Problem Description:
Hi, we are facing a problem with our server, which is running Windows Server 2003. For the past few days we have been facing a problem of automatic data file deletion. The data files get deleted, whereas the individual folders remain as they are. We ran data recovery software to recover the files and were able to recover most of the data except a few. Just yesterday we found out that all the secondary partitions were deleted automatically, except the primary partition "C". We are unable to detect any virus after running various antivirus software including Malwarebytes, Trojan Remover 684, Kaspersky Virus Removal Tool, etc. Please help us!!
OTL Logs:
OTL logfile created on: 9/17/2012 3:07:58 PM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = D:\
Windows Server 2003 Enterprise Edition Service Pack 1 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.80 Gb Total Physical Memory | 3.27 Gb Available Physical Memory | 86.08% Memory free
5.64 Gb Paging File | 4.90 Gb Available in Paging File | 86.93% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 82.67 Gb Free Space | 88.75% Space Free | Partition Type: NTFS
Drive D: | 3.76 Gb Total Space | 3.75 Gb Free Space | 99.97% Space Free | Partition Type: FAT32
Drive J: | 372.60 Gb Total Space | 166.87 Gb Free Space | 44.78% Space Free | Partition Type: NTFS
Computer Name: OFFICE-SERVER3 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/09/17 14:58:08 | 000,596,480 | ---- | M] (OldTimer Tools) -- D:\OTL.EXE
PRC - [2012/08/03 00:45:12 | 021,423,760 | ---- | M] (R-Tools Technology Inc.) -- C:\Program Files\R-Studio\RStudio32.exe
PRC - [2012/05/29 20:08:48 | 000,172,032 | ---- | M] (CompSoft) -- C:\Program Files\DoroPDFWriter\DoroServer.exe
PRC - [2012/05/03 23:37:40 | 000,217,256 | ---- | M] (Visicom Media Inc. (Powered by Panda Security)) -- C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
PRC - [2009/08/13 05:04:28 | 000,435,496 | ---- | M] (Pervasive Software Inc.) -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
PRC - [2008/05/08 04:59:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
PRC - [2006/09/01 10:00:00 | 000,122,880 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2006/03/22 17:30:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/22 17:30:00 | 000,848,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2006/03/22 17:30:00 | 000,349,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/03/22 17:30:00 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
========== Modules (No Company Name) ==========
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2006/03/22 17:30:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2009/08/13 05:04:28 | 000,435,496 | ---- | M] (Pervasive Software Inc.) [Auto | Running] -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe -- (psqlWGE)
SRV - [2008/05/08 04:59:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
SRV - [2006/03/22 17:30:00 | 000,791,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2006/03/22 17:30:00 | 000,349,184 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2006/03/22 17:30:00 | 000,164,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2006/03/22 17:30:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2006/03/22 17:30:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2006/03/22 17:30:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2006/03/22 17:30:00 | 000,062,976 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\xhxde.dll -- (zmtqtg)
SRV - [2006/03/22 17:30:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2006/03/22 17:30:00 | 000,036,352 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2006/03/22 17:30:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [1998/06/06 00:00:00 | 000,034,036 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/13 11:21:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\15500247.sys -- (15500247)
DRV - [2012/09/11 12:36:22 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/04/05 22:05:56 | 000,168,616 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress)
DRV - [2008/03/17 22:15:52 | 000,019,584 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\Ckldrv.sys -- (NetworkX)
DRV - [2006/03/22 17:30:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2006/03/22 17:30:00 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2006/03/22 17:30:00 | 000,068,608 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk)
DRV - [2006/03/22 17:30:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=141BEA48B854119F7422315051AB0A3F&tbp=homepage
IE - HKCU\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=141BEA48B854119F7422315051AB0A3F&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
O1 HOSTS File: ([2006/03/22 17:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll ()
O3 - HKLM\..\Toolbar: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll ()
O4 - HKLM..\Run: [Anti-phishing Domain Advisor] C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe (Visicom Media Inc. (Powered by Panda Security))
O4 - HKLM..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe (Corel Corporation)
O4 - HKLM..\Run: [DoroServer] C:\Program Files\DoroPDFWriter\DoroServer.exe (CompSoft)
O4 - HKLM..\Run: [PeachtreePrefetcher.exe] C:\Program Files\Sage\Peachtree\PeachtreePrefetcher.exe (Sage Software, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{917C52AC-BAF5-4402-95CB-91721A826787}: NameServer = 192.51.11.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/04/17 20:17:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/01/09 16:19:56 | 000,000,060 | ---- | M] () - C:\autoshutdown.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: wd.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4CF07653-FE0F-11D4-A548-0090278A1BB8} - .NET Framework
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
ActiveX: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} - Help and Support Center
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} -
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - C:\WINDOWS\System32\ias.dll (Microsoft Corporation)
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: zmtqtg - C:\WINDOWS\system32\xhxde.dll ()
CREATERESTOREPOINT
System Restore Service not available.
========== Files/Folders - Created Within 30 Days ==========
[2012/09/17 12:52:21 | 000,000,000 | ---D | C] -- C:\OP1
[2012/09/17 11:26:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Operator1
[2012/09/17 11:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Operator1
[2012/09/15 14:16:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\R-TT
[2012/09/15 14:16:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\R-TT
[2012/09/15 14:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\R-Studio
[2012/09/15 14:16:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\R-Studio
[2012/09/15 11:38:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Simply Super Software
[2012/09/15 11:35:53 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\15500247.sys
[2012/09/13 16:43:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2012/09/13 15:58:41 | 000,000,000 | ---D | C] -- C:\Program Files\AAPTrojan Removal Tool
[2012/09/13 15:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\blekko toolbars
[2012/09/13 15:14:41 | 000,000,000 | ---D | C] -- C:\Program Files\blekkotb_031
[2012/09/13 15:14:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\blekkotb_031
[2012/09/13 15:14:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\blekkotb_031
[2012/09/13 15:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
[2012/09/13 15:13:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Downloads
[2012/09/13 15:13:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2012/09/13 15:13:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2012/09/13 15:13:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
[2012/09/13 12:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/09/13 12:40:48 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2012/09/13 12:40:28 | 013,414,352 | ---- | C] (Simply Super Software ) -- C:\Documents and Settings\Administrator\Desktop\trjsetup684.exe
[2012/09/11 12:35:34 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/11 11:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2012/09/10 15:20:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2012/09/10 15:19:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/09/10 15:18:41 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
[2012/09/10 14:53:34 | 001,629,088 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
[2012/09/04 17:59:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/08/18 15:31:09 | 000,000,000 | ---D | C] -- C:\Log
[2012/08/18 15:30:22 | 000,165,888 | ---- | C] (Kenonic Controls) -- C:\WINDOWS\Ckconfig.exe
[2012/08/18 15:30:22 | 000,122,880 | ---- | C] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\System32\Crypserv.exe
[2012/08/18 15:30:19 | 001,207,808 | ---- | C] (Dmitry Streblechenko) -- C:\WINDOWS\System32\PhoenixDll.dll
[2012/08/18 15:30:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Stellar Phoenix Windows Data Recovery
[2012/08/18 15:30:18 | 000,000,000 | ---D | C] -- C:\Program Files\Stellar Phoenix Windows Data Recovery
[2012/08/18 15:29:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Stellar Phoenix Windows Data Recovery
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/09/17 14:42:51 | 000,002,387 | ---- | M] () -- C:\WINDOWS\System32\RPCS.ini
[2012/09/17 14:42:35 | 000,000,078 | ---- | M] () -- C:\WINDOWS\ricdb.ini
[2012/09/17 11:00:00 | 000,000,218 | ---- | M] () -- C:\WINDOWS\tasks\autoshutdown.job
[2012/09/17 10:00:19 | 000,437,100 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/17 10:00:19 | 000,067,452 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/17 09:56:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/16 20:31:28 | 000,000,068 | ---- | M] () -- C:\WINDOWS\spwdr.INI
[2012/09/16 19:25:45 | 000,015,565 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 25 44 PM.IMG
[2012/09/16 19:25:02 | 000,015,565 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM.IMG
[2012/09/16 19:25:02 | 000,008,089 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM Drives.IMG
[2012/09/16 11:31:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/15 18:07:40 | 000,053,696 | ---- | M] () -- C:\WINDOWS\System32\C
[2012/09/15 10:10:58 | 005,341,184 | ---- | M] () -- C:\ISO.mdb
[2012/09/13 16:16:41 | 000,000,388 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Guest.lnk
[2012/09/13 16:15:55 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Govt Gazattes and Circulars.mdb.lnk
[2012/09/13 12:25:29 | 013,414,352 | ---- | M] (Simply Super Software ) -- C:\Documents and Settings\Administrator\Desktop\trjsetup684.exe
[2012/09/13 12:22:10 | 005,151,560 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rmslt(1).exe
[2012/09/13 11:21:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\15500247.sys
[2012/09/12 09:10:55 | 000,313,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/09/11 12:36:22 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/11 12:35:25 | 000,711,240 | ---- | M] () -- C:\WINDOWS\is-IIG1M.exe
[2012/09/11 12:35:25 | 000,010,550 | ---- | M] () -- C:\WINDOWS\is-IIG1M.msg
[2012/09/11 12:35:25 | 000,000,418 | ---- | M] () -- C:\WINDOWS\is-IIG1M.lst
[2012/09/10 15:13:45 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
[2012/09/10 14:29:31 | 001,629,088 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
[2012/09/04 17:59:29 | 000,001,523 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Backup.lnk
[2012/08/18 15:30:25 | 000,000,071 | ---- | M] () -- C:\WINDOWS\Crypkey.ini
[2012/08/18 15:30:19 | 000,000,875 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Stellar Phoenix Windows Data Recovery.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/09/16 19:25:45 | 000,015,565 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 25 44 PM.IMG
[2012/09/16 19:25:02 | 000,015,565 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM.IMG
[2012/09/16 19:25:02 | 000,008,089 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM Drives.IMG
[2012/09/13 16:16:41 | 000,000,388 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Guest.lnk
[2012/09/13 16:15:55 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Govt Gazattes and Circulars.mdb.lnk
[2012/09/13 14:10:16 | 005,151,560 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rmslt(1).exe
[2012/09/12 14:16:50 | 000,053,696 | ---- | C] () -- C:\WINDOWS\System32\C
[2012/09/11 12:35:25 | 000,711,240 | ---- | C] () -- C:\WINDOWS\is-IIG1M.exe
[2012/09/11 12:35:25 | 000,010,550 | ---- | C] () -- C:\WINDOWS\is-IIG1M.msg
[2012/09/11 12:35:25 | 000,000,418 | ---- | C] () -- C:\WINDOWS\is-IIG1M.lst
[2012/09/04 17:59:27 | 000,001,523 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Backup.lnk
[2012/08/18 15:31:09 | 000,000,068 | ---- | C] () -- C:\WINDOWS\spwdr.INI
[2012/08/18 15:30:25 | 000,000,071 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2012/08/18 15:30:22 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
[2012/08/18 15:30:22 | 000,019,584 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2012/08/18 15:30:22 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2012/08/18 15:30:22 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
[2012/08/18 15:30:19 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\StellarProfile.dll
[2012/08/18 15:30:19 | 000,000,875 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Stellar Phoenix Windows Data Recovery.lnk
[2012/08/08 14:00:59 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2012/08/08 12:05:02 | 000,000,434 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/07/27 12:00:43 | 000,000,078 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2012/07/27 12:00:41 | 000,002,387 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2012/07/27 11:49:54 | 000,042,483 | ---- | C] () -- C:\WINDOWS\Icccodes.dat
[2012/07/27 11:49:54 | 000,039,095 | ---- | C] () -- C:\WINDOWS\Iccsigs.dat
[2012/07/27 11:49:54 | 000,000,156 | ---- | C] () -- C:\WINDOWS\Kpcms.ini
[2012/07/27 11:49:53 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2012/07/27 11:01:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/04/17 23:30:39 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/04/17 23:29:38 | 000,313,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/04/17 20:31:44 | 000,004,096 | R--- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2012/04/17 20:31:44 | 000,000,151 | R--- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2012/04/17 20:31:41 | 000,870,560 | R--- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2012/04/17 20:31:41 | 000,127,868 | R--- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2012/04/17 20:29:57 | 000,061,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/04/17 20:20:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/04/17 20:15:01 | 000,021,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
========== Custom Scans ==========
< %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >
< %AppData%\Local\ >
< %systemroot%\system32\sysprep >
< *.xpi /md5 >
< %systemroot%\Downloaded Program Files\ >
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2006/03/22 17:30:00 | 000,094,208 | ---- | M] (Microsoft Corporation)
< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2006/03/22 17:30:00 | 000,094,208 | ---- | M] (Microsoft Corporation)
< %systemroot%\system32\drivers\*.sys /lockedfiles >
< %systemroot%\system32\drivers\*.sys /90 >
[2012/09/13 11:21:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\WINDOWS\system32\drivers\15500247.sys
[2012/09/11 12:36:22 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
< %systemroot%\System32\config\*.sav >
[2012/04/17 23:28:49 | 000,090,112 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2012/04/17 23:28:49 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2012/04/17 23:28:49 | 000,491,520 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav
< %SYSTEMDRIVE%\*.exe /md5 >
< "%WinDir%\$NtUninstallKB*$." /30 >
< %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >
< %systemroot%\*. /mp /s >
< %systemroot%\*. /rp /s >
< %systemroot%\system32\*.dll /lockedfiles >
[2006/03/22 17:30:00 | 000,062,976 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\xhxde.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\Installer\ /s >
< %systemroot%\system32\Cache\ /s >
< %systemroot%\system32\config\systemprofile\ /s >
< %PROGRAMFILES%\*. >
[2012/09/13 16:04:39 | 000,000,000 | ---D | M] -- C:\Program Files\AAPTrojan Removal Tool
[2012/07/27 11:53:27 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2012/09/13 15:14:44 | 000,000,000 | ---D | M] -- C:\Program Files\blekkotb_031
[2012/07/27 15:14:43 | 000,000,000 | ---D | M] -- C:\Program Files\Business Objects
[2012/08/08 14:03:59 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2012/08/08 14:05:23 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2012/07/27 11:51:41 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2012/08/10 17:18:42 | 000,000,000 | ---D | M] -- C:\Program Files\DoroPDFWriter
[2012/07/27 11:51:59 | 000,000,000 | ---D | M] -- C:\Program Files\InstallShield Installation Information
[2012/04/17 20:26:04 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2012/04/17 20:16:12 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2012/07/27 11:01:18 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2012/07/27 11:00:55 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2012/08/08 14:03:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2012/07/27 11:00:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2012/04/17 20:29:47 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2012/04/17 20:22:51 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2012/04/17 20:28:26 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2012/04/17 20:15:51 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2012/04/17 20:16:15 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2012/07/27 15:13:13 | 000,000,000 | ---D | M] -- C:\Program Files\Pervasive Software
[2012/09/15 14:16:16 | 000,000,000 | ---D | M] -- C:\Program Files\R-Studio
[2012/04/17 20:29:43 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2012/07/27 15:14:11 | 000,000,000 | ---D | M] -- C:\Program Files\Sage
[2012/08/18 15:30:54 | 000,000,000 | ---D | M] -- C:\Program Files\Stellar Phoenix Windows Data Recovery
[2012/09/16 11:30:53 | 000,000,000 | ---D | M] -- C:\Program Files\Trojan Remover
[2012/08/08 14:03:55 | 000,000,000 | ---D | M] -- C:\Program Files\Web Publish
[2012/04/17 20:17:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2012/04/17 20:13:56 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2012/04/17 20:16:56 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2012/07/27 11:56:32 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2012/07/27 11:57:22 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
< %appdata%\*.* >
[2012/04/17 23:30:03 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
< MD5 for: AFD.SYS >
[2006/03/22 17:30:00 | 000,150,528 | ---- | M] (Microsoft Corporation) MD5=755EA870CB8D6E4AEE8D39B2F4AFDF94 -- C:\WINDOWS\system32\dllcache\afd.sys
[2006/03/22 17:30:00 | 000,150,528 | ---- | M] (Microsoft Corporation) MD5=755EA870CB8D6E4AEE8D39B2F4AFDF94 -- C:\WINDOWS\system32\drivers\afd.sys
< MD5 for: ATAPI.SYS >
[2006/03/22 17:30:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005/03/24 17:55:32 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\dllcache\atapi.sys
[2005/03/24 17:55:32 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/03/22 17:30:00 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
< MD5 for: CRYPTSVC.DLL >
[2006/03/22 17:30:00 | 000,056,832 | ---- | M] (Microsoft Corporation) MD5=1FA95C1BE76C912BE9E5AA1B50A4B21E -- C:\WINDOWS\system32\cryptsvc.dll
[2006/03/22 17:30:00 | 000,056,832 | ---- | M] (Microsoft Corporation) MD5=1FA95C1BE76C912BE9E5AA1B50A4B21E -- C:\WINDOWS\system32\dllcache\cryptsvc.dll
< MD5 for: DNSRSLVR.DLL >
[2006/03/22 17:30:00 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=77FF6DD933437F49B8B95627102DE5D3 -- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
[2006/03/22 17:30:00 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=77FF6DD933437F49B8B95627102DE5D3 -- C:\WINDOWS\system32\dnsrslvr.dll
< MD5 for: ES.DLL >
[2006/03/22 17:30:00 | 000,238,592 | ---- | M] (Microsoft Corporation) MD5=D52D5F2BAD0978E45809F3F6F570E38D -- C:\WINDOWS\system32\dllcache\es.dll
[2006/03/22 17:30:00 | 000,238,592 | ---- | M] (Microsoft Corporation) MD5=D52D5F2BAD0978E45809F3F6F570E38D -- C:\WINDOWS\system32\es.dll
< MD5 for: EXPLORER.EXE >
[2006/03/22 17:30:00 | 001,050,624 | ---- | M] (Microsoft Corporation) MD5=4B93BB34AF478A0FD9765D9B73356DC9 -- C:\WINDOWS\explorer.exe
[2006/03/22 17:30:00 | 001,050,624 | ---- | M] (Microsoft Corporation) MD5=4B93BB34AF478A0FD9765D9B73356DC9 -- C:\WINDOWS\system32\dllcache\explorer.exe
< MD5 for: IPNATHLP.DLL >
[2006/03/22 17:30:00 | 000,339,968 | ---- | M] (Microsoft Corporation) MD5=00B791334BE2508AAF7E1D29100B3CE2 -- C:\WINDOWS\system32\dllcache\ipnathlp.dll
[2006/03/22 17:30:00 | 000,339,968 | ---- | M] (Microsoft Corporation) MD5=00B791334BE2508AAF7E1D29100B3CE2 -- C:\WINDOWS\system32\ipnathlp.dll
< MD5 for: IPSEC.SYS >
[2006/03/22 17:30:00 | 000,081,920 | ---- | M] (Microsoft Corporation) MD5=FD60EF15DC509A4C8CEB9D12B078C6C9 -- C:\WINDOWS\system32\dllcache\ipsec.sys
[2006/03/22 17:30:00 | 000,081,920 | ---- | M] (Microsoft Corporation) MD5=FD60EF15DC509A4C8CEB9D12B078C6C9 -- C:\WINDOWS\system32\drivers\ipsec.sys
< MD5 for: NETBT.SYS >
[2006/03/22 17:30:00 | 000,180,736 | ---- | M] (Microsoft Corporation) MD5=1576E5A77964E2DABFF03EB8AE28F44F -- C:\WINDOWS\system32\dllcache\netbt.sys
[2006/03/22 17:30:00 | 000,180,736 | ---- | M] (Microsoft Corporation) MD5=1576E5A77964E2DABFF03EB8AE28F44F -- C:\WINDOWS\system32\drivers\netbt.sys
< MD5 for: NETMAN.DLL >
[2006/03/22 17:30:00 | 000,264,704 | ---- | M] (Microsoft Corporation) MD5=99A40F8634D4A2B3B63BACD50A8AAD89 -- C:\WINDOWS\system32\dllcache\netman.dll
[2006/03/22 17:30:00 | 000,264,704 | ---- | M] (Microsoft Corporation) MD5=99A40F8634D4A2B3B63BACD50A8AAD89 -- C:\WINDOWS\system32\netman.dll
< MD5 for: QMGR.DLL >
[2006/03/22 17:30:00 | 000,380,928 | ---- | M] (Microsoft Corporation) MD5=28E8158B16DE930F346EF874C8C29492 -- C:\WINDOWS\system32\dllcache\qmgr.dll
[2006/03/22 17:30:00 | 000,380,928 | ---- | M] (Microsoft Corporation) MD5=28E8158B16DE930F346EF874C8C29492 -- C:\WINDOWS\system32\qmgr.dll
< MD5 for: RPCSS.DLL >
[2006/03/22 17:30:00 | 000,415,744 | ---- | M] (Microsoft Corporation) MD5=D9948E14F2F89EDBA3E9575FB389ED64 -- C:\WINDOWS\system32\dllcache\rpcss.dll
[2006/03/22 17:30:00 | 000,415,744 | ---- | M] (Microsoft Corporation) MD5=D9948E14F2F89EDBA3E9575FB389ED64 -- C:\WINDOWS\system32\rpcss.dll
< MD5 for: SERVICES.EXE >
[2006/03/22 17:30:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=B6DAA698BD2E07BB636A9383C9CB3A10 -- C:\WINDOWS\system32\dllcache\services.exe
[2006/03/22 17:30:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=B6DAA698BD2E07BB636A9383C9CB3A10 -- C:\WINDOWS\system32\services.exe
< MD5 for: SVCHOST.EXE >
[2006/03/22 17:30:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=CA8E6441930B54A8B8210061CE5FCCE7 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2006/03/22 17:30:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=CA8E6441930B54A8B8210061CE5FCCE7 -- C:\WINDOWS\system32\svchost.exe
< MD5 for: TCPIP.SYS >
[2006/03/22 17:30:00 | 000,333,312 | ---- | M] (Microsoft Corporation) MD5=EC676733442B122F1828FCD03B86C20B -- C:\WINDOWS\system32\dllcache\tcpip.sys
[2006/03/22 17:30:00 | 000,333,312 | ---- | M] (Microsoft Corporation) MD5=EC676733442B122F1828FCD03B86C20B -- C:\WINDOWS\system32\drivers\tcpip.sys
< MD5 for: USERINIT.EXE >
[2006/03/22 17:30:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=29A1877F2D0EACFF20B6507A3C00F31B -- C:\WINDOWS\system32\dllcache\userinit.exe
[2006/03/22 17:30:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=29A1877F2D0EACFF20B6507A3C00F31B -- C:\WINDOWS\system32\userinit.exe
< MD5 for: VOLSNAP.SYS >
[2006/03/22 17:30:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:volsnap.sys
[2006/03/22 17:30:00 | 000,152,576 | ---- | M] (Microsoft Corporation) MD5=364CBB5F273A0355D0A841635D66B764 -- C:\WINDOWS\system32\drivers\volsnap.sys
< MD5 for: WINLOGON.EXE >
[2006/03/22 17:30:00 | 000,508,928 | ---- | M] (Microsoft Corporation) MD5=325FD6D25FC1D77C363E87B445C8B023 -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2006/03/22 17:30:00 | 000,508,928 | ---- | M] (Microsoft Corporation) MD5=325FD6D25FC1D77C363E87B445C8B023 -- C:\WINDOWS\system32\winlogon.exe
< MD5 for: WMISVC.DLL >
[2006/03/22 17:30:00 | 000,143,360 | ---- | M] (Microsoft Corporation) MD5=391265F02FF1AA4A67C09653A450D518 -- C:\WINDOWS\system32\dllcache\wmisvc.dll
[2006/03/22 17:30:00 | 000,143,360 | ---- | M] (Microsoft Corporation) MD5=391265F02FF1AA4A67C09653A450D518 -- C:\WINDOWS\system32\wbem\wmisvc.dll
< MD5 for: WUAUSERV.DLL >
[2006/03/22 17:30:00 | 000,008,192 | ---- | M] (Microsoft Corporation) MD5=69E524D75FDFAF97D19A1CBBAA7FAE53 -- C:\WINDOWS\system32\dllcache\wuauserv.dll
[2006/03/22 17:30:00 | 000,008,192 | ---- | M] (Microsoft Corporation) MD5=69E524D75FDFAF97D19A1CBBAA7FAE53 -- C:\WINDOWS\system32\wuauserv.dll
========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
========== Alternate Data Streams ==========
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47F1DFAC
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >
OTL Extras logfile created on: 9/17/2012 3:07:58 PM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = D:\
Windows Server 2003 Enterprise Edition Service Pack 1 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.80 Gb Total Physical Memory | 3.27 Gb Available Physical Memory | 86.08% Memory free
5.64 Gb Paging File | 4.90 Gb Available in Paging File | 86.93% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 82.67 Gb Free Space | 88.75% Space Free | Partition Type: NTFS
Drive D: | 3.76 Gb Total Space | 3.75 Gb Free Space | 99.97% Space Free | Partition Type: FAT32
Drive J: | 372.60 Gb Total Space | 166.87 Gb Free Space | 44.78% Space Free | Partition Type: NTFS
Computer Name: OFFICE-SERVER3 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1296:TCP" = 1296:TCP:*:Enabled:WWW
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe" = C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe:*:Enabled:Database Service Manager -- (Pervasive Software Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A3238D7-AB32-1010-B717-F3E3F18B4A8C}" = Pervasive PSQL v10.10 Workgroup (32-bit)
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{505AFDC0-5E72-4928-8368-5DEA385E3647}" = CorelDRAW Graphics Suite 12
"{6798DD4E-BD16-4735-87EB-D712637CCB8C}" = Sage Message Center
"{6CD774DA-B798-4D1E-B327-2AA6EA407929}" = Peachtree Accounting 2010
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{8BCB844B-0814-4354-A413-1063DB4618E9}" = PeachTree Signature Ready Forms
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}" = Crystal Reports 2008 Runtime SP1
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"Adobe PageMaker 7.0" = Adobe PageMaker 7.0
"Anti-phishing Domain Advisor" = Anti-phishing Domain Advisor
"blekkotb_031" = blekko search bar
"Doro_is1" = Doro 1.77
"InstallShield_{6CD774DA-B798-4D1E-B327-2AA6EA407929}" = Peachtree Premium Accounting for Manufacturing 2010
"Integration Services" = Sage Integration Services
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"MsJavaVM" = Microsoft VM for Java
"R-Studio 6.1NSIS" = R-Studio 6.1
"Stellar Phoenix Windows Data Recovery_is1" = Stellar Phoenix Windows Data Recovery V4.1
"Visual Studio 6.0 Enterprise Edition" = Microsoft Visual Studio 6.0 Enterprise Edition
"WebPost" = Microsoft Web Publishing Wizard 1.53
"WIC" = Windows Imaging Component
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 9/14/2012 11:48:53 PM | Computer Name = OFFICE-SERVER3 | Source = Userenv | ID = 1502
Description = Windows cannot load the locally stored profile. Possible causes of
this error include insufficient security rights or a corrupt local profile. If
this problem persists, contact your network administrator. DETAIL - The process
cannot access the file because it is being used by another process.
Error - 9/14/2012 11:48:53 PM | Computer Name = OFFICE-SERVER3 | Source = Userenv | ID = 1515
Description = Windows has backed up this user's profile. Windows will automatically
try to use the backed up profile the next time this user logs on.
Error - 9/14/2012 11:48:58 PM | Computer Name = OFFICE-SERVER3 | Source = Userenv | ID = 1511
Description = Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you log off.
Error - 9/15/2012 1:35:29 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8003
Description = End Restore to 'D:' 'Failed' Verify: Off Consult the backup report
for more detail.
Error - 9/15/2012 1:35:29 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.
Error - 9/15/2012 1:39:32 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8003
Description = End Restore to 'D:' 'Failed' Verify: Off Consult the backup report
for more detail.
Error - 9/15/2012 1:39:32 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.
Error - 9/15/2012 2:07:17 AM | Computer Name = OFFICE-SERVER3 | Source = crypt32 | ID = 131075
Description = Failed auto update retrieval of third-party root list cab from:
with error: This operation returned because the timeout period expired.
Error - 9/15/2012 8:21:47 AM | Computer Name = OFFICE-SERVER3 | Source = Application Hang | ID = 1002
Description = Hanging application Pm70.exe, version 0.7.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 9/16/2012 2:41:38 AM | Computer Name = OFFICE-SERVER3 | Source = Application Hang | ID = 1002
Description = Hanging application RStudio32.exe, version 6.1.152.29, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 9/16/2012 8:21:47 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:24:16 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:24:16 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:35:31 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:35:31 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 9:51:31 AM | Computer Name = OFFICE-SERVER3 | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume Q:.
Error - 9/16/2012 10:05:49 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The ttqoy service terminated with the following error: %%2
Error - 9/16/2012 10:05:49 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The zmtqtg service terminated with the following error: %%1114
Error - 9/17/2012 12:27:51 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The ttqoy service terminated with the following error: %%2
Error - 9/17/2012 12:27:51 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The zmtqtg service terminated with the following error: %%1114
< End of report >
# AdwCleaner v2.002 - Logfile created 09/17/2012 at 15:14:54
# Updated 16/09/2012 by Xplode
# Operating system : Microsoft Windows Server 2003 Service Pack 1 (32 bits)
# User : Administrator - OFFICE-SERVER3
# Boot Mode : Normal
# Running from : D:\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Deleted on reboot : C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****
-\\ Internet Explorer v6.0.3790.1830
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-247894039-1264540694-3313736524-1027\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=141BEA48B854119F7422315051AB0A3F&tbp=homepage --> hxxp://www.google.com
*************************
AdwCleaner[S2].txt - [1812 octets] - [17/09/2012 15:14:54]
########## EOF - C:\AdwCleaner[S2].txt - [1872 octets] ##########
PRC - [2012/05/29 20:08:48 | 000,172,032 | ---- | M] (CompSoft) -- C:\Program Files\DoroPDFWriter\DoroServer.exe
PRC - [2012/05/03 23:37:40 | 000,217,256 | ---- | M] (Visicom Media Inc. (Powered by Panda Security)) -- C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
PRC - [2009/08/13 05:04:28 | 000,435,496 | ---- | M] (Pervasive Software Inc.) -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
PRC - [2008/05/08 04:59:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
PRC - [2006/09/01 10:00:00 | 000,122,880 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2006/03/22 17:30:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/22 17:30:00 | 000,848,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2006/03/22 17:30:00 | 000,349,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/03/22 17:30:00 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
========== Modules (No Company Name) ==========
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2006/03/22 17:30:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2009/08/13 05:04:28 | 000,435,496 | ---- | M] (Pervasive Software Inc.) [Auto | Running] -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe -- (psqlWGE)
SRV - [2008/05/08 04:59:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
SRV - [2006/03/22 17:30:00 | 000,791,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2006/03/22 17:30:00 | 000,349,184 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2006/03/22 17:30:00 | 000,164,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2006/03/22 17:30:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2006/03/22 17:30:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2006/03/22 17:30:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2006/03/22 17:30:00 | 000,062,976 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\xhxde.dll -- (zmtqtg)
SRV - [2006/03/22 17:30:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2006/03/22 17:30:00 | 000,036,352 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2006/03/22 17:30:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [1998/06/06 00:00:00 | 000,034,036 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/13 11:21:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\15500247.sys -- (15500247)
DRV - [2012/09/11 12:36:22 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/04/05 22:05:56 | 000,168,616 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress)
DRV - [2008/03/17 22:15:52 | 000,019,584 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\Ckldrv.sys -- (NetworkX)
DRV - [2006/03/22 17:30:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2006/03/22 17:30:00 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2006/03/22 17:30:00 | 000,068,608 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ClusDisk.sys -- (ClusDisk)
DRV - [2006/03/22 17:30:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=141BEA48B854119F7422315051AB0A3F&tbp=homepage
IE - HKCU\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=141BEA48B854119F7422315051AB0A3F&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
O1 HOSTS File: ([2006/03/22 17:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll ()
O3 - HKLM\..\Toolbar: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll ()
O4 - HKLM..\Run: [Anti-phishing Domain Advisor] C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe (Visicom Media Inc. (Powered by Panda Security))
O4 - HKLM..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe (Corel Corporation)
O4 - HKLM..\Run: [DoroServer] C:\Program Files\DoroPDFWriter\DoroServer.exe (CompSoft)
O4 - HKLM..\Run: [PeachtreePrefetcher.exe] C:\Program Files\Sage\Peachtree\PeachtreePrefetcher.exe (Sage Software, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{917C52AC-BAF5-4402-95CB-91721A826787}: NameServer = 192.51.11.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/04/17 20:17:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/01/09 16:19:56 | 000,000,060 | ---- | M] () - C:\autoshutdown.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: wd.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4CF07653-FE0F-11D4-A548-0090278A1BB8} - .NET Framework
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
ActiveX: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} - Help and Support Center
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} -
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - C:\WINDOWS\System32\ias.dll (Microsoft Corporation)
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: zmtqtg - C:\WINDOWS\system32\xhxde.dll ()
CREATERESTOREPOINT
System Restore Service not available.
========== Files/Folders - Created Within 30 Days ==========
[2012/09/17 12:52:21 | 000,000,000 | ---D | C] -- C:\OP1
[2012/09/17 11:26:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Operator1
[2012/09/17 11:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Operator1
[2012/09/15 14:16:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\R-TT
[2012/09/15 14:16:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\R-TT
[2012/09/15 14:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\R-Studio
[2012/09/15 14:16:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\R-Studio
[2012/09/15 11:38:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Simply Super Software
[2012/09/15 11:35:53 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\15500247.sys
[2012/09/13 16:43:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2012/09/13 15:58:41 | 000,000,000 | ---D | C] -- C:\Program Files\AAPTrojan Removal Tool
[2012/09/13 15:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\blekko toolbars
[2012/09/13 15:14:41 | 000,000,000 | ---D | C] -- C:\Program Files\blekkotb_031
[2012/09/13 15:14:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\blekkotb_031
[2012/09/13 15:14:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\blekkotb_031
[2012/09/13 15:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
[2012/09/13 15:13:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Downloads
[2012/09/13 15:13:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2012/09/13 15:13:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2012/09/13 15:13:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
[2012/09/13 12:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/09/13 12:40:48 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2012/09/13 12:40:28 | 013,414,352 | ---- | C] (Simply Super Software ) -- C:\Documents and Settings\Administrator\Desktop\trjsetup684.exe
[2012/09/11 12:35:34 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/11 11:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2012/09/10 15:20:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2012/09/10 15:19:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/09/10 15:18:41 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
[2012/09/10 14:53:34 | 001,629,088 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
[2012/09/04 17:59:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/08/18 15:31:09 | 000,000,000 | ---D | C] -- C:\Log
[2012/08/18 15:30:22 | 000,165,888 | ---- | C] (Kenonic Controls) -- C:\WINDOWS\Ckconfig.exe
[2012/08/18 15:30:22 | 000,122,880 | ---- | C] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\System32\Crypserv.exe
[2012/08/18 15:30:19 | 001,207,808 | ---- | C] (Dmitry Streblechenko) -- C:\WINDOWS\System32\PhoenixDll.dll
[2012/08/18 15:30:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Stellar Phoenix Windows Data Recovery
[2012/08/18 15:30:18 | 000,000,000 | ---D | C] -- C:\Program Files\Stellar Phoenix Windows Data Recovery
[2012/08/18 15:29:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Stellar Phoenix Windows Data Recovery
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/09/17 14:42:51 | 000,002,387 | ---- | M] () -- C:\WINDOWS\System32\RPCS.ini
[2012/09/17 14:42:35 | 000,000,078 | ---- | M] () -- C:\WINDOWS\ricdb.ini
[2012/09/17 11:00:00 | 000,000,218 | ---- | M] () -- C:\WINDOWS\tasks\autoshutdown.job
[2012/09/17 10:00:19 | 000,437,100 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/17 10:00:19 | 000,067,452 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/17 09:56:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/16 20:31:28 | 000,000,068 | ---- | M] () -- C:\WINDOWS\spwdr.INI
[2012/09/16 19:25:45 | 000,015,565 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 25 44 PM.IMG
[2012/09/16 19:25:02 | 000,015,565 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM.IMG
[2012/09/16 19:25:02 | 000,008,089 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM Drives.IMG
[2012/09/16 11:31:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/15 18:07:40 | 000,053,696 | ---- | M] () -- C:\WINDOWS\System32\C
[2012/09/15 10:10:58 | 005,341,184 | ---- | M] () -- C:\ISO.mdb
[2012/09/13 16:16:41 | 000,000,388 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Guest.lnk
[2012/09/13 16:15:55 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Govt Gazattes and Circulars.mdb.lnk
[2012/09/13 12:25:29 | 013,414,352 | ---- | M] (Simply Super Software ) -- C:\Documents and Settings\Administrator\Desktop\trjsetup684.exe
[2012/09/13 12:22:10 | 005,151,560 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rmslt(1).exe
[2012/09/13 11:21:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\15500247.sys
[2012/09/12 09:10:55 | 000,313,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/09/11 12:36:22 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/09/11 12:35:25 | 000,711,240 | ---- | M] () -- C:\WINDOWS\is-IIG1M.exe
[2012/09/11 12:35:25 | 000,010,550 | ---- | M] () -- C:\WINDOWS\is-IIG1M.msg
[2012/09/11 12:35:25 | 000,000,418 | ---- | M] () -- C:\WINDOWS\is-IIG1M.lst
[2012/09/10 15:13:45 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.62.0.1300.exe
[2012/09/10 14:29:31 | 001,629,088 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
[2012/09/04 17:59:29 | 000,001,523 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Backup.lnk
[2012/08/18 15:30:25 | 000,000,071 | ---- | M] () -- C:\WINDOWS\Crypkey.ini
[2012/08/18 15:30:19 | 000,000,875 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Stellar Phoenix Windows Data Recovery.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/09/16 19:25:45 | 000,015,565 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 25 44 PM.IMG
[2012/09/16 19:25:02 | 000,015,565 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM.IMG
[2012/09/16 19:25:02 | 000,008,089 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\SPWDR Scan 16-Sep-2012_07 24 59 PM Drives.IMG
[2012/09/13 16:16:41 | 000,000,388 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Guest.lnk
[2012/09/13 16:15:55 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Govt Gazattes and Circulars.mdb.lnk
[2012/09/13 14:10:16 | 005,151,560 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rmslt(1).exe
[2012/09/12 14:16:50 | 000,053,696 | ---- | C] () -- C:\WINDOWS\System32\C
[2012/09/11 12:35:25 | 000,711,240 | ---- | C] () -- C:\WINDOWS\is-IIG1M.exe
[2012/09/11 12:35:25 | 000,010,550 | ---- | C] () -- C:\WINDOWS\is-IIG1M.msg
[2012/09/11 12:35:25 | 000,000,418 | ---- | C] () -- C:\WINDOWS\is-IIG1M.lst
[2012/09/04 17:59:27 | 000,001,523 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Backup.lnk
[2012/08/18 15:31:09 | 000,000,068 | ---- | C] () -- C:\WINDOWS\spwdr.INI
[2012/08/18 15:30:25 | 000,000,071 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2012/08/18 15:30:22 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
[2012/08/18 15:30:22 | 000,019,584 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2012/08/18 15:30:22 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2012/08/18 15:30:22 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
[2012/08/18 15:30:19 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\StellarProfile.dll
[2012/08/18 15:30:19 | 000,000,875 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Stellar Phoenix Windows Data Recovery.lnk
[2012/08/08 14:00:59 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2012/08/08 12:05:02 | 000,000,434 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/07/27 12:00:43 | 000,000,078 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2012/07/27 12:00:41 | 000,002,387 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2012/07/27 11:49:54 | 000,042,483 | ---- | C] () -- C:\WINDOWS\Icccodes.dat
[2012/07/27 11:49:54 | 000,039,095 | ---- | C] () -- C:\WINDOWS\Iccsigs.dat
[2012/07/27 11:49:54 | 000,000,156 | ---- | C] () -- C:\WINDOWS\Kpcms.ini
[2012/07/27 11:49:53 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2012/07/27 11:01:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/04/17 23:30:39 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/04/17 23:29:38 | 000,313,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/04/17 20:31:44 | 000,004,096 | R--- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2012/04/17 20:31:44 | 000,000,151 | R--- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2012/04/17 20:31:41 | 000,870,560 | R--- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2012/04/17 20:31:41 | 000,127,868 | R--- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2012/04/17 20:29:57 | 000,061,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/04/17 20:20:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/04/17 20:15:01 | 000,021,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
========== Custom Scans ==========
< %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >
< %AppData%\Local\ >
< %systemroot%\system32\sysprep >
< *.xpi /md5 >
< %systemroot%\Downloaded Program Files\ >
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2006/03/22 17:30:00 | 000,094,208 | ---- | M] (Microsoft Corporation)
< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2006/03/22 17:30:00 | 000,094,208 | ---- | M] (Microsoft Corporation)
< %systemroot%\system32\drivers\*.sys /lockedfiles >
< %systemroot%\system32\drivers\*.sys /90 >
[2012/09/13 11:21:49 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\WINDOWS\system32\drivers\15500247.sys
[2012/09/11 12:36:22 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
< %systemroot%\System32\config\*.sav >
[2012/04/17 23:28:49 | 000,090,112 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2012/04/17 23:28:49 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2012/04/17 23:28:49 | 000,491,520 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav
< %SYSTEMDRIVE%\*.exe /md5 >
< "%WinDir%\$NtUninstallKB*$." /30 >
< %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >
< %systemroot%\*. /mp /s >
< %systemroot%\*. /rp /s >
< %systemroot%\system32\*.dll /lockedfiles >
[2006/03/22 17:30:00 | 000,062,976 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\xhxde.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\Installer\ /s >
< %systemroot%\system32\Cache\ /s >
< %systemroot%\system32\config\systemprofile\ /s >
< %PROGRAMFILES%\*. >
[2012/09/13 16:04:39 | 000,000,000 | ---D | M] -- C:\Program Files\AAPTrojan Removal Tool
[2012/07/27 11:53:27 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2012/09/13 15:14:44 | 000,000,000 | ---D | M] -- C:\Program Files\blekkotb_031
[2012/07/27 15:14:43 | 000,000,000 | ---D | M] -- C:\Program Files\Business Objects
[2012/08/08 14:03:59 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2012/08/08 14:05:23 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2012/07/27 11:51:41 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2012/08/10 17:18:42 | 000,000,000 | ---D | M] -- C:\Program Files\DoroPDFWriter
[2012/07/27 11:51:59 | 000,000,000 | ---D | M] -- C:\Program Files\InstallShield Installation Information
[2012/04/17 20:26:04 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2012/04/17 20:16:12 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2012/07/27 11:01:18 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2012/07/27 11:00:55 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2012/08/08 14:03:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2012/07/27 11:00:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2012/04/17 20:29:47 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2012/04/17 20:22:51 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2012/04/17 20:28:26 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2012/04/17 20:15:51 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2012/04/17 20:16:15 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2012/07/27 15:13:13 | 000,000,000 | ---D | M] -- C:\Program Files\Pervasive Software
[2012/09/15 14:16:16 | 000,000,000 | ---D | M] -- C:\Program Files\R-Studio
[2012/04/17 20:29:43 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2012/07/27 15:14:11 | 000,000,000 | ---D | M] -- C:\Program Files\Sage
[2012/08/18 15:30:54 | 000,000,000 | ---D | M] -- C:\Program Files\Stellar Phoenix Windows Data Recovery
[2012/09/16 11:30:53 | 000,000,000 | ---D | M] -- C:\Program Files\Trojan Remover
[2012/08/08 14:03:55 | 000,000,000 | ---D | M] -- C:\Program Files\Web Publish
[2012/04/17 20:17:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2012/04/17 20:13:56 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2012/04/17 20:16:56 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2012/07/27 11:56:32 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2012/07/27 11:57:22 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
< %appdata%\*.* >
[2012/04/17 23:30:03 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
< MD5 for: AFD.SYS >
[2006/03/22 17:30:00 | 000,150,528 | ---- | M] (Microsoft Corporation) MD5=755EA870CB8D6E4AEE8D39B2F4AFDF94 -- C:\WINDOWS\system32\dllcache\afd.sys
[2006/03/22 17:30:00 | 000,150,528 | ---- | M] (Microsoft Corporation) MD5=755EA870CB8D6E4AEE8D39B2F4AFDF94 -- C:\WINDOWS\system32\drivers\afd.sys
< MD5 for: ATAPI.SYS >
[2006/03/22 17:30:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005/03/24 17:55:32 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\dllcache\atapi.sys
[2005/03/24 17:55:32 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/03/22 17:30:00 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
< MD5 for: CRYPTSVC.DLL >
[2006/03/22 17:30:00 | 000,056,832 | ---- | M] (Microsoft Corporation) MD5=1FA95C1BE76C912BE9E5AA1B50A4B21E -- C:\WINDOWS\system32\cryptsvc.dll
[2006/03/22 17:30:00 | 000,056,832 | ---- | M] (Microsoft Corporation) MD5=1FA95C1BE76C912BE9E5AA1B50A4B21E -- C:\WINDOWS\system32\dllcache\cryptsvc.dll
< MD5 for: DNSRSLVR.DLL >
[2006/03/22 17:30:00 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=77FF6DD933437F49B8B95627102DE5D3 -- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
[2006/03/22 17:30:00 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=77FF6DD933437F49B8B95627102DE5D3 -- C:\WINDOWS\system32\dnsrslvr.dll
< MD5 for: ES.DLL >
[2006/03/22 17:30:00 | 000,238,592 | ---- | M] (Microsoft Corporation) MD5=D52D5F2BAD0978E45809F3F6F570E38D -- C:\WINDOWS\system32\dllcache\es.dll
[2006/03/22 17:30:00 | 000,238,592 | ---- | M] (Microsoft Corporation) MD5=D52D5F2BAD0978E45809F3F6F570E38D -- C:\WINDOWS\system32\es.dll
< MD5 for: EXPLORER.EXE >
[2006/03/22 17:30:00 | 001,050,624 | ---- | M] (Microsoft Corporation) MD5=4B93BB34AF478A0FD9765D9B73356DC9 -- C:\WINDOWS\explorer.exe
[2006/03/22 17:30:00 | 001,050,624 | ---- | M] (Microsoft Corporation) MD5=4B93BB34AF478A0FD9765D9B73356DC9 -- C:\WINDOWS\system32\dllcache\explorer.exe
< MD5 for: IPNATHLP.DLL >
[2006/03/22 17:30:00 | 000,339,968 | ---- | M] (Microsoft Corporation) MD5=00B791334BE2508AAF7E1D29100B3CE2 -- C:\WINDOWS\system32\dllcache\ipnathlp.dll
[2006/03/22 17:30:00 | 000,339,968 | ---- | M] (Microsoft Corporation) MD5=00B791334BE2508AAF7E1D29100B3CE2 -- C:\WINDOWS\system32\ipnathlp.dll
< MD5 for: IPSEC.SYS >
[2006/03/22 17:30:00 | 000,081,920 | ---- | M] (Microsoft Corporation) MD5=FD60EF15DC509A4C8CEB9D12B078C6C9 -- C:\WINDOWS\system32\dllcache\ipsec.sys
[2006/03/22 17:30:00 | 000,081,920 | ---- | M] (Microsoft Corporation) MD5=FD60EF15DC509A4C8CEB9D12B078C6C9 -- C:\WINDOWS\system32\drivers\ipsec.sys
< MD5 for: NETBT.SYS >
[2006/03/22 17:30:00 | 000,180,736 | ---- | M] (Microsoft Corporation) MD5=1576E5A77964E2DABFF03EB8AE28F44F -- C:\WINDOWS\system32\dllcache\netbt.sys
[2006/03/22 17:30:00 | 000,180,736 | ---- | M] (Microsoft Corporation) MD5=1576E5A77964E2DABFF03EB8AE28F44F -- C:\WINDOWS\system32\drivers\netbt.sys
< MD5 for: NETMAN.DLL >
[2006/03/22 17:30:00 | 000,264,704 | ---- | M] (Microsoft Corporation) MD5=99A40F8634D4A2B3B63BACD50A8AAD89 -- C:\WINDOWS\system32\dllcache\netman.dll
[2006/03/22 17:30:00 | 000,264,704 | ---- | M] (Microsoft Corporation) MD5=99A40F8634D4A2B3B63BACD50A8AAD89 -- C:\WINDOWS\system32\netman.dll
< MD5 for: QMGR.DLL >
[2006/03/22 17:30:00 | 000,380,928 | ---- | M] (Microsoft Corporation) MD5=28E8158B16DE930F346EF874C8C29492 -- C:\WINDOWS\system32\dllcache\qmgr.dll
[2006/03/22 17:30:00 | 000,380,928 | ---- | M] (Microsoft Corporation) MD5=28E8158B16DE930F346EF874C8C29492 -- C:\WINDOWS\system32\qmgr.dll
< MD5 for: RPCSS.DLL >
[2006/03/22 17:30:00 | 000,415,744 | ---- | M] (Microsoft Corporation) MD5=D9948E14F2F89EDBA3E9575FB389ED64 -- C:\WINDOWS\system32\dllcache\rpcss.dll
[2006/03/22 17:30:00 | 000,415,744 | ---- | M] (Microsoft Corporation) MD5=D9948E14F2F89EDBA3E9575FB389ED64 -- C:\WINDOWS\system32\rpcss.dll
< MD5 for: SERVICES.EXE >
[2006/03/22 17:30:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=B6DAA698BD2E07BB636A9383C9CB3A10 -- C:\WINDOWS\system32\dllcache\services.exe
[2006/03/22 17:30:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=B6DAA698BD2E07BB636A9383C9CB3A10 -- C:\WINDOWS\system32\services.exe
< MD5 for: SVCHOST.EXE >
[2006/03/22 17:30:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=CA8E6441930B54A8B8210061CE5FCCE7 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2006/03/22 17:30:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=CA8E6441930B54A8B8210061CE5FCCE7 -- C:\WINDOWS\system32\svchost.exe
< MD5 for: TCPIP.SYS >
[2006/03/22 17:30:00 | 000,333,312 | ---- | M] (Microsoft Corporation) MD5=EC676733442B122F1828FCD03B86C20B -- C:\WINDOWS\system32\dllcache\tcpip.sys
[2006/03/22 17:30:00 | 000,333,312 | ---- | M] (Microsoft Corporation) MD5=EC676733442B122F1828FCD03B86C20B -- C:\WINDOWS\system32\drivers\tcpip.sys
< MD5 for: USERINIT.EXE >
[2006/03/22 17:30:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=29A1877F2D0EACFF20B6507A3C00F31B -- C:\WINDOWS\system32\dllcache\userinit.exe
[2006/03/22 17:30:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=29A1877F2D0EACFF20B6507A3C00F31B -- C:\WINDOWS\system32\userinit.exe
< MD5 for: VOLSNAP.SYS >
[2006/03/22 17:30:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:volsnap.sys
[2006/03/22 17:30:00 | 000,152,576 | ---- | M] (Microsoft Corporation) MD5=364CBB5F273A0355D0A841635D66B764 -- C:\WINDOWS\system32\drivers\volsnap.sys
< MD5 for: WINLOGON.EXE >
[2006/03/22 17:30:00 | 000,508,928 | ---- | M] (Microsoft Corporation) MD5=325FD6D25FC1D77C363E87B445C8B023 -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2006/03/22 17:30:00 | 000,508,928 | ---- | M] (Microsoft Corporation) MD5=325FD6D25FC1D77C363E87B445C8B023 -- C:\WINDOWS\system32\winlogon.exe
< MD5 for: WMISVC.DLL >
[2006/03/22 17:30:00 | 000,143,360 | ---- | M] (Microsoft Corporation) MD5=391265F02FF1AA4A67C09653A450D518 -- C:\WINDOWS\system32\dllcache\wmisvc.dll
[2006/03/22 17:30:00 | 000,143,360 | ---- | M] (Microsoft Corporation) MD5=391265F02FF1AA4A67C09653A450D518 -- C:\WINDOWS\system32\wbem\wmisvc.dll
< MD5 for: WUAUSERV.DLL >
[2006/03/22 17:30:00 | 000,008,192 | ---- | M] (Microsoft Corporation) MD5=69E524D75FDFAF97D19A1CBBAA7FAE53 -- C:\WINDOWS\system32\dllcache\wuauserv.dll
[2006/03/22 17:30:00 | 000,008,192 | ---- | M] (Microsoft Corporation) MD5=69E524D75FDFAF97D19A1CBBAA7FAE53 -- C:\WINDOWS\system32\wuauserv.dll
========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
========== Alternate Data Streams ==========
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47F1DFAC
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >
OTL Extras logfile created on: 9/17/2012 3:07:58 PM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = D:\
Windows Server 2003 Enterprise Edition Service Pack 1 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.1830)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.80 Gb Total Physical Memory | 3.27 Gb Available Physical Memory | 86.08% Memory free
5.64 Gb Paging File | 4.90 Gb Available in Paging File | 86.93% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 82.67 Gb Free Space | 88.75% Space Free | Partition Type: NTFS
Drive D: | 3.76 Gb Total Space | 3.75 Gb Free Space | 99.97% Space Free | Partition Type: FAT32
Drive J: | 372.60 Gb Total Space | 166.87 Gb Free Space | 44.78% Space Free | Partition Type: NTFS
Computer Name: OFFICE-SERVER3 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1296:TCP" = 1296:TCP:*:Enabled:WWW
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe" = C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe:*:Enabled:Database Service Manager -- (Pervasive Software Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A3238D7-AB32-1010-B717-F3E3F18B4A8C}" = Pervasive PSQL v10.10 Workgroup (32-bit)
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{505AFDC0-5E72-4928-8368-5DEA385E3647}" = CorelDRAW Graphics Suite 12
"{6798DD4E-BD16-4735-87EB-D712637CCB8C}" = Sage Message Center
"{6CD774DA-B798-4D1E-B327-2AA6EA407929}" = Peachtree Accounting 2010
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{8BCB844B-0814-4354-A413-1063DB4618E9}" = PeachTree Signature Ready Forms
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}" = Crystal Reports 2008 Runtime SP1
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"Adobe PageMaker 7.0" = Adobe PageMaker 7.0
"Anti-phishing Domain Advisor" = Anti-phishing Domain Advisor
"blekkotb_031" = blekko search bar
"Doro_is1" = Doro 1.77
"InstallShield_{6CD774DA-B798-4D1E-B327-2AA6EA407929}" = Peachtree Premium Accounting for Manufacturing 2010
"Integration Services" = Sage Integration Services
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"MsJavaVM" = Microsoft VM for Java
"R-Studio 6.1NSIS" = R-Studio 6.1
"Stellar Phoenix Windows Data Recovery_is1" = Stellar Phoenix Windows Data Recovery V4.1
"Visual Studio 6.0 Enterprise Edition" = Microsoft Visual Studio 6.0 Enterprise Edition
"WebPost" = Microsoft Web Publishing Wizard 1.53
"WIC" = Windows Imaging Component
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 9/14/2012 11:48:53 PM | Computer Name = OFFICE-SERVER3 | Source = Userenv | ID = 1502
Description = Windows cannot load the locally stored profile. Possible causes of
this error include insufficient security rights or a corrupt local profile. If
this problem persists, contact your network administrator. DETAIL - The process
cannot access the file because it is being used by another process.
Error - 9/14/2012 11:48:53 PM | Computer Name = OFFICE-SERVER3 | Source = Userenv | ID = 1515
Description = Windows has backed up this user's profile. Windows will automatically
try to use the backed up profile the next time this user logs on.
Error - 9/14/2012 11:48:58 PM | Computer Name = OFFICE-SERVER3 | Source = Userenv | ID = 1511
Description = Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you log off.
Error - 9/15/2012 1:35:29 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8003
Description = End Restore to 'D:' 'Failed' Verify: Off Consult the backup report
for more detail.
Error - 9/15/2012 1:35:29 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.
Error - 9/15/2012 1:39:32 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8003
Description = End Restore to 'D:' 'Failed' Verify: Off Consult the backup report
for more detail.
Error - 9/15/2012 1:39:32 AM | Computer Name = OFFICE-SERVER3 | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.
Error - 9/15/2012 2:07:17 AM | Computer Name = OFFICE-SERVER3 | Source = crypt32 | ID = 131075
Description = Failed auto update retrieval of third-party root list cab from:
with error: This operation returned because the timeout period expired.
Error - 9/15/2012 8:21:47 AM | Computer Name = OFFICE-SERVER3 | Source = Application Hang | ID = 1002
Description = Hanging application Pm70.exe, version 0.7.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 9/16/2012 2:41:38 AM | Computer Name = OFFICE-SERVER3 | Source = Application Hang | ID = 1002
Description = Hanging application RStudio32.exe, version 6.1.152.29, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 9/16/2012 8:21:47 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:24:16 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:24:16 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:35:31 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 8:35:31 AM | Computer Name = OFFICE-SERVER3 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library hp v220w USB
Device.
Error - 9/16/2012 9:51:31 AM | Computer Name = OFFICE-SERVER3 | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume Q:.
Error - 9/16/2012 10:05:49 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The ttqoy service terminated with the following error: %%2
Error - 9/16/2012 10:05:49 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The zmtqtg service terminated with the following error: %%1114
Error - 9/17/2012 12:27:51 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The ttqoy service terminated with the following error: %%2
Error - 9/17/2012 12:27:51 AM | Computer Name = OFFICE-SERVER3 | Source = Service Control Manager | ID = 7023
Description = The zmtqtg service terminated with the following error: %%1114
< End of report >
# AdwCleaner v2.002 - Logfile created 09/17/2012 at 15:14:54
# Updated 16/09/2012 by Xplode
# Operating system : Microsoft Windows Server 2003 Service Pack 1 (32 bits)
# User : Administrator - OFFICE-SERVER3
# Boot Mode : Normal
# Running from : D:\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Deleted on reboot : C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****
-\\ Internet Explorer v6.0.3790.1830
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-247894039-1264540694-3313736524-1027\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=141BEA48B854119F7422315051AB0A3F&tbp=homepage --> hxxp://www.google.com
*************************
AdwCleaner[S2].txt - [1812 octets] - [17/09/2012 15:14:54]
########## EOF - C:\AdwCleaner[S2].txt - [1872 octets] ##########