Malwarebytes blocking malicious IP attempts - rootkit suspected


I have a Windows 2003 server that appears to be infected with a rootkit that others have had. So far no scanners have been able to detect the infection. Malwarebytes will just block the malicious connection attempts and below is a part of the log. Let me know which logs to provide.

09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:55 (null) IP-BLOCK 125.45.109.166
09:45:55 (null) IP-BLOCK 125.45.109.166
09:45:55 (null) IP-BLOCK 125.45.109.166
09:45:55 (null) IP-BLOCK 125.45.109.166
11:43:58 (null) IP-BLOCK 221.192.199.35
11:44:03 (null) IP-BLOCK 221.192.199.35
15:47:01 (null) IP-BLOCK 222.186.27.80
16:00:37 (null) IP-BLOCK 221.192.199.35
16:00:43 (null) IP-BLOCK 221.192.199.35
17:28:34 (null) IP-BLOCK 221.192.199.35
17:59:41 (null) IP-BLOCK 222.186.24.11
18:30:07 (null) IP-BLOCK 222.186.27.80
18:55:21 (null) IP-BLOCK 221.192.199.35
19:35:57 (null) IP-BLOCK 122.227.135.205
21:43:36 (null) IP-BLOCK 221.192.199.35
21:43:43 (null) IP-BLOCK 221.192.199.35

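The protection-log lines quoted in the post above carry only a time, one field, the word IP-BLOCK and the blocked address. As an added example (not part of the original post), the script below parses lines in that shape and separates two patterns that look alike when scrolling the log: a burst of attempts to one peer within a second or two, and a peer that is re-contacted in short sessions throughout the day. The sample input is a subset of the lines from the post; the date, the burst and session thresholds and the verdict labels are assumptions made for this example.

```python
"""Summarise Malwarebytes 1.x protection-log IP-BLOCK lines.

Added example, not from the thread. Input lines are a subset of the log quoted
in the first post; the date, the thresholds and the verdict labels are
assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape as quoted in the post: time, one field ("(null)" here), the
# literal IP-BLOCK and the blocked IPv4 address. Nothing else is on the line,
# so no process name or connection direction can be recovered from it.
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\s+\S+\s+IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Subset of the lines quoted in the post.
SAMPLE_LOG = """\
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:54 (null) IP-BLOCK 125.45.109.166
09:45:55 (null) IP-BLOCK 125.45.109.166
09:45:55 (null) IP-BLOCK 125.45.109.166
11:43:58 (null) IP-BLOCK 221.192.199.35
11:44:03 (null) IP-BLOCK 221.192.199.35
15:47:01 (null) IP-BLOCK 222.186.27.80
16:00:37 (null) IP-BLOCK 221.192.199.35
16:00:43 (null) IP-BLOCK 221.192.199.35
17:28:34 (null) IP-BLOCK 221.192.199.35
17:59:41 (null) IP-BLOCK 222.186.24.11
18:30:07 (null) IP-BLOCK 222.186.27.80
18:55:21 (null) IP-BLOCK 221.192.199.35
19:35:57 (null) IP-BLOCK 122.227.135.205
21:43:36 (null) IP-BLOCK 221.192.199.35
21:43:43 (null) IP-BLOCK 221.192.199.35
"""


def parse(text, day=datetime(2010, 9, 4)):
    """[(timestamp, ip)] for every IP-BLOCK line, oldest first. The protection
    log covers one day, so every time is placed on `day` (an assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m.group(1).split(":"))
            events.append((day.replace(hour=h, minute=mi, second=s), m.group(2)))
    return sorted(events)


def summarise(events, burst_window=timedelta(seconds=2), burst_min=5,
              session_gap=timedelta(seconds=60), recurring_min=3):
    """Per blocked IP: hit count, largest number of hits inside burst_window,
    number of sessions (hits closer than session_gap belong to one session)
    and a verdict: 'burst' (a retry loop), 'recurring' (the same peer is
    contacted again in separate sessions through the day) or 'sporadic'."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    report = {}
    for ip, times in by_ip.items():
        times.sort()
        max_burst, start = 1, 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > burst_window:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        sessions = 1 + sum(1 for a, b in zip(times, times[1:]) if b - a > session_gap)
        if max_burst >= burst_min:
            verdict = "burst"
        elif sessions >= recurring_min:
            verdict = "recurring"
        else:
            verdict = "sporadic"
        report[ip] = {"count": len(times), "max_burst": max_burst, "sessions": sessions,
                      "first": times[0].strftime("%H:%M:%S"),
                      "last": times[-1].strftime("%H:%M:%S"), "verdict": verdict}
    return report


if __name__ == "__main__":
    report = summarise(parse(SAMPLE_LOG))
    for ip, r in sorted(report.items(), key=lambda kv: (-kv[1]["sessions"], -kv[1]["count"])):
        print(f"{ip:16} hits={r['count']:2} burst={r['max_burst']:2} "
              f"sessions={r['sessions']} {r['first']}..{r['last']} {r['verdict']}")
```

On the sample, 125.45.109.166 comes out as a burst (every hit inside one second) and 221.192.199.35 as recurring (five separate sessions between 11:43 and 21:43). The lines as quoted carry no process name or direction, so the summary can only say which peers recur and how; it cannot say which process on the server is responsible, and that is the next thing to establish before treating the blocks as evidence of a resident infection.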

Hi,

Are you experiencing any malware symptoms, apart from the IP blocks?

Why are you using a server version of Windows?

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Under the Custom Scan box paste this in
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %USERPROFILE%\Templates\*.*
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    ipconfig /all /c
    nslookup google.com /c
    nslookup yahoo.com /c
    ping google.com /c
    ping yahoo.com /c
    route print /c
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

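Once the procedure above has produced OTL.txt, the report has to be read line by line. As an added example (not from the thread and not part of OTL), the script below makes a first triage pass over lines in OTL's report format and pulls out the entries a reviewer would look at first: services, drivers and Run keys that reference a file that no longer exists; per-user Internet Explorer proxy settings that are switched on, together with the proxy they point at; autostart entries whose target lies off the system drive or on a network share; hosts-file entries beyond the default; and shell lockdown policies that should be matched against the Group Policy objects applied to those users. The sample lines are copied from the OTL report posted later in this thread; the "trusted path" baseline (C:\Program Files and C:\WINDOWS) and the set of lockdown values are assumptions made for this example.

```python
"""First triage pass over an OTL.txt report.

Added example, not from the thread and not part of OTL. Sample lines are copied
from the OTL report posted in this thread; the "trusted path" baseline and the
lockdown-policy set below are assumptions made for this example.
"""
import re

# Lines copied from the posted report: one of each kind that matters here.
SAMPLE_OTL = r"""
PRC - [2007/02/17 05:31:48 | 000,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr
SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)
IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0
IE - HKU\S-1-5-21-1594520125-2729216468-843281367-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [userFaultCheck] File not found
O4 - Startup: C:\Documents and Settings\innlaptop\Start Menu\Programs\Startup\EZNews.lnk = Z:\EZNews\bin\EZNews.exe (Automated Data Systems of Wisconsin Inc.)
O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = \\Inn-nts-01\newsroom\EZNews\bin\EZNews.exe
O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
"""

LINE_RE = re.compile(r"^(PRC|MOD|SRV|DRV|IE|O\d+) - (.*)$")
PROXY_RE = re.compile(
    r'^(HKU\\[^\\]+)\\.*Internet Settings: "(ProxyEnable|ProxyServer)" = (.*)$')
# Assumed baseline: autostart targets under these trees are not reported.
TRUSTED_RE = re.compile(r"(?i)^C:\\(Program Files|WINDOWS)\\")
# Lockdown values to confirm against Group Policy (assumed set for this example).
LOCKDOWN = {"DisableTaskMgr", "DisableRegistryTools", "NoRun",
            "NoFolderOptions", "NoWindowsUpdate"}
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


def autostart_target(body):
    """Executable an O4 or O7 Run entry points at (None if the line has no target)."""
    if "] " in body:                       # HKLM..\Run: [name] target (Company)
        target = body.split("] ", 1)[1]
    elif " = " in body:                    # Startup: x.lnk = target (Company)
        target = body.split(" = ", 1)[1]
    else:
        return None
    return re.sub(r"\s*\([^()]*\)\s*$", "", target)   # drop the trailing "(Company)"


def triage(text):
    """Return [(category, kind, line_body)] for the entries worth a second look."""
    findings, proxy = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if "File not found" in body:
            findings.append(("orphan", kind, body))        # registered, file is gone
        elif kind == "IE":
            pm = PROXY_RE.match(body)
            if pm:
                hive, name, value = pm.groups()            # collect per user hive
                proxy.setdefault(hive, {})[name] = value
        elif kind == "O1" and body.startswith("Hosts:"):
            if body[len("Hosts:"):].strip() not in DEFAULT_HOSTS:
                findings.append(("hosts", kind, body))
        elif kind == "O4" or (kind == "O7" and "\\Run:" in body):
            target = autostart_target(body)
            if target and not TRUSTED_RE.match(target):
                findings.append(("autostart", kind, body))  # off system drive or UNC
        elif kind == "O7":
            name = body.rsplit(": ", 1)[-1].split(" = ")[0]
            if name in LOCKDOWN:
                findings.append(("policy", kind, body))
    for hive, values in proxy.items():
        if values.get("ProxyEnable") == "1":               # proxy switched on for this user
            findings.append(("proxy", "IE",
                             f"{hive}: ProxyServer = {values.get('ProxyServer', '<unset>')}"))
    return findings


if __name__ == "__main__":
    for category, kind, body in triage(SAMPLE_OTL):
        print(f"[{category:9}] {kind:3} {body}")
```

The script only selects; it does not judge. An orphaned Run value can be the leftover of an uninstall as easily as a removed dropper, a user whose proxy is enabled and set to 0.0.0.0 needs that setting explained by whoever configured the profile, and the policy entries are listed so they can be checked against the Group Policy that applies to those users rather than assumed to be either legitimate or hostile.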

It's a Terminal Server hosting a few applications (OSI & EZNews) for users. I removed the one NIC's IP and routes from this post since this is public.

OTL.TXT

---------------------

OTL logfile created on: 9/4/2010 2:33:54 PM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\administrator.EBI\Desktop

Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

24.00 Gb Total Physical Memory | 23.00 Gb Available Physical Memory | 96.00% Memory free

26.00 Gb Paging File | 25.00 Gb Available in Paging File | 97.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.08 Gb Total Space | 289.10 Gb Free Space | 96.99% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive Z: | 272.89 Gb Total Space | 272.29 Gb Free Space | 99.78% Space Free | Partition Type: NTFS

Computer Name: EBI-TERMSERV1

Current User Name: administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/04 14:22:51 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.EBI\Desktop\OTL.exe

PRC - [2009/11/13 00:24:11 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/11/13 00:24:11 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/11/13 00:24:10 | 000,832,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgam.exe

PRC - [2009/11/13 00:24:10 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2007/02/17 05:55:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe

PRC - [2007/02/17 05:31:48 | 000,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr

PRC - [2007/02/17 04:58:36 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/09/04 14:22:51 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.EBI\Desktop\OTL.exe

MOD - [2007/02/17 06:09:16 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll

MOD - [2007/02/17 05:36:32 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2007/02/17 01:04:16 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2009/11/13 00:24:10 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)

SRV - [2007/02/18 02:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)

SRV - [2007/02/17 06:07:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)

SRV - [2007/02/17 05:55:56 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)

SRV - [2007/02/17 05:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)

SRV - [2007/02/17 05:20:52 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)

SRV - [2007/02/17 04:50:02 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)

SRV - [2005/11/30 07:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)

SRV - [2005/11/30 07:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)

SRV - [2005/11/23 07:00:00 | 001,591,296 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srmsvc.dll -- (SrmSvc)

SRV - [2005/11/23 07:00:00 | 000,010,752 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\srmhost.exe -- (SrmReports)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2009/11/13 00:24:17 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)

DRV - [2009/11/13 00:24:16 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)

DRV - [2009/11/13 00:24:13 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)

DRV - [2009/11/13 00:24:13 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)

DRV - [2008/12/29 18:15:08 | 000,036,864 | ---- | M] (ASPEED Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\astgrp.sys -- (ASTGraphics)

DRV - [2008/09/05 00:53:02 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)

DRV - [2008/08/04 23:28:10 | 000,144,992 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1q5132.sys -- (e1qexpress) Intel®

DRV - [2007/02/17 06:09:26 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)

DRV - [2007/02/17 04:49:38 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)

DRV - [2007/02/17 04:31:14 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk)

DRV - [2005/11/23 07:00:00 | 000,088,064 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\quota.sys -- (Quota)

DRV - [2005/11/23 07:00:00 | 000,048,640 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\datascrn.sys -- (Datascrn)

DRV - [2005/07/08 17:56:32 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 92 38 4F 78 66 4C CB 01 [binary data]

IE - HKU\S-1-5-21-1594520125-2729216468-843281367-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2005/11/30 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [userFaultCheck] File not found

O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\innlaptop\Start Menu\Programs\Startup\EZNews.lnk = Z:\EZNews\bin\EZNews.exe (Automated Data Systems of Wisconsin Inc.)

O4 - Startup: C:\Documents and Settings\wncflisa\Start Menu\Programs\Startup\EZNews.lnk = Z:\EZNews\bin\EZNews.exe (Automated Data Systems of Wisconsin Inc.)

O4 - Startup: C:\Documents and Settings\wncflois\Start Menu\Programs\Startup\EZNews.lnk = Z:\EZNews\bin\EZNews.exe (Automated Data Systems of Wisconsin Inc.)

O4 - Startup: C:\Documents and Settings\wncfmorgan\Start Menu\Programs\Startup\EZNews.lnk = Z:\EZNews\bin\EZNews.exe (Automated Data Systems of Wisconsin Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoTrayNotify = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyGames = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuSubFolders = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserFolderInStartMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: QuickLaunchEnabled = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoAddRemoveToolbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoRedock = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoResize = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 0

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentProgForNewUserInStartMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCANetwork = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 67108863

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = \\Inn-nts-01\newsroom\EZNews\bin\EZNews.exe

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 2

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1475\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoTrayNotify = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyGames = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuSubFolders = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserFolderInStartMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: QuickLaunchEnabled = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoAddRemoveToolbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoRedock = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoResize = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 0

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentProgForNewUserInStartMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCANetwork = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 4

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = C:\ositraffic\OsiTraffic32.exe (Optimal Solutions, Inc.)

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 2

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1537\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoTrayNotify = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyGames = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuSubFolders = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserFolderInStartMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: QuickLaunchEnabled = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoAddRemoveToolbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoRedock = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: TaskbarNoResize = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 0

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentProgForNewUserInStartMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCANetwork = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 67108863

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = \\Inn-nts-01\newsroom\EZNews\bin\EZNews.exe

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 2

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-1572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1

O7 - HKU\S-1-5-21-1594520125-2729216468-843281367-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1249691244953 (WUWebControl Class)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebi.local

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O20 - Winlogon\Notify\sd4notify: DllName - sd4notify.dll - C:\WINDOWS\System32\sd4notify.dll (triCerat, Inc.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/08/07 05:20:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)

NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

NetSvcs: dvvnwis - C:\WINDOWS\System32\qooahsu.dll File not found

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

SystemRestore not available.

========== Files/Folders - Created Within 90 Days ==========

[2010/09/04 14:22:43 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\administrator.EBI\Desktop\OTL.exe

[2010/08/24 09:01:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro

[2010/08/24 09:01:15 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5

[2010/06/14 11:41:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/06/14 11:41:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/06/14 11:41:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/06/09 20:35:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.EBI\Application Data\WinRAR

[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/04 14:33:38 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{29E1A272-AF1E-48C5-ABE1-7705BD94E559}.job

[2010/09/04 14:22:51 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.EBI\Desktop\OTL.exe

[2010/09/04 09:18:31 | 064,281,946 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/09/03 16:10:30 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\administrator.EBI\NTUSER.DAT

[2010/09/03 15:54:56 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys

[2010/08/25 15:50:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\administrator.EBI\ntuser.ini

[2010/08/25 15:50:28 | 002,224,876 | -H-- | M] () -- C:\Documents and Settings\administrator.EBI\Local Settings\Application Data\IconCache.db

[2010/08/24 09:07:26 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\administrator.EBI\Local Settings\Application Data\housecall.guid.cache

[2010/08/24 09:01:52 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

[2010/07/23 16:46:31 | 000,000,578 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2010/06/14 11:41:04 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/09 20:45:02 | 000,510,840 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/09 20:45:02 | 000,435,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/06/09 20:45:02 | 000,066,670 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/06/09 20:42:26 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/09 20:42:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/09 20:42:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/24 09:07:26 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\administrator.EBI\Local Settings\Application Data\housecall.guid.cache

[2010/08/24 09:02:33 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys

[2010/08/24 09:01:19 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

[2010/07/06 09:53:50 | 000,000,538 | ---- | C] () -- C:\Documents and Settings\administrator.EBI\Desktop\EZNews.lnk

[2010/06/14 11:41:04 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/12/07 13:10:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI

[2009/08/13 17:30:29 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll

[2009/08/07 17:26:13 | 000,019,604 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/08/07 17:26:13 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2009/08/07 16:26:42 | 000,019,855 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini

[2009/08/07 09:40:45 | 000,000,578 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/08/06 23:16:37 | 000,001,311 | ---- | C] () -- C:\WINDOWS\System32\dfsmgmt.dll.config

[2007/02/18 02:34:38 | 000,179,440 | ---- | C] () -- C:\WINDOWS\System32\schema.ini

[2005/11/30 07:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini

[2005/11/30 07:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini

[2005/11/30 07:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini

[2005/11/30 07:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini

[2005/11/30 07:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini

[2002/02/27 09:41:28 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll

[2002/02/27 09:41:26 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll

[2002/02/27 09:41:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll

========== LOP Check ==========

[2010/08/24 09:01:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro

[2010/09/04 12:03:00 | 000,032,638 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

[2010/09/04 14:33:38 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{29E1A272-AF1E-48C5-ABE1-7705BD94E559}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2009/08/07 05:20:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2009/08/08 13:13:52 | 000,000,292 | -HS- | M] () -- C:\boot.ini

[2009/08/07 05:20:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2009/11/18 10:55:51 | 000,001,859 | ---- | M] () -- C:\EZNewsUninstall.dat

[2009/11/18 10:55:51 | 000,200,704 | ---- | M] () -- C:\EZNewsUninstall.exe

[2009/08/07 05:20:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2009/08/07 05:20:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2007/02/18 02:33:06 | 000,047,772 | RHS- | M] () -- C:\NTDETECT.COM

[2007/02/18 02:33:22 | 000,297,072 | RHS- | M] () -- C:\ntldr

[2010/06/09 20:42:10 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\Fonts\*.com >

[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >

[2009/08/07 05:19:43 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

[2009/09/02 01:20:00 | 000,281,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpcpp091.dll

[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

[2007/02/17 05:59:12 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\sfmpsprt.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

[2009/08/06 23:37:05 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2009/08/06 23:37:05 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2009/08/06 23:37:04 | 000,552,960 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

[2009/08/07 05:20:14 | 000,000,214 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

[2009/08/06 23:41:51 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Sti_Trace.log

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Desktop\*.exe >

[2010/09/04 14:22:51 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.EBI\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >

[2009/08/06 21:48:21 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\administrator.EBI\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

[2009/12/21 11:39:57 | 000,000,764 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

[2010/09/04 14:33:37 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\administrator.EBI\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

[2007/02/17 06:07:22 | 000,196,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %USERPROFILE%\Templates\*.* >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< ipconfig /all /c >

Windows IP Configuration

Host Name . . . . . . . . . . . . : EBI-TermServ1

Primary Dns Suffix . . . . . . . : ebi.local

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : ebi.local

Ethernet adapter Outside Network:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® 82574L Gigabit Network Connection

Physical Address. . . . . . . . . : 00-24-8C-FC-E8-2C

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 65.125.XXX.XXX

Subnet Mask . . . . . . . . . . . : 255.255.255.192

Default Gateway . . . . . . . . . : 65.125.XXX.XXX

DNS Servers . . . . . . . . . . . : 205.171.3.65

205.171.2.65

Ethernet adapter EBI Lan:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® 82574L Gigabit Network Connection #2

Physical Address. . . . . . . . . : 00-24-8C-FC-E8-7C

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.0.196

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 192.168.0.236

192.168.0.237

< nslookup google.com /c >

Server: ebidc01.ebi.local

Address: 192.168.0.236

Name: GOOGLE.COM

Addresses: 209.85.225.147, 209.85.225.99, 209.85.225.103, 209.85.225.104

209.85.225.105, 209.85.225.106

< nslookup yahoo.com /c >

Server: ebidc01.ebi.local

Address: 192.168.0.236

Name: YAHOO.COM

Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70

67.195.160.76

< ping google.com /c >

Pinging GOOGLE.COM [209.85.225.147] with 32 bytes of data:

Reply from 209.85.225.147: bytes=32 time=17ms TTL=54

Reply from 209.85.225.147: bytes=32 time=17ms TTL=54

Reply from 209.85.225.147: bytes=32 time=17ms TTL=54

Reply from 209.85.225.147: bytes=32 time=17ms TTL=54

Ping statistics for 209.85.225.147:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 17ms, Maximum = 17ms, Average = 17ms

< ping yahoo.com /c >

Pinging YAHOO.COM [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=26ms TTL=54

Reply from 69.147.125.65: bytes=32 time=26ms TTL=54

Reply from 69.147.125.65: bytes=32 time=26ms TTL=54

Reply from 69.147.125.65: bytes=32 time=26ms TTL=54

Ping statistics for 69.147.125.65:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 26ms, Maximum = 26ms, Average = 26ms

Persistent Routes:

None

< End of report >

-----------------------

Extras.txt

-------------

OTL Extras logfile created on: 9/4/2010 2:33:54 PM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\administrator.EBI\Desktop

Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

24.00 Gb Total Physical Memory | 23.00 Gb Available Physical Memory | 96.00% Memory free

26.00 Gb Paging File | 25.00 Gb Available in Paging File | 97.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.08 Gb Total Space | 289.10 Gb Free Space | 96.99% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive Z: | 272.89 Gb Total Space | 272.29 Gb Free Space | 99.78% Space Free | Partition Type: NTFS

Computer Name: EBI-TERMSERV1

Current User Name: administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"5000:TCP" = 5000:TCP:*:Enabled:RDP

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"2790:TCP" = 2790:TCP:*:Enabled:intelliadmin

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

"5000:TCP" = 5000:TCP:*:Enabled:RDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\AVG\AVG8\avgam.exe" = C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgdiag.exe" = C:\Program Files\AVG\AVG8\avgdiag.exe:*:Enabled:avgdiag.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgdiagex.exe" = C:\Program Files\AVG\AVG8\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\ositraffic\OsiTraffic32.exe" = C:\ositraffic\OsiTraffic32.exe:*:Enabled:OsiTraffic32.exe -- (Optimal Solutions, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business

"{0868BB9D-5EA0-40AF-A1CC-A38ED4E5BC67}" = 32 Bit HP CIO Components Installer

"{1B7BBB2A-FA59-414D-B5BC-178799DC54F1}" = ASPEED Graphics WinS03_x86 v.0.88

"{25ADA6A2-6061-4E73-9E46-3A12411AC997}" = Setup1

"{555D5F00-9CEE-4FE5-8C2A-5856A4DF94F4}" = Intel® Network Connections 13.3.46.0

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{8D5F2E5D-B9EB-4231-A469-136EF9908300}" = ScrewDrivers Server v4

"{9969875F-37D2-45E5-ADD6-9511E6290559}" = .NET Framework Machine Code Access Security Policy

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E89A642C-57C4-4DF3-9CB7-0E7FCF23B100}" = .NET Framework Machine Code Access Security Policy

"Adobe AIR" = Adobe AIR

"AVG8Uninstall" = AVG 8.5

"CC67FB0A6F8767F13898B57EC1637323F4788E57" = Windows Driver Package - ASPEED (ASTGraphics) Display (09/09/2008 6.00.10.0088)

"CutePDF Writer Installation" = CutePDF Writer 2.7

"EZNews Work Station (Remove Only)" = EZNews Work Station (Remove Only)

"HitmanPro35" = Hitman Pro 3.5

"ie8" = Windows Internet Explorer 8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"WIC" = Windows Imaging Component

"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 7/30/2010 1:24:20 PM | Computer Name = EBI-TERMSERV1 | Source = Winlogon | ID = 1218

Description = Failed to load Terminal Server Profile path. Note that the profile

path must be less than 256 characters in length. User Name: TCrouch Domain: EBI

Error - 8/12/2010 11:31:16 AM | Computer Name = EBI-TERMSERV1 | Source = Application Error | ID = 1000

Description = Faulting application EZNewsClient.exe, version 4.3.17.0, faulting

module EZAccessor.dll, version 3.3.1.0, fault address 0x0013c96d.

Error - 8/16/2010 11:38:16 AM | Computer Name = EBI-TERMSERV1 | Source = Winlogon | ID = 1218

Description = Failed to load Terminal Server Profile path. Note that the profile

path must be less than 256 characters in length. User Name: TGlaser Domain: EBI
Error - 8/20/2010 3:45:51 PM | Computer Name = EBI-TERMSERV1 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module sd4notify.dll,
version 4.4.2.25, fault address 0x00071fe8.
Error - 8/23/2010 11:03:15 AM | Computer Name = EBI-TERMSERV1 | Source = Winlogon | ID = 1218
Description = Failed to load Terminal Server Profile path. Note that the profile
path must be less than 256 characters in length. User Name: wncflisa Domain: EBI
Error - 8/25/2010 12:47:51 PM | Computer Name = EBI-TERMSERV1 | Source = Winlogon | ID = 1218
Description = Failed to load Terminal Server Profile path. Note that the profile
path must be less than 256 characters in length. User Name: JGoldstein Domain: EBI
Error - 8/25/2010 5:10:42 PM | Computer Name = EBI-TERMSERV1 | Source = Winlogon | ID = 1218
Description = Failed to load Terminal Server Profile path. Note that the profile
path must be less than 256 characters in length. User Name: MJaspan Domain: EBI
Error - 9/1/2010 8:03:50 PM | Computer Name = EBI-TERMSERV1 | Source = Application Error | ID = 1000
Description = Faulting application EZNewsClient.exe, version 4.3.17.0, faulting
module EZAccessor.dll, version 3.3.1.0, fault address 0x0013c96d.
Error - 9/3/2010 9:39:12 AM | Computer Name = EBI-TERMSERV1 | Source = Winlogon | ID = 1218
Description = Failed to load Terminal Server Profile path. Note that the profile
path must be less than 256 characters in length. User Name: JGoldstein Domain: EBI
Error - 9/3/2010 5:04:25 PM | Computer Name = EBI-TERMSERV1 | Source = Application Error | ID = 1000
Description = Faulting application EZNewsClient.exe, version 4.3.17.0, faulting
module EZAccessor.dll, version 3.3.1.0, fault address 0x0013c96d.

[ System Events ]
Error - 9/3/2010 10:45:06 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver PDF Complete Converter required for printer PDF Complete is
unknown. Contact the administrator to install the driver before you log in again.
Error - 9/4/2010 2:43:41 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver HP Color LaserJet 3700 PCL 6 required for printer HP Color
LaserJet 3700 B&W is unknown. Contact the administrator to install the driver before
you log in again.
Error - 9/4/2010 2:43:41 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver HP Color LaserJet 3700 PCL 6 required for printer HP Color
LaserJet 3700 PCL 6 is unknown. Contact the administrator to install the driver
before you log in again.
Error - 9/4/2010 2:43:41 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver HP LaserJet 3050 Series PCL 6 required for printer HP LaserJet
3050 Series PCL 6 is unknown. Contact the administrator to install the driver before
you log in again.
Error - 9/4/2010 2:43:42 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver HP LaserJet 3050_3055_3390_3392 Fax required for printer HP
LaserJet 3050_3055_3390_3392 Fax is unknown. Contact the administrator to install
the driver before you log in again.
Error - 9/4/2010 2:43:42 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver PDF Complete Converter required for printer PDF Complete is
unknown. Contact the administrator to install the driver before you log in again.
Error - 9/4/2010 2:43:42 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver PDF995 Printer Driver required for printer PDF995 is unknown.
Contact the administrator to install the driver before you log in again.
Error - 9/4/2010 3:20:20 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver OKI C5200n required for printer OKI C5200n is unknown. Contact
the administrator to install the driver before you log in again.
Error - 9/4/2010 3:20:20 PM | Computer Name = EBI-TERMSERV1 | Source = TermServDevices | ID = 1111
Description = Driver Send To Microsoft OneNote Driver required for printer An OneNote
2007 senden is unknown. Contact the administrator to install the driver before
you log in again.
Error - 9/4/2010 3:31:12 PM | Computer Name = EBI-TERMSERV1 | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

< End of report >

---------------------------
ARK.TXT
-------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-04 14:50:22
Windows 5.2.3790 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.EBI\LOCALS~1\Temp\awrcyaod.sys

---- System - GMER 1.0.15 ----

INT 0x51 ? 93760A3C
INT 0x52 ? 93AFCA3C
INT 0x53 ? 93AD1A3C
INT 0x63 ? 93B73A3C
INT 0x73 ? 93FD2A3C
INT 0x83 ? 94077A3C
INT 0x93 ? 93987A3C
INT 0xA2 ? 93762A3C
INT 0xA3 ? 93ACDA3C
INT 0xA4 ? 93B7EA3C
INT 0xB1 ? 9405AA3C
INT 0xB3 ? 93AFBA3C
INT 0xB4 ? 93CE4A3C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\HP Universal Printing PCL 6@DMC Files ???0????3389:TCP:*:Enabled:@xpsp2res.dll,-22009?ad??? ???????????????????0???0????,?????& ???????????????????i??AdapterNameClassis??? ???????l??????Lt???????????i???????s???????0???N?????????sm3??????????????C:\Program Files\AVG\AVG8\avgdiag.exe:*:Enabled:avgdiag.exe?????C:\Program Files\AVG\AVG8\avgdiagex.exe:*:Enabled:avgdiagex.exe??????$t??0??????????????????????????C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe??????0?<??Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.???????????????o?????rte???????????.?????r t???6?6s????????????#?????r?(???0??? ???????$?????0???????????????????????????????????????*?<??? ???????r?????.cf???0??C:\ositraffic\OsiTraffic32.exe:*:Enabled:OsiTraffic32.exe????????0?????0?4??Inactive TS Port?PRN7????????????0???P??????? ???????0???????????????????????????????f?
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@DisplayName Server Task
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\dvvnwis\Parameters@ServiceDll C:\WINDOWS\system32\qooahsu.dll

---- EOF - GMER 1.0.15 ----


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
