Fred007

Posts posted by Fred007

  1. Yes, this is a small business.

    It is Microsoft Small Business Server 2003

    We put the free version of malware on when we started having problems. We have since ordered the full version but have not updated the software yet because we did not want to alter any of the results.

    Should we go ahead and finish the registration and rerun Malware?

    Thanks

    Fred

    Hi,

    I would like to know two things first. :)

    1. Why are you using a server version of Windows?

    2. Is this a business PC?

  2. Thanks for the reply!

    First log OTL.txt as follows:

    OTL logfile created on: 8/26/2010 3:37:26 PM - Run 1

    OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Administrator\Desktop

    Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController

    Internet Explorer (Version = 6.0.3790.3959)

    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 45.00% Memory free

    8.00 Gb Paging File | 5.00 Gb Available in Paging File | 66.00% Paging File free

    Paging file location(s): c:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

    Drive C: | 19.99 Gb Total Space | 7.22 Gb Free Space | 36.15% Space Free | Partition Type: NTFS

    Drive D: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS

    Drive E: | 48.00 Gb Total Space | 14.33 Gb Free Space | 29.86% Space Free | Partition Type: NTFS

    F: Drive not present or media not loaded

    G: Drive not present or media not loaded

    H: Drive not present or media not loaded

    I: Drive not present or media not loaded

    Drive R: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS

    Drive V: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS

    Computer Name: CLOWER-08

    Current User Name: administrator

    Logged in as Administrator.

    Current Boot Mode: Normal

    Scan Mode: All users

    Company Name Whitelist: On

    Skip Microsoft Files: On

    File Age = 90 Days

    Output = Standard

    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

    PRC - [2010/06/22 08:48:23 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe

    PRC - [2010/06/22 08:48:18 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe

    PRC - [2010/06/22 08:48:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe

    PRC - [2010/06/22 08:48:12 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe

    PRC - [2010/06/22 08:48:10 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe

    PRC - [2010/06/22 08:48:09 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe

    PRC - [2009/08/06 21:43:46 | 000,034,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Update Services\service\bin\wsusservice.exe

    PRC - [2009/05/28 12:14:55 | 000,157,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe

    PRC - [2009/02/16 06:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe

    PRC - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe

    PRC - [2008/12/16 20:39:30 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe

    PRC - [2008/11/25 23:59:27 | 005,266,432 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\store.exe

    PRC - [2008/11/25 22:43:19 | 003,598,848 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\emsmta.exe

    PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    PRC - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe

    PRC - [2007/04/23 11:53:45 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

    PRC - [2007/04/23 11:53:45 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe

    PRC - [2007/04/23 11:53:45 | 000,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr

    PRC - [2007/04/23 11:53:45 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe

    PRC - [2007/04/23 11:53:45 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe

    PRC - [2007/04/23 11:53:45 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe

    PRC - [2007/04/23 11:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe

    PRC - [2007/04/23 11:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

    PRC - [2007/04/23 11:53:45 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe

    PRC - [2007/04/23 11:53:45 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe

    PRC - [2007/04/23 11:53:45 | 000,027,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\davcdata.exe

    PRC - [2007/04/23 11:53:45 | 000,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe

    PRC - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe

    PRC - [2007/04/23 11:53:45 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe

    PRC - [2007/04/19 14:08:48 | 000,031,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE

    PRC - [2006/10/23 00:48:20 | 000,040,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    PRC - [2006/04/07 15:40:48 | 000,061,526 | ---- | M] ( ) -- C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe

    PRC - [2006/02/15 12:48:00 | 000,176,128 | R--- | M] () -- C:\Program Files\RAID Web Console 2\MegaMonitor\Monitor.exe

    PRC - [2005/11/06 08:48:26 | 000,040,960 | ---- | M] () -- C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe

    PRC - [2005/08/25 21:10:14 | 008,920,064 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\mad.exe

    PRC - [2005/08/25 21:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\exmgmt.exe

    PRC - [2005/05/03 22:07:32 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

    PRC - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE

    PRC - [2005/04/29 19:53:57 | 000,022,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Monitoring\wblogsvc.exe

    PRC - [2005/04/29 19:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe

    PRC - [2005/01/15 10:12:56 | 000,045,163 | ---- | M] () -- C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe

    PRC - [2003/09/28 16:16:12 | 000,237,568 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe

    ========== Modules (SafeList) ==========

    MOD - [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

    MOD - [2007/04/23 11:53:45 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

    MOD - [2007/04/23 11:53:45 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll

    MOD - [2007/02/17 01:04:16 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (WinHttpAutoProxySvc)

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

    SRV - [2010/06/22 08:48:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)

    SRV - [2009/08/06 21:43:46 | 000,034,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Update Services\Service\bin\WsusService.exe -- (WsusService)

    SRV - [2009/08/06 21:35:52 | 000,066,984 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Update Services\Service\bin\WsusCertServer.exe -- (WSusCertServer)

    SRV - [2009/05/28 12:14:55 | 000,157,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS) Windows Internet Name Service (WINS)

    SRV - [2009/02/16 06:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)

    SRV - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe -- (MSSQL$SBSMONITORING)

    SRV - [2008/12/16 20:39:30 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe -- (MSSQL$SHAREPOINT)

    SRV - [2008/12/16 17:51:14 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE -- (SQLAgent$SHAREPOINT)

    SRV - [2008/11/25 23:59:27 | 005,266,432 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\store.exe -- (MSExchangeIS)

    SRV - [2008/11/25 22:43:19 | 003,598,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\emsmta.exe -- (MSExchangeMTA)

    SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)

    SRV - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe -- (MSSQL$MICROSOFT##SSEE) Windows Internal Database (MICROSOFT##SSEE)

    SRV - [2007/09/07 13:12:20 | 000,038,424 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\PDS.EXE -- (Intel PDS)

    SRV - [2007/09/07 13:12:20 | 000,030,232 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\XFR.EXE -- (Intel File Transfer)

    SRV - [2007/09/07 13:12:16 | 000,058,912 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\IAO.EXE -- (Intel Alert Originator)

    SRV - [2007/09/07 13:12:16 | 000,038,440 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler)

    SRV - [2007/04/23 11:53:45 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)

    SRV - [2007/04/23 11:53:45 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)

    SRV - [2007/04/23 11:53:45 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)

    SRV - [2007/04/23 11:53:45 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)

    SRV - [2007/04/23 11:53:45 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)

    SRV - [2007/04/23 11:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)

    SRV - [2007/04/23 11:53:45 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)

    SRV - [2007/04/23 11:53:45 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)

    SRV - [2007/04/23 11:53:45 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)

    SRV - [2007/04/23 11:53:45 | 000,037,888 | ---- | M] (Microsoft Corporation) [unknown | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)

    SRV - [2007/04/23 11:53:45 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (DHCPServer)

    SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)

    SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)

    SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)

    SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc) Network News Transfer Protocol (NNTP)

    SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)

    SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)

    SRV - [2007/04/23 11:53:45 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)

    SRV - [2007/04/19 14:08:48 | 000,031,584 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE -- (SPTimer)

    SRV - [2006/02/15 12:48:00 | 000,176,128 | R--- | M] () [Auto | Running] -- C:\Program Files\RAID Web Console 2\MegaMonitor\Monitor.exe -- (MegaMonitorSrv)

    SRV - [2005/11/06 08:48:26 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe -- (MSMFramework)

    SRV - [2005/08/25 21:10:14 | 008,920,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\mad.exe -- (MSExchangeSA)

    SRV - [2005/08/25 21:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\exmgmt.exe -- (MSExchangeMGMT)

    SRV - [2005/08/25 20:29:52 | 000,339,456 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- E:\exchange\bin\srsmain.exe -- (MSExchangeSRS)

    SRV - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE -- (SQLAgent$SBSMONITORING)

    SRV - [2005/04/29 19:53:57 | 000,022,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows Small Business Server\Monitoring\wblogsvc.exe -- (WBLOGSVC)

    SRV - [2005/04/29 19:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)

    SRV - [2003/09/28 16:16:12 | 000,237,568 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\DigitalPersona\Bin\DpHost.exe -- (DpHost)

    SRV - [2003/06/03 02:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- E:\exchange\bin\events.exe -- (MSExchangeES)

    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)

    DRV - [2010/06/22 08:48:12 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)

    DRV - [2010/06/01 08:02:37 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)

    DRV - [2010/04/28 10:45:31 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)

    DRV - [2008/05/06 10:06:59 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TOUCHDSP.sys -- (TOUCHDSP)

    DRV - [2008/05/06 10:06:59 | 000,020,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TouchSta.SYS -- (TOUCHSTA)

    DRV - [2007/04/23 11:53:45 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)

    DRV - [2007/04/23 11:53:45 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk)

    DRV - [2007/04/23 11:53:45 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)

    DRV - [2007/02/17 03:07:16 | 000,029,184 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)

    DRV - [2007/02/17 03:04:28 | 000,028,160 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)

    DRV - [2007/02/17 03:04:28 | 000,026,624 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)

    DRV - [2007/02/17 03:04:28 | 000,024,064 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)

    DRV - [2007/02/17 02:34:06 | 000,024,064 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)

    DRV - [2007/02/17 01:51:06 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dpti2o.sys -- (dpti2o)

    DRV - [2007/02/17 01:31:22 | 000,009,216 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

    DRV - [2007/02/16 22:55:58 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

    DRV - [2007/01/29 14:37:12 | 000,047,104 | ---- | M] (DigitalPersona, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbdpfp.sys -- (usbdpfp)

    DRV - [2007/01/29 14:37:12 | 000,046,592 | ---- | M] (DigitalPersona, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dpK00701.sys -- (dpK00701)

    DRV - [2006/04/05 22:03:54 | 001,431,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

    DRV - [2006/04/03 08:51:06 | 000,199,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®

    DRV - [2006/02/17 12:42:32 | 000,018,432 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MSAS2K3.SYS -- (msas2k3)

    DRV - [2006/02/17 12:42:32 | 000,017,280 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MEGASAS.SYS -- (megasas)

    DRV - [2005/08/25 19:29:06 | 000,196,192 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)

    DRV - [2003/03/24 22:13:08 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)

    DRV - [2003/03/24 22:05:14 | 000,048,640 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)

    DRV - [2003/03/24 22:05:14 | 000,041,472 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)

    DRV - [2003/03/24 22:05:12 | 000,050,688 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)

    DRV - [2003/03/24 22:05:08 | 000,054,272 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)

    DRV - [2003/03/24 22:05:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cpqarray.sys -- (Cpqarray)

    DRV - [2003/03/24 22:04:50 | 000,007,168 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)

    ========== Standard Registry (SafeList) ==========

    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

    IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://companyweb

    IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = clower-08:80

    O1 HOSTS File: ([2007/04/23 11:53:45 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

    O1 - Hosts: 127.0.0.1 localhost

    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

    O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

    O4 - HKLM..\Run: [DWPersistentQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)

    O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe (SurfRight B.V.)

    O4 - HKLM..\Run: [patches] File not found

    O4 - HKLM..\Run: [Popup] C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe ( )

    O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)

    O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)

    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)

    O4 - Startup: C:\Documents and Settings\AIXV5\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)

    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()

    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)

    O4 - Startup: C:\Documents and Settings\frednusbaum\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)

    O4 - Startup: C:\Documents and Settings\gaines\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)

    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1

    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1

    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0

    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1

    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1

    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

    O7 - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

    O7 - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1

    O7 - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ClowerElectric.local

    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

    O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

    O24 - Desktop WallPaper: C:\WINDOWS\nexlinkrev2.bmp

    O24 - Desktop BackupWallPaper: C:\WINDOWS\nexlinkrev2.bmp

    O27 - HKLM IFEO\sethc.exe: Debugger - c:\windows\system32\Microsoft\Protect\PINTLPRH.exe ()

    O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)

    O32 - HKLM CDRom: AutoRun - 1

    O32 - AutoRun File - [2007/10/02 13:37:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

    O33 - MountPoints2\{f7c5e005-0ce4-11dd-9737-00151755bf05}\Shell - "" = AutoRun

    O33 - MountPoints2\{f7c5e005-0ce4-11dd-9737-00151755bf05}\Shell\AutoRun - "" = Auto&Play

    O33 - MountPoints2\{f7c5e005-0ce4-11dd-9737-00151755bf05}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found

    O34 - HKLM BootExecute: (autocheck autochk *) - File not found

    O35 - HKLM\..comfile [open] -- "%1" %*

    O35 - HKLM\..exefile [open] -- "%1" %*

    O37 - HKLM\...com [@ = comfile] -- "%1" %*

    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found

    NetSvcs: Ias - File not found

    NetSvcs: Iprip - File not found

    NetSvcs: Irmon - File not found

    NetSvcs: NWCWorkstation - File not found

    NetSvcs: Nwsapagent - File not found

    NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)

    NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)

    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

    SystemRestore not available.

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/08/26 15:35:52 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

    [2010/08/24 16:52:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

    [2010/08/23 16:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\mbam-other

    [2010/08/20 12:46:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\TCPView

    [2010/08/18 22:31:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

    [2010/08/18 22:30:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

    [2010/08/18 22:30:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

    [2010/08/18 22:30:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

    [2010/08/18 22:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

    [2010/08/18 22:30:12 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe

    [2010/08/18 17:23:33 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe

    [2010/08/18 14:15:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro

    [2010/08/18 14:15:16 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5

    [2010/08/18 12:56:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

    [2010/07/10 07:50:37 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy

    [2010/06/22 08:48:17 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll

    [2010/06/02 07:26:17 | 000,000,000 | -H-D | C] -- C:\$AVG

    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 90 Days ==========

    [2010/08/26 15:39:00 | 000,000,662 | ---- | M] () -- C:\WINDOWS\tasks\Update Services synchronization task.job

    [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

    [2010/08/26 15:35:42 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys

    [2010/08/26 15:23:38 | 000,029,520 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa

    [2010/08/26 14:54:53 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job

    [2010/08/26 14:54:01 | 000,000,628 | ---- | M] () -- C:\WINDOWS\tasks\Update Services auto approval task.job

    [2010/08/26 12:17:19 | 002,621,440 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

    [2010/08/26 12:17:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

    [2010/08/26 12:15:26 | 000,004,542 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf

    [2010/08/26 12:12:59 | 000,000,435 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics

    [2010/08/26 12:12:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

    [2010/08/26 12:11:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

    [2010/08/26 12:08:27 | 003,761,508 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

    [2010/08/26 12:00:05 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{c2f76b41-06fe-11dd-ad35-806e6f6e6963}.job

    [2010/08/26 08:54:00 | 000,000,820 | ---- | M] () -- C:\WINDOWS\tasks\Update Services configuration task.job

    [2010/08/26 06:14:17 | 063,903,826 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

    [2010/08/26 04:54:10 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job

    [2010/08/24 16:52:06 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk

    [2010/08/23 17:31:33 | 430,403,584 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP

    [2010/08/23 16:57:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable

    [2010/08/23 07:31:15 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

    [2010/08/18 22:30:50 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

    [2010/08/18 22:30:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe

    [2010/08/18 17:23:33 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe

    [2010/08/18 14:15:18 | 000,001,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

    [2010/08/16 14:42:47 | 001,406,224 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

    [2010/08/16 14:42:47 | 001,067,636 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

    [2010/08/16 14:42:47 | 000,303,638 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

    [2010/08/16 12:44:15 | 000,103,032 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    [2010/08/16 11:59:29 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK

    [2010/07/28 10:52:17 | 000,030,208 | ---- | M] () -- \\CLOWER-08\Users\administrator\My Documents\Barnabas Ministry - Morrison.doc

    [2010/06/22 08:48:17 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll

    [2010/06/22 08:48:12 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys

    [2010/06/16 08:36:53 | 000,025,088 | ---- | M] () -- \\CLOWER-08\Users\administrator\My Documents\Life with my Wife.doc

    [2010/06/01 08:02:37 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys

    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/08/24 16:52:06 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk

    [2010/08/23 16:57:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable

    [2010/08/18 22:30:50 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

    [2010/08/18 14:15:31 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys

    [2010/08/18 14:15:18 | 000,001,684 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

    [2010/07/28 10:52:13 | 000,030,208 | ---- | C] () -- \\CLOWER-08\Users\administrator\My Documents\Barnabas Ministry - Morrison.doc

    [2010/07/10 07:50:30 | 000,041,732 | ---- | C] () -- C:\WINDOWS\System32\c.msc

    [2010/07/10 07:50:30 | 000,034,885 | ---- | C] () -- C:\WINDOWS\System32\t.msc

    [2009/11/10 15:48:49 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    [2009/10/16 03:32:19 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

    [2008/07/25 12:10:12 | 000,020,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\TouchSta.SYS

    [2008/06/12 16:06:09 | 000,000,162 | -H-- | C] () -- C:\Program Files\Common Files\client.lcs

    [2008/05/06 10:32:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

    [2008/04/26 08:53:57 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat

    [2008/04/25 23:57:33 | 000,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini

    [2008/04/23 06:51:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI

    [2008/04/17 17:42:16 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat

    [2008/04/17 17:26:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

    [2008/04/17 17:19:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini

    [2008/04/17 17:18:45 | 000,017,579 | ---- | C] () -- C:\WINDOWS\System32\nntpctrs.ini

    [2008/04/17 17:11:42 | 000,002,360 | ---- | C] () -- C:\WINDOWS\System32\dhcpctrs.ini

    [2007/10/02 15:11:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

    [2007/10/02 13:34:05 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini

    [2007/10/02 13:34:05 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini

    [2007/10/02 13:34:02 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini

    [2007/10/02 13:34:01 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini

    [2007/10/02 13:34:01 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini

    [2007/10/02 13:25:49 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini

    [2007/10/02 13:25:46 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini

    [2007/10/02 13:25:46 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini

    [2007/10/02 13:25:46 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini

    [2007/10/02 13:25:41 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini

    [2007/10/02 13:25:40 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini

    [2005/08/26 15:36:48 | 000,880,640 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

    [2005/08/26 15:36:48 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll

    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2010/04/07 16:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Tific

    [2010/08/19 16:31:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9

    [2010/08/18 17:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro

    [2010/06/01 08:01:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gaines\Application Data\AVG9

    [2010/04/22 16:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gaines\Application Data\Tific

    [2010/08/26 15:45:00 | 000,000,496 | ---- | M] () -- C:\WINDOWS\Tasks\Collect Server Performance Data.job

    [2010/08/26 04:54:10 | 000,000,470 | ---- | M] () -- C:\WINDOWS\Tasks\Collect Usage Data.job

    [2010/04/07 13:44:46 | 000,000,234 | ---- | M] () -- C:\WINDOWS\Tasks\rb-Default.job

    [2009/08/03 16:19:15 | 000,000,232 | ---- | M] () -- C:\WINDOWS\Tasks\rb-Weekly.job

    [2010/08/26 13:09:00 | 000,032,526 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

    [2010/08/26 12:00:05 | 000,000,764 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{c2f76b41-06fe-11dd-ad35-806e6f6e6963}.job

    [2010/08/26 14:54:01 | 000,000,628 | ---- | M] () -- C:\WINDOWS\Tasks\Update Services auto approval task.job

    [2010/08/26 08:54:00 | 000,000,820 | ---- | M] () -- C:\WINDOWS\Tasks\Update Services configuration task.job

    [2010/08/26 15:44:00 | 000,000,662 | ---- | M] () -- C:\WINDOWS\Tasks\Update Services synchronization task.job

    ========== Purity Check ==========

    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >

    [2007/10/02 13:37:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

    [2009/08/13 08:26:56 | 000,000,223 | RHS- | M] () -- C:\boot.ini

    [2007/10/02 13:37:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

    [2007/10/02 13:37:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

    [2007/10/02 13:37:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

    [2007/04/23 11:53:45 | 000,047,772 | RHS- | M] () -- C:\NTDETECT.COM

    [2007/04/23 11:53:45 | 000,297,072 | RHS- | M] () -- C:\ntldr

    [2009/08/02 10:04:58 | 000,262,144 | ---- | M] () -- C:\ntuser.dat

    [2009/08/02 10:04:58 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG

    [2010/08/26 12:11:56 | 4288,438,272 | -HS- | M] () -- C:\pagefile.sys

    [2010/08/26 15:34:43 | 000,081,318 | ---- | M] () -- C:\popuplog.log

    < %systemroot%\Fonts\*.com >

    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >

    [2007/10/02 13:37:16 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    [2007/04/23 11:53:45 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\sfmpsprt.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    [2007/10/02 06:28:53 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

    [2007/10/02 06:28:53 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

    [2007/10/02 06:28:53 | 000,495,616 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    [2007/10/02 13:37:56 | 000,000,214 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    [2007/10/02 06:32:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Sti_Trace.log

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

    [2008/04/10 14:33:06 | 000,000,117 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    [2007/10/02 13:42:16 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >

    [2008/06/12 16:04:42 | 025,650,405 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gaines-setup-setup.exe

    [2010/03/12 11:03:00 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    [2010/03/12 11:02:00 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThisInstaller.exe

    [2010/08/18 22:30:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe

    [2008/04/08 11:12:18 | 000,181,763 | ---- | M] (UltraVnc) -- C:\Documents and Settings\Administrator\Desktop\NEISupport.exe

    [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    [2008/06/12 16:06:09 | 000,000,162 | -H-- | M] () -- C:\Program Files\Common Files\client.lcs

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    [2007/04/23 11:53:45 | 000,001,542 | ---- | M] () -- C:\WINDOWS\AppPatch\Custom\{425516c2-f76f-4a49-b8eb-83fc24f40599}.sdb

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5 >

    < %PROGRAMFILES%\Internet Explorer\iexplore.exe /md5 >

    [2007/04/23 11:53:45 | 000,094,208 | ---- | M] (Microsoft Corporation) MD5=E3ECE6202C2C667C45D06DBB4DEBD8E9 -- C:\Program Files\Internet Explorer\IEXPLORE.EXE

    < %systemroot%\ADDINS\*.* >

    [2007/04/23 11:53:45 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    "NoAutoUpdate" = 0

    "AUOptions" = 3

    "RescheduleWaitTimeEnabled" = 1

    "RescheduleWaitTime" = 1

    "RebootWarningTimeoutEnabled" = 1

    "RebootWarningTimeout" = 5

    "RebootRelaunchTimeoutEnabled" = 1

    "RebootRelaunchTimeout" = 10

    "DetectionFrequencyEnabled" = 1

    "DetectionFrequency" = 1

    "AutoInstallMinorUpdates" = 1

    "UseWUServer" = 1

    "NoAutoRebootWithLoggedOnUsers" = 0

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-04-15 08:13:27

    < ipconfig /all >

    Invalid Switch: all

    < nslookup google.com >

    < nslookup yahoo.com >

    < ping -n 2 google.com >

    < ping -n 2 yahoo.com >

    < route print >

    < End of report >

    Second log, Extras, as follows:

    OTL Extras logfile created on: 8/26/2010 3:37:26 PM - Run 1

    OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Administrator\Desktop

    Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController

    Internet Explorer (Version = 6.0.3790.3959)

    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 45.00% Memory free

    8.00 Gb Paging File | 5.00 Gb Available in Paging File | 66.00% Paging File free

    Paging file location(s): c:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

    Drive C: | 19.99 Gb Total Space | 7.22 Gb Free Space | 36.15% Space Free | Partition Type: NTFS

    Drive D: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS

    Drive E: | 48.00 Gb Total Space | 14.33 Gb Free Space | 29.86% Space Free | Partition Type: NTFS

    F: Drive not present or media not loaded

    G: Drive not present or media not loaded

    H: Drive not present or media not loaded

    I: Drive not present or media not loaded

    Drive R: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS

    Drive V: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS

    Computer Name: CLOWER-08

    Current User Name: administrator

    Logged in as Administrator.

    Current Boot Mode: Normal

    Scan Mode: All users

    Company Name Whitelist: On

    Skip Microsoft Files: On

    File Age = 90 Days

    Output = Standard

    Quick Scan

    ========== Extra Registry (SafeList) ==========

    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

    batfile [open] -- "%1" %*

    cmdfile [open] -- "%1" %*

    comfile [open] -- "%1" %*

    exefile [open] -- "%1" %*

    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

    htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

    piffile [open] -- "%1" %*

    regfile [merge] -- Reg Error: Key error.

    scrfile [config] -- "%1"

    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

    scrfile [open] -- "%1" /S

    txtfile [edit] -- Reg Error: Key error.

    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    "AntiVirusOverride" = 0

    "FirewallOverride" = 0

    "UpdatesDisableNotify" = 0

    "AntiVirusDisableNotify" = 0

    "FirewallDisableNotify" = 0

    "UacDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

    "C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe" = C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe:*:Enabled:popup -- ( )

    "C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe" = C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe:*:Enabled:javaw -- ()

    "C:\Program Files\Common Files\IMPMIG.EXE" = C:\Program Files\Common Files\IMPMIG.EXE:*:Enabled:IMPMIG -- File not found

    "C:\Program Files\Common Files\AcroIEHelper.exe" = C:\Program Files\Common Files\AcroIEHelper.exe:*:Enabled:AcroIEHelper -- File not found

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    "{05DEE64C-B63B-495A-B36C-4277663FAAA0}" = Windows Small Business Server ActiveSync

    "{108BE742-0564-4734-AE54-74F81263FB04}" = Windows Small Business Server Licensing

    "{2C0D7E35-EE6E-4DC7-BA13-2C68AEDEB59D}" = Windows Server Update Services 3.0 SP2

    "{396B1960-EB6D-48F5-AA7B-377921A1A33D}" = RAID Web Console 2 v1.13-02

    "{3CE06D54-72B1-44B2-AB60-E4277EC80EF4}" = Microsoft XML Parser

    "{3CF8BDBC-DA0F-45FA-A4B9-3A31CCE774E9}" = Windows Small Business Server Backup

    "{53BE2241-531B-49FB-B03D-06C377179548}" = Windows Small Business Server IE Client App

    "{5546F70C-0437-44EE-A923-7C23E6EFF689}" = Windows Small Business Server Monitoring

    "{65657C59-23A8-4974-B8E0-BA04EBD04E4F}" = Microsoft SQL Server Desktop Engine (SHAREPOINT)

    "{671E4E4D-4798-4F66-9C9E-C5762E73179E}" = Microsoft XML Parser

    "{7FB55E52-C72D-4165-85D0-383ED3D7253F}" = Windows Small Business Server Client Setup

    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

    "{8952E993-139E-4E71-881F-DD40E4DB8F81}" = Windows Small Business Server Admin

    "{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003

    "{91140409-7000-11D3-8CFE-0150048383C9}" = Microsoft Windows SharePoint Services 2.0

    "{91710409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting

    "{9189BADC-23A7-487D-B206-AD3A89A4F45D}" = Windows Small Business Server Fax

    "{91B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting

    "{977605C6-4F60-426A-AC11-D27404B3866C}" = Default

    "{A2B40ABC-025A-4389-8148-86CED357B259}" = Microsoft Connector for POP3 Mailboxes

    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

    "{A34AC564-B4A3-4D45-B969-403BC39F0E6A}" = Microsoft .NET Framework 1.1 -- Device Update 4.0

    "{A5E98C65-585A-45AB-BFC3-8555305B9929}" = Windows Small Business Server Documents

    "{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8

    "{B58E39B9-12E2-4E9B-A01B-9B896C6A52A8}" = Windows Small Business Server Connectivity

    "{B7300824-E68F-45F1-BAC1-5F15636C346F}" = Microsoft SQL Server Desktop Engine (SBSMonitoring)

    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

    "{C293E1D0-8085-4830-B806-1BA0FEF9C4A4}" = Windows Small Business Server Client Experience

    "{C73E81BF-432C-44E2-831D-F46081CA6E28}" = Windows Small Business Server Remote Portal

    "{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}" = Microsoft Group Policy Management Console with SP1

    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

    "{CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB}" = Windows Internal Database (MICROSOFT##SSEE)

    "{CF2BCF99-1A5A-4F0A-923E-29B2E029E66C}" = DigitalPersona Gold Fingerprint Recognition Software 3.2.0

    "{D846DDEE-EDF2-445F-96A4-175544202D32}" = Windows Small Business Server Fax Cfg

    "{E0AF53C1-C734-4D68-898E-B506CA921141}" = Windows Small Business Server Update Services

    "{E721BEC1-887A-4D26-BE10-7E0336B7CAC7}" = Windows Small Business Server Common

    "{F0674B40-D8C3-11D3-8C61-00104B1F6CF0}" = Remote Backup 2007

    "18BB9B0552BA675902E31409A34F929D9C9AD56C" = Windows Driver Package - Intel (e1express) Net (04/03/2006 9.3.39.0)

    "2186E77AD6E7C7071CED9BFA90127C3C088F9CAB" = Windows Driver Package - ESG-SHV System (09/19/2006 5.00.6262.1)

    "5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA" = Windows Small Business Server 2003

    "60E32FC9593A7CBEACF68913FA836F324BF623F1" = Windows Driver Package - Intel System (01/19/2006 1.2.43.0)

    "80087CDF19A4CE2FBB535E7DC99A0E50FFA25589" = Windows Driver Package - Intel (E1000) Net (01/06/2006 8.6.17.0)

    "ActiveTouchMeetingClient" = WebEx

    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

    "AF2644056DAD431E530AF5FE0505FFD67426CA81" = Windows Driver Package - ESG-SHV System (02/24/2006 5.00.6055.2)

    "ATI Display Driver" = ATI Display Driver

    "AVG9Uninstall" = AVG 9.0

    "HijackThis" = HijackThis 2.0.2

    "HitmanPro35" = Hitman Pro 3.5

    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

    "Microsoft Health Monitor 2.1" = Microsoft Health Monitor 2.1

    "PROSet" = Intel® PRO Network Connections Drivers

    "Small Business Server 2003 R2" = Windows Small Business Server 2003 R2

    "WIC" = Windows Imaging Component

    "Windows Internal Database" = Windows Internal Database

    "Windows Server Update Services 3.0 SP2" = Windows Server Update Services 3.0 SP2

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]

    Error - 8/26/2010 4:44:15 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174

    Description = A non-delivery report with a status code of 4.7.1 was generated for

    recipient rfc822;astelcolls@selco2000.com (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>).

    Error - 8/26/2010 4:44:19 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174

    Description = A non-delivery report with a status code of 4.7.1 was generated for

    recipient rfc822;asteele.student@mountsaintvincent.edu (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>).

    Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162

    Description = A non-delivery report with a status code of 5.4.0 was generated for

    recipient rfc822;astephenson@sfg1.net (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>).

    Causes: This message indicates a DNS problem or an IP address configuration problem

    Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4

    literal format. For more information, click http://www.microsoft.com/contentredirect.asp.

    Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162

    Description = A non-delivery report with a status code of 5.4.0 was generated for

    recipient rfc822;aster.9341.5066832@candygoat.com (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>).

    Causes: This message indicates a DNS problem or an IP address configuration problem

    Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4

    literal format. For more information, click http://www.microsoft.com/contentredirect.asp.

    Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162

    Description = A non-delivery report with a status code of 5.4.0 was generated for

    recipient rfc822;aster.9838.3206873@candygoat.com (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>).

    Causes: This message indicates a DNS problem or an IP address configuration problem

    Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4

    literal format. For more information, click http://www.microsoft.com/contentredirect.asp.

    Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162

    Description = A non-delivery report with a status code of 5.4.0 was generated for

    recipient rfc822;hostmaster@candygoat.com (Message-ID <CLOWER-08Xa69FuM2F000005965@clowerelectric.com>).

    Causes: This message indicates a DNS problem or an IP address configuration problem

    Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4

    literal format. For more information, click http://www.microsoft.com/contentredirect.asp.

    Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162

    Description = A non-delivery report with a status code of 5.4.0 was generated for

    recipient rfc822;10005.959808@candygoat.com (Message-ID <CLOWER-08DjoYAPNXRP0000173a@clowerelectric.com>).

    Causes: This message indicates a DNS problem or an IP address configuration problem

    Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4

    literal format. For more information, click http://www.microsoft.com/contentredirect.asp.

    Error - 8/26/2010 4:44:41 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174

    Description = A non-delivery report with a status code of 4.7.1 was generated for

    recipient rfc822;jetpilot@execpc.com (Message-ID <CLOWER-086PmiZWHHmT000056c8@clowerelectric.com>).

    Error - 8/26/2010 4:44:55 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174

    Description = A non-delivery report with a status code of 4.7.1 was generated for

    recipient rfc822;adpenner@iastate.edu (Message-ID <CLOWER-080Qp9jBQIjo000026e1@clowerelectric.com>).

    Error - 8/26/2010 4:46:36 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162

    Description = A non-delivery report with a status code of 5.4.0 was generated for

    recipient rfc822;gnto7m@sbprss.com (Message-ID <CLOWER-0819qW2CoKkH00005379@clowerelectric.com>).

    Causes: This message indicates a DNS problem or an IP address configuration problem

    Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4

    literal format. For more information, click http://www.microsoft.com/contentredirect.asp.

    [ DNS Server Events ]

    Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4015

    Description = The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone _msdcs.ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4015

    Description = The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone _msdcs.ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004

    Description = The DNS server was unable to complete directory service enumeration of zone ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    [ File Replication Service Events ]

    Error - 8/20/2010 4:23:15 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/21/2010 7:31:18 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/21/2010 10:38:17 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/23/2010 8:31:48 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/23/2010 4:15:16 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/23/2010 6:33:10 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/24/2010 8:48:25 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/24/2010 11:54:33 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/24/2010 6:22:30 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    Error - 8/25/2010 10:20:58 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568

    Description =

    [ System Events ]

    Error - 8/26/2010 11:56:49 AM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003

    Description = The master browser has received a server announcement from the computer BILL2009 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-0069-45A2-. The master browser is stopping or an election is being forced.

    Error - 8/26/2010 12:56:54 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003

    Description = The master browser has received a server announcement from the computer BILL2009 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-0069-45A2-. The master browser is stopping or an election is being forced.

    Error - 8/26/2010 1:13:11 PM | Computer Name = CLOWER-08 | Source = ipnathlp | ID = 39484681

    Description = The Windows Firewall/Internet Connection Sharing (ICS) service could not start because another program or service is running that might use the network address translation component (Ipnat.sys). This can occur when Routing and Remote Access is enabled. If this is the case, you must disable Routing and Remote Access before the Windows Firewall/Internet Connection Sharing (ICS) service can start.

    Error - 8/26/2010 1:13:21 PM | Computer Name = CLOWER-08 | Source = Service Control Manager | ID = 7009

    Description = Timeout (30000 milliseconds) waiting for the Intel PDS service to connect.

    Error - 8/26/2010 1:13:21 PM | Computer Name = CLOWER-08 | Source = Service Control Manager | ID = 7023

    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: %%170

    Error - 8/26/2010 1:22:45 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003

    Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced.

    Error - 8/26/2010 2:22:51 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003

    Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced.

    Error - 8/26/2010 3:22:59 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003

    Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced.

    Error - 8/26/2010 4:23:01 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003

    Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced.

    Error - 8/26/2010 4:34:43 PM | Computer Name = CLOWER-08 | Source = TermServDevices | ID = 1111

    Description = Driver HP Photosmart C4600 series required for printer !!JO-PC!HP Photosmart C4600 series is unknown. Contact the administrator to install the driver before you log in again.

    < End of report >

    Hope this helps.

    Fred

  3. After running Malwarebytes I got the following log:

    Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Database version: 4451

    Windows 5.2.3790 Service Pack 2

    Internet Explorer 6.0.3790.3959

    8/23/2010 6:12:48 AM

    mbam-log-2010-08-23 (06-12-48).txt

    Scan type: Quick scan

    Objects scanned: 183235

    Time elapsed: 5 minute(s), 15 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    After rebooting and rerunning Malware I get the same results.

    I did the following:

    I ran defogger and log is attached.

    I ran dds.scr but it failed; it said it was not compatible with my OS (Small Business Server 2003).

    I ran GMER and the log is attached.

    Any help would be great.

    attach.zip

  4. After running Malwarebytes I got the following log:

    Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Database version: 4451

    Windows 5.2.3790 Service Pack 2

    Internet Explorer 6.0.3790.3959

    8/23/2010 6:12:48 AM

    mbam-log-2010-08-23 (06-12-48).txt

    Scan type: Quick scan

    Objects scanned: 183235

    Time elapsed: 5 minute(s), 15 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    After rebooting and rerunning Malware I get the same results.

    Any suggestions?

    Thanks

    Fred
