symantec Corporation)
Symantec Backup Exec System Recovery (HKLM-x32\...\{A8EA8A55-FDBE-4875-B598-DDC15B298270}) (Version: 7.0.0.20351 - Symantec Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKCU-x32\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation) <==== ATTENTION
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM-x32\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB898715) (HKLM\...\KB898715) (Version: 20050502.084331 - Microsoft Corporation)
Update for Windows Server 2003 (KB904942) (HKLM\...\KB904942) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB910437) (HKLM\...\KB910437) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB911280) (HKLM\...\KB911280) (Version: 2 - Microsoft Corporation)
Update for Windows Server 2003 (KB911897) (HKLM\...\KB911897) (Version: 2 - Microsoft Corporation)
Update for Windows Server 2003 (KB912945) (HKLM\...\KB912945) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB914784) (HKLM\...\KB914784) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB922582) (HKLM\...\KB922582) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB927891) (HKLM\...\KB927891) (Version: 5 - Microsoft Corporation)
Update for Windows Server 2003 (KB931836) (HKLM\...\KB931836) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB936357) (HKLM\...\KB936357) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB955839) (HKLM\...\KB955839) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
VNC Free Edition 4.1.2 (HKCU-x32\...\RealVNC_is1) (Version: 4.1.2 - RealVNC Ltd.)
WebEx (HKCU-x32\...\ActiveTouchMeetingClient) (Version:  - WebEx Communications, Inc)
WinDirStat 1.1.2 (HKCU\...\WinDirStat) (Version:  - )
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
WinPcap 4.1.1 (HKCU-x32\...\WinPcapInst) (Version: 4.1.0.1753 - CACE Technologies)
WinPcap 4.1.1 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.1753 - CACE Technologies)
Wireshark 1.2.6 (HKCU-x32\...\Wireshark) (Version: 1.2.6 - The Wireshark developer community, http://www.wireshark.org)
Wireshark 1.2.6 (HKLM-x32\...\Wireshark) (Version: 1.2.6 - The Wireshark developer community, http://www.wireshark.org)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

2006-03-28 03:44 - 2010-12-08 12:49 - 00000766 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
172.16.0.16    TX-SRV.domain.com


==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\log.job => ?
Task: C:\WINDOWS\Tasks\sterling-inbound.job => ?
Task: C:\WINDOWS\Tasks\sterling-outbound.job => ?

==================== Loaded Modules (whitelisted) =============

2006-03-28 03:46 - 2005-11-30 02:00 - 00025088 _____ () C:\WINDOWS\system32\tsd32.dll
2005-08-10 18:57 - 2005-08-10 18:57 - 00041075 _____ () C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\omaws32.exe
2006-10-27 10:53 - 2011-03-16 07:08 - 01142784 _____ () C:\Gordano\MySQL\bin\mysqld-nt.exe
2005-05-18 12:33 - 2005-05-18 12:33 - 00057344 _____ () C:\Program Files (x86)\Dell\SysMgt\sm\dcsipe32.dll
2008-03-27 02:05 - 2008-03-27 02:05 - 00355112 _____ () C:\WINDOWS\SysWOW64\msjetoledb40.dll
2005-08-10 18:54 - 2005-08-10 18:54 - 00057344 _____ () C:\Program Files (x86)\Dell\SysMgt\oma\bin\invmib32.dll
2005-08-10 18:54 - 2005-08-10 18:54 - 00697344 _____ () C:\Program Files (x86)\Dell\SysMgt\oma\bin\libxml2.dll
2006-10-27 10:53 - 2010-11-11 17:43 - 00212992 _____ () C:\Gordano\Bin\ZLib.DLL

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Name: Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #67
Description: Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom Corporation
Service: l2nd
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/20/2014 11:02:44 AM) (Source: Application Error) (User: )
Description: Faulting application WWW.EXE, version 17.1.0.3793, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [WWW.EXE!ws!]

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4) (User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4) (User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4) (User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4) (User: )
Description: SocketManagerunknown listener event: 0

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4) (User: )
Description: SocketManagerunknown listener event: 0

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4) (User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4) (User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4) (User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4) (User: )
Description: SocketManagerunknown listener event: 0


System errors:
=============
Error: (03/21/2014 10:33:40 AM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%1053

Error: (03/21/2014 10:33:40 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

Error: (03/14/2014 01:20:27 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/13/2014 11:06:27 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/13/2014 05:38:27 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/13/2014 01:06:27 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/12/2014 09:46:27 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/12/2014 07:56:27 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/12/2014 05:26:27 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.

Error: (03/12/2014 03:26:27 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{666C91F9-D643-42AF-B93B-6B29E08DE247}.
The backup browser is stopping.


Microsoft Office Sessions:
=========================
Error: (03/20/2014 11:02:44 AM) (Source: Application Error)(User: )
Description: WWW.EXE17.1.0.3793unknown0.0.0.000000000

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4)(User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4)(User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4)(User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4)(User: )
Description: SocketManagerunknown listener event: 0

Error: (03/20/2014 08:08:47 AM) (Source: WinVNC4)(User: )
Description: SocketManagerunknown listener event: 0

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4)(User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4)(User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4)(User: )
Description: HTTPServeruntrapped: End of stream

Error: (03/20/2014 08:00:24 AM) (Source: WinVNC4)(User: )
Description: SocketManagerunknown listener event: 0


==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 12274.79 MB
Available physical RAM: 9765.53 MB
Total Pagefile: 13797.61 MB
Available Pagefile: 11929.39 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive b: (Shares) (Network) (Total:931.51 GB) (Free:343.48 GB) NTFS
Drive c: () (Fixed) (Total:44.86 GB) (Free:34.13 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:363.51 GB) (Free:315.3 GB) NTFS
Drive e: (CRMSXVOL_EN) (CDROM) (Total:0.61 GB) (Free:0 GB) CDFS
Drive f: (Seagate) (Fixed) (Total:1863.01 GB) (Free:1423.55 GB) NTFS
Drive m: (Shares) (Network) (Total:931.51 GB) (Free:343.48 GB) NTFS
Drive p: (Disk 0 Vol H) (Network) (Total:151.21 GB) (Free:62.21 GB) NTFS
Drive t: (Shares) (Network) (Total:931.51 GB) (Free:343.48 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 408 GB) (Disk ID: 52FA77C8)
Partition 1: (Active) - (Size=45 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=364 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 9E04739A)
Partition 1: (Not Active) - (Size=-198626966528) - (Type=07 NTFS)

==================== End Of Log ============================



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:30 PM

Posted 27 March 2014 - 01:02 PM

Looks like your Winsock needs to be looked after.
Winsock: Catalog5 03 C:\WINDOWS\SysWOW64\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 03 %SystemRoot%\System32\mswsock.dll [490496] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Follow the instructions on this Microsoft page.
http://support.microsoft.com/kb/317518

Keep me posted.



