Fred007

Members

View Profile See their activity

Posts
4
Joined
August 23, 2010
Last visited
August 30, 2010

Reputation

0 Neutral

I am sending out lots of Spam

Fred007 replied to Fred007's topic in Resolved Malware Removal Logs

Yes this is a small business. It is Microsoft Small Business Server 2003 We put the free version of malware on when we started having problems. We have since ordered the full version but have not updated the software yet because we did not want to alter any of the results. should we go ahead and finish the registration and rerun Malware? Thanks Fred
- August 26, 2010
- 6 replies
I am sending out lots of Spam

Fred007 replied to Fred007's topic in Resolved Malware Removal Logs

Thanks for the reply! First log OTL.txt as follows: OTL logfile created on: 8/26/2010 3:37:26 PM - Run 1 OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Administrator\Desktop Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController Internet Explorer (Version = 6.0.3790.3959) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 45.00% Memory free 8.00 Gb Paging File | 5.00 Gb Available in Paging File | 66.00% Paging File free Paging file location(s): c:\pagefile.sys 0 0 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 19.99 Gb Total Space | 7.22 Gb Free Space | 36.15% Space Free | Partition Type: NTFS Drive D: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS Drive E: | 48.00 Gb Total Space | 14.33 Gb Free Space | 29.86% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive R: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS Drive V: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS Computer Name: CLOWER-08 Current User Name: administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe PRC - [2010/06/22 08:48:23 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe PRC - [2010/06/22 08:48:18 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe PRC - [2010/06/22 08:48:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe PRC - [2010/06/22 08:48:12 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe PRC - [2010/06/22 08:48:10 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe PRC - [2010/06/22 08:48:09 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe PRC - [2009/08/06 21:43:46 | 000,034,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Update Services\service\bin\wsusservice.exe PRC - [2009/05/28 12:14:55 | 000,157,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe PRC - [2009/02/16 06:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe PRC - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe PRC - [2008/12/16 20:39:30 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe PRC - [2008/11/25 23:59:27 | 005,266,432 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\store.exe PRC - [2008/11/25 22:43:19 | 003,598,848 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\emsmta.exe PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe PRC - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe PRC - [2007/04/23 11:53:45 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/04/23 11:53:45 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe PRC - [2007/04/23 11:53:45 | 000,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr PRC - [2007/04/23 11:53:45 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe PRC - [2007/04/23 11:53:45 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe PRC - [2007/04/23 11:53:45 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe PRC - [2007/04/23 11:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe PRC - [2007/04/23 11:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe PRC - [2007/04/23 11:53:45 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe PRC - [2007/04/23 11:53:45 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe PRC - [2007/04/23 11:53:45 | 000,027,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\davcdata.exe PRC - [2007/04/23 11:53:45 | 000,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe PRC - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe PRC - [2007/04/23 11:53:45 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe PRC - [2007/04/19 14:08:48 | 000,031,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\OWSTIMER.EXE PRC - [2006/10/23 00:48:20 | 000,040,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe PRC - [2006/04/07 15:40:48 | 000,061,526 | ---- | M] ( ) -- C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe PRC - [2006/02/15 12:48:00 | 000,176,128 | R--- | M] () -- C:\Program Files\RAID Web Console 2\MegaMonitor\Monitor.exe PRC - [2005/11/06 08:48:26 | 000,040,960 | ---- | M] () -- C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe PRC - [2005/08/25 21:10:14 | 008,920,064 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\mad.exe PRC - [2005/08/25 21:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- E:\exchange\bin\exmgmt.exe PRC - [2005/05/03 22:07:32 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe PRC - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE PRC - [2005/04/29 19:53:57 | 000,022,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Monitoring\wblogsvc.exe PRC - [2005/04/29 19:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe PRC - [2005/01/15 10:12:56 | 000,045,163 | ---- | M] () -- C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe PRC - [2003/09/28 16:16:12 | 000,237,568 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe ========== Modules (SafeList) ========== MOD - [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe MOD - [2007/04/23 11:53:45 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx MOD - [2007/04/23 11:53:45 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll MOD - [2007/02/17 01:04:16 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Auto | Stopped] -- -- (WinHttpAutoProxySvc) SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ) SRV - [2010/06/22 08:48:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd) SRV - [2009/08/06 21:43:46 | 000,034,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Update Services\Service\bin\WsusService.exe -- (WsusService) SRV - [2009/08/06 21:35:52 | 000,066,984 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Update Services\Service\bin\WsusCertServer.exe -- (WSusCertServer) SRV - [2009/05/28 12:14:55 | 000,157,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS) Windows Internet Name Service (WINS) SRV - [2009/02/16 06:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS) SRV - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe -- (MSSQL$SBSMONITORING) SRV - [2008/12/16 20:39:30 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe -- (MSSQL$SHAREPOINT) SRV - [2008/12/16 17:51:14 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE -- (SQLAgent$SHAREPOINT) SRV - [2008/11/25 23:59:27 | 005,266,432 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\store.exe -- (MSExchangeIS) SRV - [2008/11/25 22:43:19 | 003,598,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\emsmta.exe -- (MSExchangeMTA) SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter) SRV - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe -- (MSSQL$MICROSOFT##SSEE) Windows Internal Database (MICROSOFT##SSEE) SRV - [2007/09/07 13:12:20 | 000,038,424 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\PDS.EXE -- (Intel PDS) SRV - [2007/09/07 13:12:20 | 000,030,232 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\CBA\XFR.EXE -- (Intel File Transfer) SRV - [2007/09/07 13:12:16 | 000,058,912 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\IAO.EXE -- (Intel Alert Originator) SRV - [2007/09/07 13:12:16 | 000,038,440 | ---- | M] (LANDesk Software Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler) SRV - [2007/04/23 11:53:45 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs) SRV - [2007/04/23 11:53:45 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC) SRV - [2007/04/23 11:53:45 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs) SRV - [2007/04/23 11:53:45 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService) SRV - [2007/04/23 11:53:45 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis) SRV - [2007/04/23 11:53:45 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH) SRV - [2007/04/23 11:53:45 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv) SRV - [2007/04/23 11:53:45 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr) SRV - [2007/04/23 11:53:45 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ) SRV - [2007/04/23 11:53:45 | 000,037,888 | ---- | M] (Microsoft Corporation) [unknown | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore) SRV - [2007/04/23 11:53:45 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (DHCPServer) SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP) SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc) SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc) SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc) Network News Transfer Protocol (NNTP) SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc) SRV - [2007/04/23 11:53:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN) SRV - [2007/04/23 11:53:45 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr) SRV - [2007/04/19 14:08:48 | 000,031,584 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE -- (SPTimer) SRV - [2006/02/15 12:48:00 | 000,176,128 | R--- | M] () [Auto | Running] -- C:\Program Files\RAID Web Console 2\MegaMonitor\Monitor.exe -- (MegaMonitorSrv) SRV - [2005/11/06 08:48:26 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe -- (MSMFramework) SRV - [2005/08/25 21:10:14 | 008,920,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\mad.exe -- (MSExchangeSA) SRV - [2005/08/25 21:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\exchange\bin\exmgmt.exe -- (MSExchangeMGMT) SRV - [2005/08/25 20:29:52 | 000,339,456 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- E:\exchange\bin\srsmain.exe -- (MSExchangeSRS) SRV - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE -- (SQLAgent$SBSMONITORING) SRV - [2005/04/29 19:53:57 | 000,022,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows Small Business Server\Monitoring\wblogsvc.exe -- (WBLOGSVC) SRV - [2005/04/29 19:53:18 | 000,033,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector) SRV - [2003/09/28 16:16:12 | 000,237,568 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\DigitalPersona\Bin\DpHost.exe -- (DpHost) SRV - [2003/06/03 02:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- E:\exchange\bin\events.exe -- (MSExchangeES) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp) DRV - [2010/06/22 08:48:12 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86) DRV - [2010/06/01 08:02:37 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86) DRV - [2010/04/28 10:45:31 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86) DRV - [2008/05/06 10:06:59 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TOUCHDSP.sys -- (TOUCHDSP) DRV - [2008/05/06 10:06:59 | 000,020,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TouchSta.SYS -- (TOUCHSTA) DRV - [2007/04/23 11:53:45 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS) DRV - [2007/04/23 11:53:45 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk) DRV - [2007/04/23 11:53:45 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver) DRV - [2007/02/17 03:07:16 | 000,029,184 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra) DRV - [2007/02/17 03:04:28 | 000,028,160 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx) DRV - [2007/02/17 03:04:28 | 000,026,624 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3) DRV - [2007/02/17 03:04:28 | 000,024,064 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi) DRV - [2007/02/17 02:34:06 | 000,024,064 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x) DRV - [2007/02/17 01:51:06 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dpti2o.sys -- (dpti2o) DRV - [2007/02/17 01:31:22 | 000,009,216 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde) DRV - [2007/02/16 22:55:58 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C) DRV - [2007/01/29 14:37:12 | 000,047,104 | ---- | M] (DigitalPersona, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbdpfp.sys -- (usbdpfp) DRV - [2007/01/29 14:37:12 | 000,046,592 | ---- | M] (DigitalPersona, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dpK00701.sys -- (dpK00701) DRV - [2006/04/05 22:03:54 | 001,431,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2006/04/03 08:51:06 | 000,199,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel® DRV - [2006/02/17 12:42:32 | 000,018,432 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MSAS2K3.SYS -- (msas2k3) DRV - [2006/02/17 12:42:32 | 000,017,280 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MEGASAS.SYS -- (megasas) DRV - [2005/08/25 19:29:06 | 000,196,192 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS) DRV - [2003/03/24 22:13:08 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810) DRV - [2003/03/24 22:05:14 | 000,048,640 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160) DRV - [2003/03/24 22:05:14 | 000,041,472 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080) DRV - [2003/03/24 22:05:12 | 000,050,688 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280) DRV - [2003/03/24 22:05:08 | 000,054,272 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k) DRV - [2003/03/24 22:05:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cpqarray.sys -- (Cpqarray) DRV - [2003/03/24 22:04:50 | 000,007,168 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://companyweb IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-96185218-4171969023-2960831864-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = clower-08:80 O1 HOSTS File: ([2007/04/23 11:53:45 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [DWPersistentQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation) O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe (SurfRight B.V.) O4 - HKLM..\Run: [patches] File not found O4 - HKLM..\Run: [Popup] C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe ( ) O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\AIXV5\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe () O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\frednusbaum\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\gaines\Start Menu\Programs\Startup\Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1 O7 - HKU\S-1-5-21-96185218-4171969023-2960831864-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1 O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ClowerElectric.local O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found O24 - Desktop WallPaper: C:\WINDOWS\nexlinkrev2.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\nexlinkrev2.bmp O27 - HKLM IFEO\sethc.exe: Debugger - c:\windows\system32\Microsoft\Protect\PINTLPRH.exe () O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2007/10/02 13:37:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{f7c5e005-0ce4-11dd-9737-00151755bf05}\Shell - "" = AutoRun O33 - MountPoints2\{f7c5e005-0ce4-11dd-9737-00151755bf05}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{f7c5e005-0ce4-11dd-9737-00151755bf05}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found NetSvcs: Ias - File not found NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation) NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.) Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.) SystemRestore not available. ========== Files/Folders - Created Within 90 Days ========== [2010/08/26 15:35:52 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe [2010/08/24 16:52:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro [2010/08/23 16:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\mbam-other [2010/08/20 12:46:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\TCPView [2010/08/18 22:31:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes [2010/08/18 22:30:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/08/18 22:30:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/08/18 22:30:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/08/18 22:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2010/08/18 22:30:12 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe [2010/08/18 17:23:33 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe [2010/08/18 14:15:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro [2010/08/18 14:15:16 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5 [2010/08/18 12:56:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump [2010/07/10 07:50:37 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy [2010/06/22 08:48:17 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll [2010/06/02 07:26:17 | 000,000,000 | -H-D | C] -- C:\$AVG [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 90 Days ========== [2010/08/26 15:39:00 | 000,000,662 | ---- | M] () -- C:\WINDOWS\tasks\Update Services synchronization task.job [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe [2010/08/26 15:35:42 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys [2010/08/26 15:23:38 | 000,029,520 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa [2010/08/26 14:54:53 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job [2010/08/26 14:54:01 | 000,000,628 | ---- | M] () -- C:\WINDOWS\tasks\Update Services auto approval task.job [2010/08/26 12:17:19 | 002,621,440 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT [2010/08/26 12:17:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini [2010/08/26 12:15:26 | 000,004,542 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf [2010/08/26 12:12:59 | 000,000,435 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics [2010/08/26 12:12:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/08/26 12:11:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/08/26 12:08:27 | 003,761,508 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db [2010/08/26 12:00:05 | 000,000,764 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{c2f76b41-06fe-11dd-ad35-806e6f6e6963}.job [2010/08/26 08:54:00 | 000,000,820 | ---- | M] () -- C:\WINDOWS\tasks\Update Services configuration task.job [2010/08/26 06:14:17 | 063,903,826 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2010/08/26 04:54:10 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job [2010/08/24 16:52:06 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk [2010/08/23 17:31:33 | 430,403,584 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP [2010/08/23 16:57:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable [2010/08/23 07:31:15 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/08/18 22:30:50 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/08/18 22:30:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe [2010/08/18 17:23:33 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe [2010/08/18 14:15:18 | 000,001,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk [2010/08/16 14:42:47 | 001,406,224 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/08/16 14:42:47 | 001,067,636 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/08/16 14:42:47 | 000,303,638 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/08/16 12:44:15 | 000,103,032 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/08/16 11:59:29 | 000,004,861 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/07/28 10:52:17 | 000,030,208 | ---- | M] () -- \\CLOWER-08\Users\administrator\My Documents\Barnabas Ministry - Morrison.doc [2010/06/22 08:48:17 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll [2010/06/22 08:48:12 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys [2010/06/16 08:36:53 | 000,025,088 | ---- | M] () -- \\CLOWER-08\Users\administrator\My Documents\Life with my Wife.doc [2010/06/01 08:02:37 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/08/24 16:52:06 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk [2010/08/23 16:57:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable [2010/08/18 22:30:50 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/08/18 14:15:31 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys [2010/08/18 14:15:18 | 000,001,684 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk [2010/07/28 10:52:13 | 000,030,208 | ---- | C] () -- \\CLOWER-08\Users\administrator\My Documents\Barnabas Ministry - Morrison.doc [2010/07/10 07:50:30 | 000,041,732 | ---- | C] () -- C:\WINDOWS\System32\c.msc [2010/07/10 07:50:30 | 000,034,885 | ---- | C] () -- C:\WINDOWS\System32\t.msc [2009/11/10 15:48:49 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/10/16 03:32:19 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI [2008/07/25 12:10:12 | 000,020,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\TouchSta.SYS [2008/06/12 16:06:09 | 000,000,162 | -H-- | C] () -- C:\Program Files\Common Files\client.lcs [2008/05/06 10:32:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2008/04/26 08:53:57 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat [2008/04/25 23:57:33 | 000,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini [2008/04/23 06:51:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI [2008/04/17 17:42:16 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat [2008/04/17 17:26:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2008/04/17 17:19:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini [2008/04/17 17:18:45 | 000,017,579 | ---- | C] () -- C:\WINDOWS\System32\nntpctrs.ini [2008/04/17 17:11:42 | 000,002,360 | ---- | C] () -- C:\WINDOWS\System32\dhcpctrs.ini [2007/10/02 15:11:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2007/10/02 13:34:05 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini [2007/10/02 13:34:05 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini [2007/10/02 13:34:02 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini [2007/10/02 13:34:01 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini [2007/10/02 13:34:01 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini [2007/10/02 13:25:49 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini [2007/10/02 13:25:46 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini [2007/10/02 13:25:46 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini [2007/10/02 13:25:46 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini [2007/10/02 13:25:41 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini [2007/10/02 13:25:40 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini [2005/08/26 15:36:48 | 000,880,640 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll [2005/08/26 15:36:48 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI ========== LOP Check ========== [2010/04/07 16:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Tific [2010/08/19 16:31:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9 [2010/08/18 17:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro [2010/06/01 08:01:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gaines\Application Data\AVG9 [2010/04/22 16:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gaines\Application Data\Tific [2010/08/26 15:45:00 | 000,000,496 | ---- | M] () -- C:\WINDOWS\Tasks\Collect Server Performance Data.job [2010/08/26 04:54:10 | 000,000,470 | ---- | M] () -- C:\WINDOWS\Tasks\Collect Usage Data.job [2010/04/07 13:44:46 | 000,000,234 | ---- | M] () -- C:\WINDOWS\Tasks\rb-Default.job [2009/08/03 16:19:15 | 000,000,232 | ---- | M] () -- C:\WINDOWS\Tasks\rb-Weekly.job [2010/08/26 13:09:00 | 000,032,526 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt [2010/08/26 12:00:05 | 000,000,764 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{c2f76b41-06fe-11dd-ad35-806e6f6e6963}.job [2010/08/26 14:54:01 | 000,000,628 | ---- | M] () -- C:\WINDOWS\Tasks\Update Services auto approval task.job [2010/08/26 08:54:00 | 000,000,820 | ---- | M] () -- C:\WINDOWS\Tasks\Update Services configuration task.job [2010/08/26 15:44:00 | 000,000,662 | ---- | M] () -- C:\WINDOWS\Tasks\Update Services synchronization task.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2007/10/02 13:37:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT [2009/08/13 08:26:56 | 000,000,223 | RHS- | M] () -- C:\boot.ini [2007/10/02 13:37:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2007/10/02 13:37:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2007/10/02 13:37:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2007/04/23 11:53:45 | 000,047,772 | RHS- | M] () -- C:\NTDETECT.COM [2007/04/23 11:53:45 | 000,297,072 | RHS- | M] () -- C:\ntldr [2009/08/02 10:04:58 | 000,262,144 | ---- | M] () -- C:\ntuser.dat [2009/08/02 10:04:58 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG [2010/08/26 12:11:56 | 4288,438,272 | -HS- | M] () -- C:\pagefile.sys [2010/08/26 15:34:43 | 000,081,318 | ---- | M] () -- C:\popuplog.log < %systemroot%\Fonts\*.com > [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont < %systemroot%\Fonts\*.dll > < %systemroot%\Fonts\*.ini > [2007/10/02 13:37:16 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini < %systemroot%\Fonts\*.ini2 > < %systemroot%\Fonts\*.exe > < %systemroot%\system32\spool\prtprocs\w32x86\*.* > [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe [2007/04/23 11:53:45 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\sfmpsprt.dll < %systemroot%\REPAIR\*.bak1 > < %systemroot%\REPAIR\*.ini > < %systemroot%\system32\*.jpg > < %systemroot%\*.jpg > < %systemroot%\*.png > < %systemroot%\*.scr > < %systemroot%\*._sy > < %APPDATA%\Adobe\Update\*.* > < %ALLUSERSPROFILE%\Favorites\*.* > < %APPDATA%\Microsoft\*.* > < %PROGRAMFILES%\*.* > < %APPDATA%\Update\*.* > < %systemroot%\*. /mp /s > < %systemroot%\System32\config\*.sav > [2007/10/02 06:28:53 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav [2007/10/02 06:28:53 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav [2007/10/02 06:28:53 | 000,495,616 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav < %PROGRAMFILES%\bak. /s > < %systemroot%\system32\bak. /s > < %ALLUSERSPROFILE%\Start Menu\*.lnk /x > [2007/10/02 13:37:56 | 000,000,214 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini < %systemroot%\system32\config\systemprofile\*.dat /x > [2007/10/02 06:32:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Sti_Trace.log < %systemroot%\*.config > < %systemroot%\system32\*.db > < %PROGRAMFILES%\Internet Explorer\*.dat > < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x > [2008/04/10 14:33:06 | 000,000,117 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini [2007/10/02 13:42:16 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf < %USERPROFILE%\Desktop\*.exe > [2008/06/12 16:04:42 | 025,650,405 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gaines-setup-setup.exe [2010/03/12 11:03:00 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe [2010/03/12 11:02:00 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThisInstaller.exe [2010/08/18 22:30:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe [2008/04/08 11:12:18 | 000,181,763 | ---- | M] (UltraVnc) -- C:\Documents and Settings\Administrator\Desktop\NEISupport.exe [2010/08/26 15:35:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe < %PROGRAMFILES%\Common Files\*.* > [2008/06/12 16:06:09 | 000,000,162 | -H-- | M] () -- C:\Program Files\Common Files\client.lcs < %systemroot%\*.src > < %systemroot%\install\*.* > < %systemroot%\system32\DLL\*.* > < %systemroot%\system32\HelpFiles\*.* > < %systemroot%\system32\rundll\*.* > < %systemroot%\winn32\*.* > < %systemroot%\Java\*.* > < %systemroot%\system32\test\*.* > < %systemroot%\system32\Rundll32\*.* > < %systemroot%\AppPatch\Custom\*.* > [2007/04/23 11:53:45 | 000,001,542 | ---- | M] () -- C:\WINDOWS\AppPatch\Custom\{425516c2-f76f-4a49-b8eb-83fc24f40599}.sdb < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x > < %PROGRAMFILES%\PC-Doctor\Downloads\*.* > < %PROGRAMFILES%\Internet Explorer\*.tmp > < %PROGRAMFILES%\Internet Explorer\*.dat > < %USERPROFILE%\My Documents\*.exe > < %USERPROFILE%\*.exe > < %PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5 > < %PROGRAMFILES%\Internet Explorer\iexplore.exe /md5 > [2007/04/23 11:53:45 | 000,094,208 | ---- | M] (Microsoft Corporation) MD5=E3ECE6202C2C667C45D06DBB4DEBD8E9 -- C:\Program Files\Internet Explorer\IEXPLORE.EXE < %systemroot%\ADDINS\*.* > [2007/04/23 11:53:45 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf < %systemroot%\assembly\*.bak2 > < %systemroot%\Config\*.* > < %systemroot%\REPAIR\*.bak2 > < %systemroot%\SECURITY\Database\*.sdb /x > < %systemroot%\SYSTEM\*.bak2 > < %systemroot%\Web\*.bak2 > < %systemroot%\Driver Cache\*.* > < %PROGRAMFILES%\Mozilla Firefox\0*.exe > < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > "NoAutoUpdate" = 0 "AUOptions" = 3 "RescheduleWaitTimeEnabled" = 1 "RescheduleWaitTime" = 1 "RebootWarningTimeoutEnabled" = 1 "RebootWarningTimeout" = 5 "RebootRelaunchTimeoutEnabled" = 1 "RebootRelaunchTimeout" = 10 "DetectionFrequencyEnabled" = 1 "DetectionFrequency" = 1 "AutoInstallMinorUpdates" = 1 "UseWUServer" = 1 "NoAutoRebootWithLoggedOnUsers" = 0 < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-04-15 08:13:27 < ipconfig /all > Invalid Switch: all < nslookup google.com > < nslookup yahoo.com > < ping -n 2 google.com > < ping -n 2 yahoo.com > < route print > < End of report > Second log Extra's as follows: OTL Extras logfile created on: 8/26/2010 3:37:26 PM - Run 1 OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Administrator\Desktop Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController Internet Explorer (Version = 6.0.3790.3959) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 45.00% Memory free 8.00 Gb Paging File | 5.00 Gb Available in Paging File | 66.00% Paging File free Paging file location(s): c:\pagefile.sys 0 0 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 19.99 Gb Total Space | 7.22 Gb Free Space | 36.15% Space Free | Partition Type: NTFS Drive D: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS Drive E: | 48.00 Gb Total Space | 14.33 Gb Free Space | 29.86% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive R: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS Drive V: | 271.94 Gb Total Space | 218.22 Gb Free Space | 80.24% Space Free | Partition Type: NTFS Computer Name: CLOWER-08 Current User Name: administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusOverride" = 0 "FirewallOverride" = 0 "UpdatesDisableNotify" = 0 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UacDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe" = C:\Program Files\RAID Web Console 2\MegaPopup\popup.exe:*:Enabled:popup -- ( ) "C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe" = C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe:*:Enabled:javaw -- () "C:\Program Files\Common Files\IMPMIG.EXE" = C:\Program Files\Common Files\IMPMIG.EXE:*:Enabled:IMPMIG -- File not found "C:\Program Files\Common Files\AcroIEHelper.exe" = C:\Program Files\Common Files\AcroIEHelper.exe:*:Enabled:AcroIEHelper -- File not found ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{05DEE64C-B63B-495A-B36C-4277663FAAA0}" = Windows Small Business Server ActiveSync "{108BE742-0564-4734-AE54-74F81263FB04}" = Windows Small Business Server Licensing "{2C0D7E35-EE6E-4DC7-BA13-2C68AEDEB59D}" = Windows Server Update Services 3.0 SP2 "{396B1960-EB6D-48F5-AA7B-377921A1A33D}" = RAID Web Console 2 v1.13-02 "{3CE06D54-72B1-44B2-AB60-E4277EC80EF4}" = Microsoft XML Parser "{3CF8BDBC-DA0F-45FA-A4B9-3A31CCE774E9}" = Windows Small Business Server Backup "{53BE2241-531B-49FB-B03D-06C377179548}" = Windows Small Business Server IE Client App "{5546F70C-0437-44EE-A923-7C23E6EFF689}" = Windows Small Business Server Monitoring "{65657C59-23A8-4974-B8E0-BA04EBD04E4F}" = Microsoft SQL Server Desktop Engine (SHAREPOINT) "{671E4E4D-4798-4F66-9C9E-C5762E73179E}" = Microsoft XML Parser "{7FB55E52-C72D-4165-85D0-383ED3D7253F}" = Windows Small Business Server Client Setup "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{8952E993-139E-4E71-881F-DD40E4DB8F81}" = Windows Small Business Server Admin "{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003 "{91140409-7000-11D3-8CFE-0150048383C9}" = Microsoft Windows SharePoint Services 2.0 "{91710409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting "{9189BADC-23A7-487D-B206-AD3A89A4F45D}" = Windows Small Business Server Fax "{91B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting "{977605C6-4F60-426A-AC11-D27404B3866C}" = Default "{A2B40ABC-025A-4389-8148-86CED357B259}" = Microsoft Connector for POP3 Mailboxes "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A34AC564-B4A3-4D45-B969-403BC39F0E6A}" = Microsoft .NET Framework 1.1 -- Device Update 4.0 "{A5E98C65-585A-45AB-BFC3-8555305B9929}" = Windows Small Business Server Documents "{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8 "{B58E39B9-12E2-4E9B-A01B-9B896C6A52A8}" = Windows Small Business Server Connectivity "{B7300824-E68F-45F1-BAC1-5F15636C346F}" = Microsoft SQL Server Desktop Engine (SBSMonitoring) "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C293E1D0-8085-4830-B806-1BA0FEF9C4A4}" = Windows Small Business Server Client Experience "{C73E81BF-432C-44E2-831D-F46081CA6E28}" = Windows Small Business Server Remote Portal "{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}" = Microsoft Group Policy Management Console with SP1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB}" = Windows Internal Database (MICROSOFT##SSEE) "{CF2BCF99-1A5A-4F0A-923E-29B2E029E66C}" = DigitalPersona Gold Fingerprint Recognition Software 3.2.0 "{D846DDEE-EDF2-445F-96A4-175544202D32}" = Windows Small Business Server Fax Cfg "{E0AF53C1-C734-4D68-898E-B506CA921141}" = Windows Small Business Server Update Services "{E721BEC1-887A-4D26-BE10-7E0336B7CAC7}" = Windows Small Business Server Common "{F0674B40-D8C3-11D3-8C61-00104B1F6CF0}" = Remote Backup 2007 "18BB9B0552BA675902E31409A34F929D9C9AD56C" = Windows Driver Package - Intel (e1express) Net (04/03/2006 9.3.39.0) "2186E77AD6E7C7071CED9BFA90127C3C088F9CAB" = Windows Driver Package - ESG-SHV System (09/19/2006 5.00.6262.1) "5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA" = Windows Small Business Server 2003 "60E32FC9593A7CBEACF68913FA836F324BF623F1" = Windows Driver Package - Intel System (01/19/2006 1.2.43.0) "80087CDF19A4CE2FBB535E7DC99A0E50FFA25589" = Windows Driver Package - Intel (E1000) Net (01/06/2006 8.6.17.0) "ActiveTouchMeetingClient" = WebEx "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "AF2644056DAD431E530AF5FE0505FFD67426CA81" = Windows Driver Package - ESG-SHV System (02/24/2006 5.00.6055.2) "ATI Display Driver" = ATI Display Driver "AVG9Uninstall" = AVG 9.0 "HijackThis" = HijackThis 2.0.2 "HitmanPro35" = Hitman Pro 3.5 "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft Health Monitor 2.1" = Microsoft Health Monitor 2.1 "PROSet" = Intel® PRO Network Connections Drivers "Small Business Server 2003 R2" = Windows Small Business Server 2003 R2 "WIC" = Windows Imaging Component "Windows Internal Database" = Windows Internal Database "Windows Server Update Services 3.0 SP2" = Windows Server Update Services 3.0 SP2 ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 8/26/2010 4:44:15 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174 Description = A non-delivery report with a status code of 4.7.1 was generated for recipient rfc822;astelcolls@selco2000.com (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>). Error - 8/26/2010 4:44:19 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174 Description = A non-delivery report with a status code of 4.7.1 was generated for recipient rfc822;asteele.student@mountsaintvincent.edu (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>). Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162 Description = A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;astephenson@sfg1.net (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. For more information, click http://www.microsoft.com/contentredirect.asp. Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162 Description = A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;aster.9341.5066832@candygoat.com (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. For more information, click http://www.microsoft.com/contentredirect.asp. Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162 Description = A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;aster.9838.3206873@candygoat.com (Message-ID <CLOWER-08WwAJIlZ5cN00002359@clowerelectric.com>). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. For more information, click http://www.microsoft.com/contentredirect.asp. Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162 Description = A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;hostmaster@candygoat.com (Message-ID <CLOWER-08Xa69FuM2F000005965@clowerelectric.com>). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. For more information, click http://www.microsoft.com/contentredirect.asp. Error - 8/26/2010 4:44:23 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162 Description = A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;10005.959808@candygoat.com (Message-ID <CLOWER-08DjoYAPNXRP0000173a@clowerelectric.com>). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. For more information, click http://www.microsoft.com/contentredirect.asp. Error - 8/26/2010 4:44:41 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174 Description = A non-delivery report with a status code of 4.7.1 was generated for recipient rfc822;jetpilot@execpc.com (Message-ID <CLOWER-086PmiZWHHmT000056c8@clowerelectric.com>). Error - 8/26/2010 4:44:55 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265174 Description = A non-delivery report with a status code of 4.7.1 was generated for recipient rfc822;adpenner@iastate.edu (Message-ID <CLOWER-080Qp9jBQIjo000026e1@clowerelectric.com>). Error - 8/26/2010 4:46:36 PM | Computer Name = CLOWER-08 | Source = MSExchangeTransport | ID = 265162 Description = A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;gnto7m@sbprss.com (Message-ID <CLOWER-0819qW2CoKkH00005379@clowerelectric.com>). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. For more information, click http://www.microsoft.com/contentredirect.asp. [ DNS Server Events ] Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4015 Description = The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone _msdcs.ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 5/22/2010 8:05:45 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4015 Description = The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone _msdcs.ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone 1.168.192.in-addr.arpa. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. Error - 8/26/2010 1:08:44 PM | Computer Name = CLOWER-08 | Source = DNS | ID = 4004 Description = The DNS server was unable to complete directory service enumeration of zone ClowerElectric.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. [ File Replication Service Events ] Error - 8/20/2010 4:23:15 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/21/2010 7:31:18 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/21/2010 10:38:17 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/23/2010 8:31:48 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/23/2010 4:15:16 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/23/2010 6:33:10 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/24/2010 8:48:25 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/24/2010 11:54:33 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/24/2010 6:22:30 PM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = Error - 8/25/2010 10:20:58 AM | Computer Name = CLOWER-08 | Source = NtFrs | ID = 13568 Description = [ System Events ] Error - 8/26/2010 11:56:49 AM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003 Description = The master browser has received a server announcement from the computer BILL2009 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-0069-45A2-. The master browser is stopping or an election is being forced. Error - 8/26/2010 12:56:54 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003 Description = The master browser has received a server announcement from the computer BILL2009 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-0069-45A2-. The master browser is stopping or an election is being forced. Error - 8/26/2010 1:13:11 PM | Computer Name = CLOWER-08 | Source = ipnathlp | ID = 39484681 Description = The Windows Firewall/Internet Connection Sharing (ICS) service could not start because another program or service is running that might use the network address translation component (Ipnat.sys). This can occur when Routing and Remote Access is enabled. If this is the case, you must disable Routing and Remote Access before the Windows Firewall/Internet Connection Sharing (ICS) service can start. Error - 8/26/2010 1:13:21 PM | Computer Name = CLOWER-08 | Source = Service Control Manager | ID = 7009 Description = Timeout (30000 milliseconds) waiting for the Intel PDS service to connect. Error - 8/26/2010 1:13:21 PM | Computer Name = CLOWER-08 | Source = Service Control Manager | ID = 7023 Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: %%170 Error - 8/26/2010 1:22:45 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003 Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced. Error - 8/26/2010 2:22:51 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003 Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced. Error - 8/26/2010 3:22:59 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003 Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced. Error - 8/26/2010 4:23:01 PM | Computer Name = CLOWER-08 | Source = MRxSmb | ID = 8003 Description = The master browser has received a server announcement from the computer YOUR-98FBDD8ADB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{08FA3B5C-006. The master browser is stopping or an election is being forced. Error - 8/26/2010 4:34:43 PM | Computer Name = CLOWER-08 | Source = TermServDevices | ID = 1111 Description = Driver HP Photosmart C4600 series required for printer !!JO-PC!HP Photosmart C4600 series is unknown. Contact the administrator to install the driver before you log in again. < End of report > Hope this helps. Fred
- August 26, 2010
- 6 replies
I am sending out lots of Spam

Fred007 posted a topic in Resolved Malware Removal Logs

After running Malwarebytes I got the following log: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4451 Windows 5.2.3790 Service Pack 2 Internet Explorer 6.0.3790.3959 8/23/2010 6:12:48 AM mbam-log-2010-08-23 (06-12-48).txt Scan type: Quick scan Objects scanned: 183235 Time elapsed: 5 minute(s), 15 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) After reboot and rerunning Malware I get the same results. I did the following: I ran defogger and log is attached. I ran dds.scr but it failed said it was not compatible with my OS (Small business server 2003) I ran GMER and the log is attached. Any help would be great. attach.zip
- August 24, 2010
- 6 replies
Malware not cleaning registery Keys

Fred007 posted a topic in Malwarebytes for Windows Support Forum

After running Malwarebytes I got the following log: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4451 Windows 5.2.3790 Service Pack 2 Internet Explorer 6.0.3790.3959 8/23/2010 6:12:48 AM mbam-log-2010-08-23 (06-12-48).txt Scan type: Quick scan Objects scanned: 183235 Time elapsed: 5 minute(s), 15 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) After reboot and rerunning Malware I get the same results. Any suggestions? Thanks Fred
- August 23, 2010
- 1 reply

Sign In

Fred007

Posts

Joined

Last visited

Reputation

I am sending out lots of Spam

I am sending out lots of Spam

I am sending out lots of Spam

Malware not cleaning registery Keys

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information