[Closed] Infostealer on Server 2003
HubiK
post Aug 5 2009, 10:32 AM
Post #1
New Member
Group: New Member
Posts: 3
Joined: 5-August 09
Member No.: 87,158
Operating System: Windows Server 2003

Hi

I have got an infection on a Windows Server 2003 box, described in: http://www.threatexpert.com/report.aspx?md...5f6550829fe01c7

I have followed the remediation steps described in: http://forums.whatthetech.com/Internet_add...ck_t103090.html
(as the attached logs had the same entry for magks32.dll after I ran HijackThis on my machine)

However, it did not work. I am guessing it's because of the different OS, e.g. ComboFix could not be installed on Windows Server 2003.

Have you had a case of that particular infostealer running on Server 2003 which you were able to remove?

Thank you for all help in advance.

HubiK
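A small triage script for the indicators this thread turns on: a HijackThis BHO entry with a random-looking DLL name like magks32.dll, the O10 broken-LSP entry, system paths that sit under a user profile, and the Drivers32 key that DaonolFix dumps. This is an added example, not code from the thread, HijackThis or DaonolFix; the heuristics are my own assumptions, the benign sample lines are copied from the logs posted later in the thread, and the "aux" Drivers32 line is constructed to show the hijack pattern.

```python
"""Triage helpers for HijackThis output and a DaonolFix-style Drivers32 dump.

Added example (not from the thread, HijackThis or DaonolFix). The rules are
assumed heuristics: they mark entries for a human to verify, not verdicts.
"""
import re

# Directories from which Windows normally loads the files named in Drivers32.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system")

# Entry lines look like "O2 - BHO: ..."; process lines are bare absolute paths.
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PROC_LINE = re.compile(r"^[a-z]:\\", re.I)
# A "\windows\system32\" that sits below a user profile instead of %SystemRoot%.
PROFILE_SYSDIR = re.compile(r"\\documents and settings\\[^\\]+\\windows\\system32\\", re.I)

# Constructed sample: lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
C:\Documents and Settings\Administrator.WinServ2k3Box\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MS extension - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - xagkf32.dll (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.WinServ2k3Box\windows\system32\mswsock.dll' missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Constructed sample in DaonolFix's Drivers32 format. The first three values are
# from the thread's log; the "aux" value is constructed to show the hijack
# pattern (a driver value pointing at a DLL outside the system directory).
DRIVERS32_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"wavemapper"="msacm32.drv"
"aux"="C:\Documents and Settings\Administrator\Local Settings\Temp\magks32.dll"
"""


def parse_hjt(text):
    """Return (section, body) pairs; running-process lines get section 'PRC'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
        elif PROC_LINE.match(line):
            entries.append(("PRC", line))
    return entries


def triage_hjt(text):
    """Return (section, reason, body) for entries that deserve a closer look."""
    findings = []
    for sec, body in parse_hjt(text):
        low = body.lower()
        if sec in ("O2", "O20", "O23") and "(file missing)" in low:
            # A registered component whose file is gone: often the leftover of
            # a partial clean-up, and the name itself is worth checking.
            findings.append((sec, "registered component, file missing", body))
        elif sec == "O10":
            findings.append((sec, "broken Winsock LSP chain", body))
        elif PROFILE_SYSDIR.search(low):
            # Can also be a display quirk of the tool; confirm on disk before
            # acting on it.
            findings.append((sec, "system path below a user profile", body))
    return findings


def parse_drivers32(text):
    """Parse the "name"="value" lines of a Drivers32 dump into a dict."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_drivers32(values):
    """Flag Drivers32 values that name an explicit path outside SYSTEM_DIRS.

    Bare file names (midimap.dll) are resolved from the system directory by the
    loader and are left alone; only values carrying a directory are judged.
    """
    return {name: val for name, val in values.items()
            if "\\" in val and not val.lower().startswith(SYSTEM_DIRS)}


if __name__ == "__main__":
    for sec, reason, body in triage_hjt(HJT_SAMPLE):
        print(f"[{sec}] {reason}: {body}")
    for name, val in check_drivers32(parse_drivers32(DRIVERS32_SAMPLE)).items():
        print(f"[Drivers32] {name} -> {val}")
```

On the sample input it flags the smss.exe process path, the xagkf32.dll BHO and the O10 entry, and only the constructed "aux" value in Drivers32; the benign full path for msacm.l3acm is left alone.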
Tomk
post Aug 12 2009, 09:43 AM
Post #2
Forum God / Classroom Admin Assistant
Group: Classroom Teacher
Posts: 12,332
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp

Hi HubiK,


My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Though I don't know of a specific case with Windows Server 2003, I also know of no reason yet that we can't get you clean. Let's start with the basics:

What have you done so far, and what logs do you have that you can give me?
HubiK
post Aug 12 2009, 10:33 AM
Post #3
New Member
Group: New Member
Posts: 3
Joined: 5-August 09
Member No.: 87,158
Operating System: Windows Server 2003

Hi Tom,

Thank you for picking up my post. I hope you can help me in resolving this issue.

As for what was done so far, well, I have followed the instructions in one of the other posts that had similar infections. Basically I did the below:
1. Install HJTInstall.exe
2. Run it but do nothing.
3. Install DaonolFix and run it.
4. Then I have looked through the logs and removed what looked suspicious to me.
5. Then I downloaded OTListIt2, which was used for the other post, but without using extra command lines.
6. Next I checked the boxes beside LOP Check and Purity Check and ran the tool.

Also, the below applications were installed and scans completed:
1. SUPERAntiSpywareFree Edition
2. Malwarebytes' Anti-Malware

Logs:

Hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:07:28, on 12/08/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.WinServ2k3Box\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\WINDOWS\system32\cpqriis.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe
C:\Program Files\OmniBack\bin\omniinet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://127.0.0.1:2381/
<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MS extension - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - xagkf32.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [CPQTEAM] C:\Program Files\HP\NCU\cpqteam.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [CA-AMAgent] "c:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-2455\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'hm26517')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-2639\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jm102238')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-31662\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'tl36415')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-31852\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jm100115')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-3316\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'pm15792')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-43435\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'KL102144')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-43469\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'nm102179')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-45157\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'hj101620')
O4 - HKUS\S-1-5-21-2109155881-1286560502-896338940-49374\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'sk103736')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.WinServ2k3Box\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1250068689086
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213086137323
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) - http://10.21.1.65:7777/forms/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP ProLiant Rack Infrastructure Interface Service (CpqRIIS) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqriis.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: HP WMI Storage Providers (HPWMISTOR) - Hewlett-Packard Company - C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Data Protector Inet (omniInet) - Hewlett-Packard - C:\Program Files\OmniBack\bin\omniinet.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

--
End of file - 10508 bytes


Here is the DaonolFix.exe log:
DaonolFix (15.04.09) by jpshortstuff
Log created at 17:09 on 12/08/2009 by Administrator
Running from E:\trojan\DaonolFix.exe

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.I420"="msh263.drv"
"vidc.iyuv"="iyuv_32.dll"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"

-=Daonol Files=-
(none found)

-=End Of File=-

OTL log:
OTL logfile created on: 12/08/2009 17:18:47 - Run 3
OTL by OldTimer - Version 3.0.7.1 Folder = E:\trojan
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 87.12% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): d:\pagefile.sys 9216 9216 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.99 Gb Total Space | 9.60 Gb Free Space | 60.05% Space Free | Partition Type: NTFS
Drive D: | 16.00 Gb Total Space | 6.94 Gb Free Space | 43.36% Space Free | Partition Type: NTFS
Drive E: | 35.82 Gb Total Space | 34.95 Gb Free Space | 97.57% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WinServ2k3Box
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/02/27 15:20:26 | 05,349,452 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\AClient\AClient.exe
PRC - [2008/01/11 20:11:28 | 00,010,240 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\cpqrcmc.exe
PRC - [2007/06/01 22:18:44 | 00,009,728 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\cpqriis.exe
PRC - [2008/01/17 23:27:10 | 00,638,976 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
PRC - [2007/11/09 23:01:48 | 00,019,456 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe
PRC - [2008/01/28 15:45:04 | 00,788,408 | ---- | M] (Hewlett-Packard) -- C:\Program Files\OmniBack\bin\omniinet.exe
PRC - [2007/02/17 05:00:02 | 00,040,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe
PRC - [2007/11/28 23:17:08 | 01,417,282 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\bin\smhstart.exe
PRC - [2005/04/19 12:31:04 | 00,136,704 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\UMCSTUB.EXE
PRC - [2006/02/09 02:50:00 | 00,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\CcmExec.exe
PRC - [2008/01/31 21:35:02 | 00,007,680 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CPQNiMgt\cpqnimgt.exe
PRC - [2008/01/11 20:12:14 | 00,004,608 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CpqMgmt\cqmgserv\cqmgserv.exe
PRC - [2008/03/07 15:53:02 | 00,019,456 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CpqMgmt\cqmgstor\cqmgstor.exe
PRC - [2006/11/11 05:34:44 | 00,009,216 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\System32\sysdown.exe
PRC - [2008/01/22 19:55:34 | 00,005,120 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CpqMgmt\cqmghost\cqmghost.exe
PRC - [2007/02/17 05:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/02/17 05:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/02/17 05:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/02/17 05:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/02/04 17:34:12 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/02/04 17:34:12 | 01,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2009/02/04 17:34:12 | 02,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2009/07/28 10:53:12 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2001/10/10 23:59:26 | 00,270,336 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Atiptaxx.exe
PRC - [2008/02/04 21:48:00 | 00,069,632 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\NCU\cpqteam.exe
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2009/07/28 10:53:12 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2007/02/17 05:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2007/05/31 13:42:14 | 00,200,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2008/05/09 00:36:00 | 00,495,616 | ---- | M] (SAP AG, Walldorf) -- C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2007/05/31 13:42:14 | 00,200,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2007/05/31 13:42:14 | 00,200,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2008/05/09 00:36:00 | 00,495,616 | ---- | M] (SAP AG, Walldorf) -- C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
PRC - [2003/12/03 17:04:40 | 09,189,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
PRC - [2008/05/09 00:36:00 | 00,495,616 | ---- | M] (SAP AG, Walldorf) -- C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2007/05/31 13:42:14 | 00,200,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2007/05/31 13:42:14 | 00,200,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2007/02/17 03:58:36 | 01,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/07/29 01:28:30 | 00,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2009/02/04 17:34:12 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2009/02/04 17:34:12 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/11/04 16:50:58 | 00,076,288 | ---- | M] () -- c:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
PRC - [2007/05/31 13:42:14 | 00,200,032 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2003/12/03 17:04:40 | 09,189,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2006/03/22 13:00:00 | 00,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\scrnsave.scr
PRC - [2004/01/15 18:19:16 | 10,623,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
PRC - [2007/02/17 05:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/02/17 04:55:16 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
PRC - [2006/03/22 13:00:00 | 00,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\scrnsave.scr
PRC - [2007/02/17 04:41:36 | 00,068,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe
PRC - [2006/03/22 13:00:00 | 00,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\scrnsave.scr
PRC - [2007/05/11 03:06:38 | 00,341,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
PRC - [2007/02/17 04:31:48 | 00,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\logon.scr
PRC - [2009/07/15 09:11:15 | 00,513,536 | ---- | M] (OldTimer Tools) -- E:\trojan\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/02/27 15:20:26 | 05,349,452 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\AClient\AClient.exe -- (AClient [Auto | Running])
SRV - [2005/04/19 12:31:04 | 00,136,704 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\UMCSTUB.EXE -- (AmoAgent [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/02/09 02:50:00 | 00,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\CcmExec.exe -- (CcmExec [Auto | Running])
SRV - [2008/01/22 19:55:34 | 00,200,192 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CIMntfy\cimntfy.exe -- (CIMnotify [Disabled | Stopped])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/01/31 21:35:02 | 00,007,680 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CPQNiMgt\cpqnimgt.exe -- (CpqNicMgmt [Auto | Running])
SRV - [2008/01/11 20:11:28 | 00,010,240 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\cpqrcmc.exe -- (CpqRcmc [Auto | Running])
SRV - [2007/06/01 22:18:44 | 00,009,728 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\cpqriis.exe -- (CpqRIIS [Auto | Running])
SRV - [2008/01/17 23:27:10 | 00,638,976 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe -- (cpqvcagent [Auto | Running])
SRV - [2008/01/22 19:55:34 | 00,005,120 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CpqMgmt\cqmghost\cqmghost.exe -- (CqMgHost [Auto | Running])
SRV - [2008/01/11 20:12:14 | 00,004,608 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CpqMgmt\cqmgserv\cqmgserv.exe -- (CqMgServ [Auto | Running])
SRV - [2008/03/07 15:53:02 | 00,019,456 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\CpqMgmt\cqmgstor\cqmgstor.exe -- (CqMgStor [Auto | Running])
SRV - [2007/02/17 03:50:02 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Dfssvc.exe -- (Dfs [Disabled | Stopped])
SRV - [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2007/02/17 04:45:44 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/11/09 23:01:48 | 00,019,456 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe -- (HPWMISTOR [Auto | Running])
SRV - [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/02/17 04:20:52 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ismserv.exe -- (IsmServ [Disabled | Stopped])
SRV - [2007/02/18 01:30:26 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\llssrv.exe -- (LicenseService [Disabled | Stopped])
SRV - [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/02/17 04:41:50 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntfrs.exe -- (NtFrs [Disabled | Stopped])
SRV - [2008/01/28 15:45:04 | 00,788,408 | ---- | M] (Hewlett-Packard) -- C:\Program Files\OmniBack\bin\omniinet.exe -- (omniInet [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/05/11 19:15:50 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\hpzipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2007/02/17 04:55:56 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\RSoPProv.exe -- (RSoPProv [On_Demand | Stopped])
SRV - [2006/03/22 13:00:00 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sacsvr.dll -- (sacsvr [On_Demand | Running])
SRV - [2007/02/17 05:00:02 | 00,040,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2006/11/11 05:34:44 | 00,009,216 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\System32\sysdown.exe -- (sysdown [Auto | Running])
SRV - [2007/11/28 23:17:08 | 01,417,282 | ---- | M] (Hewlett-Packard Company) -- C:\hp\hpsmh\bin\smhstart.exe -- (SysMgmtHp [Auto | Running])
SRV - [2006/03/22 13:00:00 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\trksvr.dll -- (TrkSvr [Disabled | Stopped])
SRV - [2007/02/17 05:07:00 | 00,071,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tssdis.exe -- (Tssdis [Disabled | Stopped])
SRV - [2007/02/17 05:08:32 | 00,039,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2008/06/30 16:36:35 | 03,093,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2009/02/04 17:34:12 | 01,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService [Auto | Running])
SRV - [2009/02/04 17:34:12 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2009/02/04 17:34:12 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2009/02/04 17:34:12 | 00,320,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC [On_Demand | Stopped])
SRV - [2009/02/04 17:34:12 | 02,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/08/12 09:58:18 | 00,002,401 | ---- | M] () -- C:\WINDOWS\System32\Drivers\AlKernel.sys -- (AlKernel [On_Demand | Running])
DRV - [2004/03/22 19:22:20 | 00,349,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mpad.sys -- (ati2mpad [On_Demand | Running])
DRV - [2007/02/17 03:31:14 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\ClusDisk.sys -- (ClusDisk [Disabled | Stopped])
DRV - [2006/11/11 05:34:44 | 00,268,288 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\System32\DRIVERS\cpqasm2.sys -- (cpqasm2 [On_Demand | Running])
DRV - [2007/08/02 23:41:08 | 00,042,536 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\cpqcidrv.sys -- (CpqCiDrv [On_Demand | Running])
DRV - [2008/01/22 13:56:36 | 00,064,000 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\CPQCISSE.sys -- (CPQCISSE [On_Demand | Running])
DRV - [2007/09/21 19:27:42 | 00,025,640 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm [Boot | Running])
DRV - [2008/01/30 11:01:46 | 00,217,600 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\cpqteam.sys -- (CPQTeam [On_Demand | Stopped])
DRV - [2008/01/30 11:01:46 | 00,217,600 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\cpqteam.sys -- (CPQTeamMP [On_Demand | Running])
DRV - [2007/02/17 03:49:38 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver [Boot | Running])
DRV - [2007/02/07 18:00:00 | 00,003,712 | ---- | M] (DameWare Development, LLC) -- C:\WINDOWS\System32\DRIVERS\DamewareMini.sys -- (DwMirror [On_Demand | Running])
DRV - [2007/02/15 18:00:00 | 00,026,624 | ---- | M] (DameWare) -- C:\WINDOWS\System32\DRIVERS\dwvkbd.sys -- (dwvkbd [System | Running])
DRV - [2009/08/01 09:34:27 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/02/06 20:26:07 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2006/02/09 02:50:00 | 00,020,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CCM\prepdrv.sys -- (prepdrvr [On_Demand | Stopped])
DRV - [2007/02/17 04:54:52 | 00,020,480 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/02/25 05:55:06 | 00,163,328 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\q57xp32.sys -- (q57w2k [On_Demand | Running])
DRV - [2007/11/14 21:21:06 | 01,142,824 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql2300.sys -- (ql2300 [Boot | Running])
DRV - [2009/07/28 10:53:16 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/07/28 10:53:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2009/07/28 10:53:14 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 10:32:23 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/08/01 09:29:13 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2006/11/11 05:34:44 | 00,005,120 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\System32\DRIVERS\sysmgmt.sys -- (sysmgmt [On_Demand | Running])
DRV - [2007/02/17 05:09:26 | 00,169,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\wlbs.sys -- (WLBS [On_Demand | Stopped])
DRV - [2009/02/04 17:34:11 | 00,420,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2009/02/04 17:34:12 | 00,043,824 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/02/04 17:34:12 | 00,319,664 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2009/02/04 17:34:12 | 00,279,600 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2009/08/01 09:34:27 | 00,875,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090811.050\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2009/08/01 09:34:27 | 00,087,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090811.050\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/02/04 17:34:12 | 00,038,056 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\WGX.SYS -- (WGX [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
<local>

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (MS extension) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - File not found
O4 - HKLM..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\Atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [CA-AMAgent] c:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe (Computer Associates International, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CPQTEAM] C:\Program Files\HP\NCU\cpqteam.exe (Hewlett-Packard Company)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1250068689086 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1213086137323 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} http://10.21.1.65:7777/forms/jinitiator/jinit.exe (JInitiator 1.3.1.26)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\hpapp {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\hpapp\Apps - No CLSID value found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP\FrontEnd\SapGui\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP\FrontEnd\SapGui\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - Unable to read "AutoRun" value or value not present!
O32 - AutoRun File - [2008/05/28 18:14:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##wpkb0203#hisstore\Shell - "" = AutoRun
O33 - MountPoints2\##wpkb0203#hisstore\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##wpkb0203#hisstore\Shell\AutoRun\command - "" = G:\RECYCLER\recycld.exe -- File not found
O33 - MountPoints2\##wpkb0203#hisstore\Shell\open\command - "" = G:\RECYCLER\recycld.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (msln) - C:\WINDOWS\System32\msln.exe (Symantec Corporation)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/12 10:18:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/08/11 16:59:47 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2009/08/11 16:59:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/08/06 12:42:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Macromedia
[2009/08/05 12:18:13 | 00,014,439 | ---- | C] () -- C:\all_boot.exe
[2009/08/01 09:38:51 | 00,038,056 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS
[2009/08/01 09:28:54 | 00,123,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/08/01 09:28:54 | 00,060,800 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/08/01 09:28:54 | 00,010,563 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/08/01 09:28:54 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/08/01 09:25:42 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/07/29 01:38:29 | 00,046,640 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2009/07/29 01:36:34 | 00,059,392 | ---- | C] () -- C:\WINDOWS\System32\inform.dat
[2009/07/29 01:36:34 | 00,013,733 | ---- | C] () -- C:\WINDOWS\System32\pmx
[2009/07/29 01:32:41 | 00,005,648 | ---- | C] () -- C:\MGlogs.zip
[2009/07/29 01:31:49 | 00,000,000 | ---D | C] -- C:\MGTools
[2009/07/29 01:29:19 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/07/29 01:13:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Malwarebytes
[2009/07/29 01:13:35 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/29 01:13:33 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/29 01:13:31 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/29 01:13:31 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/29 01:13:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/29 00:36:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/07/29 00:36:19 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/07/29 00:36:18 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/07/29 00:36:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\SUPERAntiSpyware.com
[2009/07/29 00:35:08 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/07/29 00:29:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/07/29 00:22:00 | 00,003,325 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/07/28 22:48:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Desktop\trojan fight
[2009/07/28 22:47:06 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\Administrator.WinServ2k3Box\Desktop\HijackThis.lnk
[2009/07/28 22:47:06 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/07/28 22:32:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Local Settings\Application Data\Symantec_Corporation
[2009/07/28 22:32:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Symantec
[2009/07/28 22:26:30 | 01,406,844 | -H-- | C] () -- C:\Documents and Settings\Administrator.WinServ2k3Box\Local Settings\Application Data\IconCache.db
[2009/07/28 22:25:58 | 01,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MFC71.DLL
[2009/07/28 22:25:58 | 00,503,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSVCP71.DLL
[2009/07/28 22:25:58 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSVCR71.DLL
[2009/07/28 22:09:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Local Settings\Application Data\Symantec
[2009/07/28 22:09:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Local Settings\Application Data\Microsoft
[2009/07/28 22:09:42 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Microsoft
[2009/07/28 22:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\InstallShield
[2009/07/28 22:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Identities
[2009/07/28 22:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Help
[2009/07/28 22:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.WinServ2k3Box\Application Data\Adobe
[2009/06/10 12:27:53 | 00,000,923 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2008/11/10 16:41:01 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\Qaproea.dll
[2008/11/10 16:41:01 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\qarapea.dll
[2008/10/28 15:33:53 | 00,036,962 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2008/06/03 11:50:13 | 00,000,963 | ---- | C] () -- C:\WINDOWS\saplogon.ini
[2008/06/03 11:50:13 | 00,000,040 | ---- | C] () -- C:\WINDOWS\Sapmsg.ini
[2008/05/29 13:30:00 | 00,002,755 | ---- | C] () -- C:\WINDOWS\STWYSCLR.INI
[2008/05/29 13:30:00 | 00,000,186 | ---- | C] () -- C:\WINDOWS\STLAT.INI
[2008/05/29 13:29:59 | 00,009,780 | ---- | C] () -- C:\WINDOWS\ST420CLR.INI
[2008/05/29 13:29:59 | 00,000,204 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
[2008/05/29 13:08:38 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/29 13:05:17 | 01,064,960 | ---- | C] () -- C:\WINDOWS\System32\h5krnl32.dll
[2008/05/29 13:05:17 | 00,188,928 | ---- | C] () -- C:\WINDOWS\System32\h5icon32.dll
[2008/05/29 13:05:17 | 00,175,616 | ---- | C] () -- C:\WINDOWS\System32\h5menu32.dll
[2008/05/29 13:05:17 | 00,095,744 | ---- | C] () -- C:\WINDOWS\System32\h5rtf32.dll
[2008/05/29 13:05:17 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\h5tool32.dll
[2008/05/29 13:05:14 | 00,015,872 | ---- | C] () -- C:\WINDOWS\System32\vtssm32.dll
[2008/05/29 12:32:18 | 00,000,467 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2008/05/28 18:35:51 | 00,008,665 | ---- | C] () -- C:\WINDOWS\dynamic.ini
[2008/05/28 18:35:51 | 00,002,401 | ---- | C] () -- C:\WINDOWS\System32\drivers\AlKernel.sys
[2008/05/28 18:26:27 | 00,066,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinrvxx.sys
[2008/05/28 18:26:27 | 00,060,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinbtxx.sys
[2008/05/28 18:26:27 | 00,036,912 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atintuxx.sys
[2008/05/28 18:26:27 | 00,033,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinraxx.sys
[2008/05/28 18:26:27 | 00,032,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinxsxx.sys
[2008/05/28 18:26:27 | 00,030,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinxbxx.sys
[2008/05/28 18:26:27 | 00,026,720 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinsnxx.sys
[2008/05/28 18:26:27 | 00,021,152 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinttxx.sys
[2008/05/28 18:26:27 | 00,011,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinpdxx.sys
[2008/05/28 18:26:27 | 00,011,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\Atinmdxx.sys
[2008/05/28 10:19:18 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/05/28 10:19:10 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/05/28 10:19:00 | 00,179,440 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2008/05/28 10:18:52 | 00,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2008/05/28 10:18:52 | 00,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2008/05/28 10:18:50 | 00,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2008/05/28 10:18:36 | 00,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2008/05/28 10:18:34 | 00,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2008/03/07 15:53:02 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\cqstrutl.dll
[2008/02/04 18:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/07/01 18:50:16 | 00,064,976 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/01/30 17:40:12 | 00,000,048 | ---- | C] () -- C:\WINDOWS\zap.ini
[1998/05/25 12:38:14 | 00,027,136 | R--- | C] () -- C:\WINDOWS\System32\libarm32.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/08/12 12:28:01 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Outlook.lnk
[2009/08/12 09:58:18 | 00,002,401 | ---- | M] () -- C:\WINDOWS\System32\drivers\AlKernel.sys
[2009/08/11 19:45:54 | 00,059,392 | ---- | M] () -- C:\WINDOWS\System32\inform.dat
[2009/08/11 19:45:54 | 00,013,733 | ---- | M] () -- C:\WINDOWS\System32\pmx
[2009/08/06 16:47:38 | 01,406,844 | -H-- | M] () -- C:\Documents and Settings\Administrator.WinServ2k3Box\Local Settings\Application Data\IconCache.db
[2009/08/05 17:51:47 | 00,009,649 | ---- | M] () -- C:\WINDOWS\System32\MyModRoot.xml
[2009/08/05 12:17:04 | 00,014,439 | ---- | M] () -- C:\all_boot.exe
[2009/08/01 09:29:13 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/08/01 09:29:13 | 00,060,800 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/08/01 09:29:13 | 00,010,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/08/01 09:29:13 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/07/29 01:38:29 | 00,046,640 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2009/07/29 01:32:43 | 00,005,648 | ---- | M] () -- C:\MGlogs.zip
[2009/07/29 01:32:42 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/29 01:31:52 | 00,518,144 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/07/29 01:28:39 | 00,000,467 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2009/07/29 01:28:30 | 00,004,510 | ---- | M] () -- C:\aclient.cfg
[2009/07/29 01:28:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/29 01:28:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/29 01:13:35 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/29 00:36:19 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/07/29 00:22:04 | 00,003,325 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/07/28 22:47:07 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\Administrator.WinServ2k3Box\Desktop\HijackThis.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 3072 bytes -> C:\temp:EGS__DS_DIR_HDR
@Alternate Data Stream - 3072 bytes -> C:\Program Files:EGS__DS_DIR_HDR
@Alternate Data Stream - 3072 bytes -> C:\Documents and Settings:EGS__DS_DIR_HDR
@Alternate Data Stream - 3072 bytes -> C:\CLIENTWS:EGS__DS_DIR_HDR
@Alternate Data Stream - 3072 bytes -> C:\CLIENTUS:EGS__DS_DIR_HDR
< End of report >


I hope that will do for a start.
Tomk
post Aug 12 2009, 11:31 AM
Post #4


HubiK,

I think you already know that your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat, then please let me know in your next response. I'll now continue with instructions for cleaning.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "JRE 6 Update 15".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version.

Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • Click the Delete Files button.
  • There are two options in the window to clear the cache - Leave both Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.


Double click on OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • Please note that the fix starts with the :

CODE
:Processes
explorer.exe

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
O2 - BHO: (MS extension) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - File not found

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]


Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
  • Reboot your computer
Please post the OTL log and a new HJT log.



Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


This post has been edited by Tomk: Aug 12 2009, 11:31 AM
HubiK
post Aug 12 2009, 11:48 AM
Post #5


New Member
*

Group: New Member
Posts: 3
Joined: 5-August 09
Member No.: 87,158
Operating System: Windows Server 2003



TomK,

Thanks for your reply with recommendations. I will follow the steps when possible.

Also I wanted to ask what do you think about those two lines from previous log:

O33 - MountPoints2\##wpkb0203#hisstore\Shell\AutoRun\command - "" = G:\RECYCLER\recycld.exe -- File not found
O33 - MountPoints2\##wpkb0203#hisstore\Shell\open\command - "" = G:\RECYCLER\recycld.exe -- File not found

Do you think this should be deleted?
Tomk
post Aug 12 2009, 12:09 PM
Post #6


Forum God / Classroom Admin Assistant
Group Icon

Group: Classroom Teacher
Posts: 12,332
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



HubiK,

Files are gone. However, if your G: drive is a flash drive, I'd suggest that you run Flash Disinfector.

Please download Flash Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the
    utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
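As an added example (not code from this thread, HijackThis or Flash_Disinfector), here is a Python triage helper for the two points in the last two posts: O33 MountPoints2 lines that hand a drive's AutoRun/open verb to an executable on that drive, and the autorun.inf folder that Flash_Disinfector leaves in place as a blocker. The sample log lines, the GUID volume name and the E: drive entry are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Union

# Constructed sample HijackThis lines, modelled on the O33 entries quoted above.
SAMPLE_HJT_LINES = [
    r'O33 - MountPoints2\##wpkb0203#hisstore\Shell\AutoRun\command - "" = G:\RECYCLER\recycld.exe -- File not found',
    r'O33 - MountPoints2\##wpkb0203#hisstore\Shell\open\command - "" = G:\RECYCLER\recycld.exe -- File not found',
    r'O33 - MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}\Shell\AutoRun\command - "" = E:\setup.exe',
    r'O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

# volume key, shell verb, command, and HJT's optional " -- File not found" suffix
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "" = (?P<command>.*?)(?: -- (?P<status>.+))?$'
)
# Folders worms commonly hide in on removable media, as in the recycld.exe entry.
HIDING_DIRS = ("\\recycler\\", "\\recycled\\", "\\$recycle.bin\\")

def analyse_o33(line: str) -> Optional[Dict[str, object]]:
    """Parse one O33 line into a finding dict; None if the line is not an O33 entry."""
    m = O33_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("command")
    reasons: List[str] = []
    if m.group("verb").lower() in ("autorun", "open"):
        reasons.append("AutoRun/open verb redirected: the drive launches a program on insert/open")
    if any(d in cmd.lower() for d in HIDING_DIRS):
        reasons.append("payload lives in a recycle-bin folder, a classic hiding spot")
    return {
        "volume": m.group("volume"), "verb": m.group("verb"), "command": cmd,
        "file_missing": m.group("status") == "File not found", "reasons": reasons,
    }

def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for every O33 line that has at least one reason to be removed."""
    return [f for f in map(analyse_o33, lines) if f and f["reasons"]]

def autorun_inf_state(drive_root: Union[str, Path]) -> str:
    """'blocked' if a Flash_Disinfector style autorun.inf folder occupies the name,
    'file' if a real autorun.inf exists (inspect it), otherwise 'absent'."""
    p = Path(drive_root) / "autorun.inf"
    return "blocked" if p.is_dir() else "file" if p.is_file() else "absent"

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f["volume"], f["verb"], f["command"], "MISSING" if f["file_missing"] else "present", *f["reasons"], sep=" | ")
```

Entries whose target is already "File not found" are orphaned registry keys; they are still worth removing so a re-inserted drive cannot resurrect the command.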
Tomk
post Aug 18 2009, 09:20 AM
Post #7


Forum God / Classroom Admin Assistant
Group Icon

Group: Classroom Teacher
Posts: 12,332
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log.