Windows 2003 SBS Server Spam Server



Truby
2011-07-25, 01:24
Hi,

One of my customers recently was blacklisted on CBL for sending spam.
On further investigation, it turned out that a user who had remote desktop access to the server had had their password hacked.
There were two installations that appeared to be spam mailers, ASM (ThInstall) and another install called ok_-_copy, which has a bunch of nasties in it: SQL Server, IMAP, MySQL, FTP dictionaries etc.

I removed them into a safe, compressed folder, but I am still getting blacklisted. None of the antivirus or anti-malware tools have found anything on the server: Trend Micro, Kaspersky, etc. (we have run Trend Micro).
And Spybot and Malwarebytes haven't found anything.

The network runs a proxy server, and is blocking ports 25 and 587. I am about to block POP (110) as well, in case the infection is on another PC in the network.

I don't know who to send the details of this "new" infection to.
On that note, I don't know how to stop my blasted server from sending out spam!?!?! Any hints?

I have run OTL and checked all the files and programs, and can't see anything out of the ordinary.

thanks!
Truby

Truby
2011-07-25, 02:20
OTL logfile created on: 25/07/2011 9:29:59 a.m. - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: dd/MM/yyyy

2.50 Gb Total Physical Memory | 0.33 Gb Available Physical Memory | 13.04% Memory free
6.36 Gb Paging File | 3.95 Gb Available in Paging File | 62.18% Paging File free
Paging file location(s): d:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.25 Gb Total Space | 8.06 Gb Free Space | 25.01% Space Free | Partition Type: NTFS
Drive D: | 8.05 Gb Total Space | 4.05 Gb Free Space | 50.33% Space Free | Partition Type: FAT32
Drive E: | 96.38 Gb Total Space | 68.06 Gb Free Space | 70.62% Space Free | Partition Type: NTFS
Drive G: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive L: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive P: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive R: | 32.25 Gb Total Space | 8.06 Gb Free Space | 25.01% Space Free | Partition Type: NTFS
Drive S: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive U: | 96.38 Gb Total Space | 68.06 Gb Free Space | 70.62% Space Free | Partition Type: NTFS
Drive Z: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS

Computer Name: SBSERVER | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/25 09:27:56 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/07/06 19:52:38 | 001,047,656 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011/07/06 19:52:38 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/07/06 16:32:20 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2011/07/06 16:32:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2011/03/30 02:56:02 | 002,483,728 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\OfcService.exe
PRC - [2011/03/30 01:21:02 | 000,157,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wins.exe
PRC - [2011/03/26 09:07:32 | 001,076,904 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
PRC - [2011/03/26 09:04:38 | 000,121,064 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2011/03/10 04:00:52 | 001,394,192 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
PRC - [2011/01/21 11:11:54 | 000,196,320 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
PRC - [2010/12/06 13:59:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/10/26 14:47:58 | 000,677,200 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2010/10/25 20:25:56 | 000,046,416 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Messaging Security Agent\svcGenericHost.exe
PRC - [2010/10/25 20:25:36 | 000,039,248 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_SystemWatcher.exe
PRC - [2010/10/25 20:24:58 | 000,050,000 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_RemoteConfig.exe
PRC - [2010/10/25 20:24:58 | 000,050,000 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Messaging Security Agent\SMEX_Master.exe
PRC - [2010/10/22 13:46:26 | 000,232,112 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\OfcAoSMgr.exe
PRC - [2010/10/21 03:03:32 | 000,138,640 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
PRC - [2010/09/17 10:57:05 | 000,139,264 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\iBUSOBM\aua\jvm\bin\auaJW.exe
PRC - [2010/07/16 17:16:40 | 000,464,208 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Security Server\PCCSRV\wss\iCRCService.exe
PRC - [2009/02/16 23:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2008/11/26 16:59:27 | 005,266,432 | ---- | M] (Microsoft Corporation) -- E:\Exchsrvr\bin\store.exe
PRC - [2008/05/09 18:23:30 | 000,073,728 | ---- | M] () -- C:\Program Files\iBUSOBM\aua\bin\Aua.exe
PRC - [2007/04/17 14:03:52 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/02/18 00:30:48 | 001,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2007/02/18 00:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe
PRC - [2007/02/17 04:08:14 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 03:58:10 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sbscrexe.exe
PRC - [2007/02/17 03:55:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 03:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/17 03:31:48 | 000,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr
PRC - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/17 02:58:36 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/11/10 13:25:46 | 001,776,640 | ---- | M] () -- C:\Program Files\Ricoh\Scheduler.exe
PRC - [2005/08/25 19:10:14 | 008,920,064 | ---- | M] (Microsoft Corporation) -- E:\Exchsrvr\bin\mad.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- E:\Exchsrvr\bin\exmgmt.exe
PRC - [2005/05/09 17:54:42 | 000,153,688 | ---- | M] (VERITAS Software Corporation) -- C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
PRC - [2005/05/06 08:28:10 | 000,053,248 | ---- | M] (Adaptec Incorporated) -- C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
PRC - [2005/04/14 08:40:58 | 000,045,134 | ---- | M] (APC) -- C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
PRC - [2005/04/14 08:40:52 | 000,028,672 | ---- | M] (APC) -- C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
PRC - [2004/07/14 01:05:10 | 001,527,887 | ---- | M] (The Firebird Project) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
PRC - [2004/07/14 01:05:10 | 000,065,536 | ---- | M] (The Firebird Project) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
PRC - [2004/04/01 18:21:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PRC - [2003/09/11 11:43:45 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Monitoring\wblogsvc.exe
PRC - [2003/09/11 11:43:05 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe


========== Modules (SafeList) ==========

MOD - [2011/07/25 09:27:56 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/09/08 00:08:31 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll
MOD - [2007/02/17 04:09:16 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- -- (UPS)
SRV - File not found [Auto | Running] -- -- (ScanMail_SystemWatcher)
SRV - File not found [Auto | Running] -- -- (ScanMail_RemoteConfig)
SRV - File not found [Auto | Running] -- -- (ScanMail_Master)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/07/06 16:32:20 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2011/07/06 16:32:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/03/30 02:56:02 | 002,483,728 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\OfcService.exe -- (ofcservice)
SRV - [2011/03/30 01:21:02 | 000,157,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wins.exe -- (WINS) Windows Internet Name Service (WINS)
SRV - [2011/01/21 11:11:54 | 000,196,320 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV - [2010/12/06 13:59:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/10/26 14:47:58 | 000,677,200 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe -- (TmListen)
SRV - [2010/10/25 20:21:34 | 000,033,616 | ---- | M] (Trend Micro Inc.) [Disabled | Stopped] -- C:\Program Files\Trend Micro\Messaging Security Agent\EUQ\EUQMonitor.exe -- (EUQ_Monitor)
SRV - [2010/10/22 13:46:26 | 000,232,112 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\OfcAoSMgr.exe -- (OfcAoSMgr)
SRV - [2010/07/16 17:16:40 | 000,464,208 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Security Server\PCCSRV\WSS\iCRCService.exe -- (TMiCRCScanService)
SRV - [2010/04/28 11:33:58 | 000,262,144 | ---- | M] () [Auto | Stopped] -- C:\Program Files\iBUSOBM\bin\CDPService.exe -- (OBCDPService) Continuous Data Protection (iBUS Online Backup Manager)
SRV - [2010/04/28 11:33:58 | 000,077,824 | ---- | M] () [Auto | Stopped] -- C:\Program Files\iBUSOBM\bin\Scheduler.exe -- (OBScheduler) Online Backup Scheduler (iBUS Online Backup Manager)
SRV - [2009/02/16 23:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2008/11/26 16:59:27 | 005,266,432 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\Exchsrvr\bin\store.exe -- (MSExchangeIS)
SRV - [2008/11/26 15:43:19 | 003,598,848 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- E:\Exchsrvr\bin\emsmta.exe -- (MSExchangeMTA)
SRV - [2008/05/09 18:23:30 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\Program Files\iBUSOBM\aua\bin\Aua.exe -- (OBAutoUpdate) AutoUpdateAgent (iBUS Online Backup Manager)
SRV - [2008/02/14 16:54:00 | 001,111,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Dynamics NAV\Database Server\SERVER.exe -- (SBSERVER)
SRV - [2007/02/18 00:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/17 04:07:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 03:58:10 | 000,037,888 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\WINDOWS\system32\sbscrexe.exe -- (SBCore)
SRV - [2007/02/17 03:55:56 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/17 03:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/17 03:20:52 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (RESvc)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (POP3Svc)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (NntpSvc) Network News Transfer Protocol (NNTP)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IMAP4Svc)
SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/17 03:19:28 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/17 02:50:02 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2006/11/10 12:45:06 | 001,635,456 | ---- | M] (VERITAS Software Corporation) [On_Demand | Stopped] -- C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe -- (BackupExecJobEngine)
SRV - [2006/07/11 05:42:34 | 003,310,144 | ---- | M] (VERITAS Software Corporation) [On_Demand | Stopped] -- C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe -- (BackupExecRPCService)
SRV - [2006/07/11 05:40:54 | 000,830,528 | ---- | M] (VERITAS Software Corporation) [On_Demand | Stopped] -- C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/07/11 05:37:56 | 000,507,456 | ---- | M] (VERITAS Software Corporation) [On_Demand | Stopped] -- C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2005/08/25 19:10:14 | 008,920,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\Exchsrvr\bin\mad.exe -- (MSExchangeSA)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2005/08/25 18:29:52 | 000,339,456 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- E:\Exchsrvr\bin\srsmain.exe -- (MSExchangeSRS)
SRV - [2005/05/14 09:18:46 | 000,035,416 | ---- | M] (VERITAS Software Corporation) [On_Demand | Stopped] -- C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2005/05/06 08:28:10 | 000,053,248 | ---- | M] (Adaptec Incorporated) [Auto | Running] -- C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe -- (AdaptecStorageManagerAgent)
SRV - [2005/04/14 08:40:58 | 000,045,134 | ---- | M] (APC) [Auto | Running] -- C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe -- (APCPBEServer)
SRV - [2005/04/14 08:40:52 | 000,028,672 | ---- | M] (APC) [Auto | Running] -- C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe -- (APCPBEAgent)
SRV - [2004/07/14 01:05:10 | 001,527,887 | ---- | M] (The Firebird Project) [Auto | Running] -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe -- (FirebirdServerDefaultInstance)
SRV - [2004/07/14 01:05:10 | 000,065,536 | ---- | M] (The Firebird Project) [Auto | Running] -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe -- (FirebirdGuardianDefaultInstance)
SRV - [2004/04/01 18:21:16 | 000,069,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH)
SRV - [2003/11/12 15:34:56 | 000,098,304 | ---- | M] (Tyan Computer Corp) [On_Demand | Stopped] -- C:\Program Files\ML150 System Monitor Server Agent\MSMDataEngine.exe -- (MSMDataEngine)
SRV - [2003/09/11 11:43:45 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows Small Business Server\Monitoring\wblogsvc.exe -- (WBLOGSVC)
SRV - [2003/09/11 11:43:05 | 000,025,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe -- (MSPOP3Connector)
SRV - [2003/09/11 07:26:10 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2003/09/11 07:26:10 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2003/06/03 19:23:09 | 000,094,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- E:\Exchsrvr\bin\events.exe -- (MSExchangeES)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/06 16:32:48 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/02/25 14:10:00 | 000,081,168 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2011/02/25 14:09:00 | 000,190,736 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2011/02/25 14:09:00 | 000,065,296 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/09/30 10:59:16 | 000,092,112 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/07/15 16:37:52 | 000,339,984 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2009/05/19 16:42:38 | 000,009,216 | ---- | M] (Hewlett-Packard ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpdat.sys -- (hpdat)
DRV - [2008/10/18 12:56:36 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/02/28 15:31:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/02/17 04:09:26 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/17 02:49:38 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2007/02/17 02:31:14 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2005/08/25 17:29:06 | 000,196,192 | ---- | M] (Microsoft Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\exifs.sys -- (EXIFS)
DRV - [2005/04/01 15:40:00 | 000,092,571 | R--- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aacmgt.sys -- (AACmgt)
DRV - [2004/07/26 18:11:43 | 000,020,256 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2004/04/02 20:43:18 | 000,037,704 | ---- | M] (VERITAS Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\04mmdat.sys -- (4mmdat--VRTS)
DRV - [2003/09/18 19:23:52 | 000,016,136 | ---- | M] (VERITAS Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2003/08/01 13:38:34 | 000,013,023 | ---- | M] (Tyan Computer System) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tyansmb.sys -- (tyansmb)
DRV - [2003/03/25 11:05:30 | 000,013,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\4mmdat.sys -- (4mmdat)
DRV - [2003/03/25 09:54:06 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2002/10/09 17:27:48 | 000,008,064 | ---- | M] (Tyan Computer Co.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ipmidrv.sys -- (IPMI_Driver)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = sbserver:8080

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\firefoxextension\ [2011/07/19 09:06:29 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/07/20 10:57:36 | 000,436,117 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 15010 more lines...
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1165\6.6.1081\TmIEPlg.dll (Trend Micro Inc.)
O4 - HKLM..\Run: [InterBaseGuardian] C:\Program Files\InterBase\bin\ibguard.exe (Inprise Corporation)
O4 - HKLM..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe (RICOH CO.,LTD.)
O4 - HKLM..\Run: [OBSystemTray] C:\Program Files\iBUSOBM\bin\SystemTray.exe ()
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe (VERITAS Software Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\e-Reader Scheduler.lnk = C:\Program Files\Ricoh\Scheduler.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 1
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70752} https://10.0.0.2:4343/officescan/console/ClientInstall/WinNTChk.cab (ObjWinNTCheck Class)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187657256655 (MUCatalogWebControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186540780565 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186540697768 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} https://10.0.0.2/SMB/console/html/root/AtxEnc.cab (Encrypt Class)
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} https://10.0.0.2:4343/SMB/console/html/root/AtxEnc.cab (Encrypt Class)
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} https://10.0.0.2/SMB/console/html/root/AtxConsole.cab (Security Server Management Console)
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} https://10.0.0.2:4343/SMB/console/html/root/AtxConsole.cab (Security Server Management Console)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} https://10.0.0.2/SMB/console/html/root/AtxConsole.cab (Security Server Management Console)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = taylormarine.co.nz
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1165\6.6.1081\TmIEPlg.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/07/26 10:41:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5f0bcbaa-92b4-11df-95a5-0002b3eedc25}\Shell - "" = AutoRun
O33 - MountPoints2\{5f0bcbaa-92b4-11df-95a5-0002b3eedc25}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f0bcbaa-92b4-11df-95a5-0002b3eedc25}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{66c859b8-52fc-11dd-8029-0002b3eedc25}\Shell\AutoRun\command - "" = H:\setupSNK.exe
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/25 09:27:39 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/07/25 09:18:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/07/25 09:17:36 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/25 09:17:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/25 09:17:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/07/25 09:17:23 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/25 09:17:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/25 09:16:59 | 009,466,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.51.1.1800.exe
[2011/07/25 09:10:55 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2011/07/25 09:05:42 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/25 09:05:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/25 09:05:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/07/25 08:21:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/07/22 09:33:53 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/07/22 09:07:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/07/22 08:29:43 | 000,000,000 | ---D | C] -- C:\desktop
[2011/07/22 08:15:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/07/22 08:03:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Dodgy Programs
[2011/07/21 12:49:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\TCPView
[2011/07/20 16:39:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Autoruns
[2011/07/19 08:34:28 | 000,092,112 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2011/07/19 08:30:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro Worry-Free Business Security Agent
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/25 09:45:00 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\Collect Server Performance Data.job
[2011/07/25 09:34:18 | 000,002,586 | ---- | M] () -- C:\WINDOWS\System32\licstr.cpa
[2011/07/25 09:27:56 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/07/25 09:17:37 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/25 09:16:59 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.51.1.1800.exe
[2011/07/25 09:11:02 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2011/07/25 08:07:35 | 000,150,056 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Open Ports.JPG
[2011/07/25 07:54:17 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/25 05:07:00 | 000,007,531 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/07/25 04:33:46 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Collect Usage Data.job
[2011/07/24 18:30:00 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\Backup_NAV_Live.job
[2011/07/22 14:31:58 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{BE5AC0D0-E7EE-495B-A699-710423E2D6CC}.job
[2011/07/22 08:56:14 | 001,190,832 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/22 08:56:14 | 000,347,584 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/22 08:50:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/22 07:31:53 | 000,000,848 | RHS- | M] () -- C:\Documents and Settings\Administrator\ntuser.pol
[2011/07/21 14:15:46 | 000,001,612 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Scripts.lnk
[2011/07/21 12:48:56 | 000,290,954 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\TCPView.zip
[2011/07/21 08:42:54 | 000,095,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/20 16:40:21 | 000,005,296 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/20 10:57:36 | 000,436,117 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/07/19 09:17:36 | 000,212,992 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\testsql.zup
[2011/07/17 10:13:55 | 000,035,750 | ---- | M] () -- C:\WINDOWS\ricdb.ini
[2011/07/17 10:13:54 | 000,005,654 | ---- | M] () -- C:\WINDOWS\System32\RPCS.ini
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/06 16:32:48 | 000,083,360 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2011/07/06 16:32:28 | 000,087,424 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2011/07/06 16:32:28 | 000,029,568 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/25 09:17:37 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/25 08:07:35 | 000,150,056 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Open Ports.JPG
[2011/07/21 12:48:54 | 000,290,954 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\TCPView.zip
[2011/04/04 12:01:00 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2011/01/25 13:58:00 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\wfbshelp.ini
[2009/11/10 10:30:30 | 000,005,746 | ---- | C] () -- C:\WINDOWS\cfgrt_ex.ini
[2009/06/18 04:08:32 | 000,000,345 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/13 07:55:35 | 000,003,618 | ---- | C] () -- C:\WINDOWS\cfgspyms.ini
[2008/10/13 07:55:34 | 000,004,412 | ---- | C] () -- C:\WINDOWS\cfgms.ini
[2008/10/09 16:21:08 | 000,000,033 | ---- | C] () -- C:\WINDOWS\unicon.ini
[2008/08/13 12:35:04 | 000,001,843 | ---- | C] () -- C:\WINDOWS\System32\RC98E1A0.dat
[2008/08/11 10:43:08 | 000,000,460 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\dbms.zup
[2008/08/11 10:30:33 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\fin.zup
[2008/08/11 10:25:28 | 000,212,992 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\testsql.zup
[2008/08/11 10:00:55 | 000,000,460 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\dbms.zup
[2007/11/26 16:27:41 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\APCSnmp.dll
[2007/09/26 14:10:29 | 000,003,678 | ---- | C] () -- C:\WINDOWS\cfgspyps.ini
[2007/09/13 10:07:21 | 000,036,939 | ---- | C] () -- C:\WINDOWS\System32\insrepim.exe
[2007/07/06 12:09:34 | 000,000,129 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/22 18:14:58 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/05/03 14:54:24 | 000,004,485 | ---- | C] () -- C:\WINDOWS\cfgps.ini
[2007/04/26 12:26:18 | 000,003,631 | ---- | C] () -- C:\WINDOWS\cfgrs_ex.ini
[2007/04/26 12:26:17 | 000,004,420 | ---- | C] () -- C:\WINDOWS\cfgrs.ini
[2007/02/18 00:26:18 | 000,004,725 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/09/13 11:33:01 | 000,017,586 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2006/02/15 11:02:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\AOReport.dll
[2006/02/15 11:02:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\aocheck.exe
[2006/02/15 11:01:31 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\myoem.dll
[2005/06/30 11:28:15 | 000,002,031 | ---- | C] () -- C:\WINDOWS\PmData.Dat
[2005/06/30 11:28:15 | 000,000,226 | ---- | C] () -- C:\WINDOWS\PMJobCli.ini
[2005/06/30 11:28:12 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RLPR.dll
[2005/06/30 11:28:12 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\rtcpf.dll
[2005/06/30 11:28:11 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\rpnv2ui.dll
[2005/06/30 11:28:09 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\PMObservps.dll
[2005/06/30 11:28:06 | 000,012,358 | ---- | C] () -- C:\WINDOWS\PMRicMb.ini
[2005/06/30 11:28:06 | 000,006,702 | ---- | C] () -- C:\WINDOWS\PMRicPMb.ini
[2005/06/30 11:28:06 | 000,005,390 | ---- | C] () -- C:\WINDOWS\PMPrtMb.ini
[2005/06/30 11:28:06 | 000,004,303 | ---- | C] () -- C:\WINDOWS\PMRicFMb.ini
[2005/06/30 11:28:06 | 000,003,005 | ---- | C] () -- C:\WINDOWS\PMDvPrn.ini
[2005/06/30 11:28:06 | 000,002,102 | ---- | C] () -- C:\WINDOWS\PMDvDev.ini
[2005/06/30 11:28:06 | 000,002,047 | ---- | C] () -- C:\WINDOWS\PMDIOMb.ini
[2005/06/30 11:28:06 | 000,002,036 | ---- | C] () -- C:\WINDOWS\PMHostMb.ini
[2005/06/30 11:28:06 | 000,001,885 | ---- | C] () -- C:\WINDOWS\PMPSIOMb.ini
[2005/06/30 11:28:06 | 000,001,727 | ---- | C] () -- C:\WINDOWS\PMRicSMb.ini
[2005/06/30 11:28:06 | 000,001,706 | ---- | C] () -- C:\WINDOWS\PMRicCMb.ini
[2005/06/30 11:28:06 | 000,001,494 | ---- | C] () -- C:\WINDOWS\PMMib2Mb.ini
[2005/06/30 11:28:06 | 000,001,143 | ---- | C] () -- C:\WINDOWS\PMDPIMb.ini
[2005/06/30 11:28:06 | 000,001,110 | ---- | C] () -- C:\WINDOWS\PMDvFax.ini
[2005/06/30 11:28:06 | 000,001,094 | ---- | C] () -- C:\WINDOWS\PMAxsMb.ini
[2005/06/30 11:28:06 | 000,000,842 | ---- | C] () -- C:\WINDOWS\PMDvScan.ini
[2005/06/30 11:28:06 | 000,000,423 | ---- | C] () -- C:\WINDOWS\PMDvCopy.ini
[2005/06/30 11:28:06 | 000,000,332 | ---- | C] () -- C:\WINDOWS\PMSnmpMb.ini
[2005/06/30 11:26:24 | 000,035,750 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2005/06/30 11:26:22 | 000,005,654 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2005/02/03 10:13:05 | 000,000,320 | ---- | C] () -- C:\WINDOWS\SWWATER.INI
[2004/08/09 11:05:38 | 000,002,651 | ---- | C] () -- C:\WINDOWS\RBuilder.ini
[2004/08/01 10:43:14 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2004/07/28 09:49:22 | 000,198,656 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/07/27 14:36:48 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2004/07/27 14:17:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/07/27 14:08:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2004/07/27 14:08:10 | 000,017,579 | ---- | C] () -- C:\WINDOWS\System32\nntpctrs.ini
[2004/07/27 14:03:27 | 000,011,597 | ---- | C] () -- C:\WINDOWS\System32\dnsperf.ini
[2004/07/27 14:01:25 | 000,002,360 | ---- | C] () -- C:\WINDOWS\System32\dhcpctrs.ini
[2004/07/26 18:17:53 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/26 18:16:37 | 000,095,864 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/07/26 11:53:39 | 000,001,933 | ---- | C] () -- C:\WINDOWS\ACT_CFG.INI
[2004/07/26 11:50:15 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2004/07/26 11:17:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/07/26 10:36:50 | 000,021,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/07/26 10:35:40 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2004/07/26 10:35:40 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2004/07/26 10:34:31 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2004/07/26 10:34:30 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2004/07/26 10:34:23 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2003/09/11 07:26:10 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/09/11 07:26:10 | 001,190,832 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/09/11 07:26:10 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/09/11 07:26:10 | 000,347,584 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/09/11 07:26:10 | 000,275,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/09/11 07:26:10 | 000,216,006 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/09/11 07:26:10 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2003/09/11 07:26:10 | 000,046,907 | ---- | C] () -- C:\WINDOWS\mib.bin
[2003/09/11 07:26:10 | 000,029,710 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/09/11 07:26:10 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2003/09/11 07:26:10 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2003/09/11 07:26:10 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2003/09/11 07:26:10 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2003/09/11 07:26:10 | 000,005,644 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2003/09/11 07:26:10 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2003/09/11 07:26:10 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/09/11 07:26:10 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/09/11 07:26:10 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\mqtgsvc.exe.cfg

< End of report >

Truby
2011-07-25, 02:21
OTL Extras logfile created on: 25/07/2011 9:30:00 a.m. - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: dd/MM/yyyy

2.50 Gb Total Physical Memory | 0.33 Gb Available Physical Memory | 13.04% Memory free
6.36 Gb Paging File | 3.95 Gb Available in Paging File | 62.18% Paging File free
Paging file location(s): d:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.25 Gb Total Space | 8.06 Gb Free Space | 25.01% Space Free | Partition Type: NTFS
Drive D: | 8.05 Gb Total Space | 4.05 Gb Free Space | 50.33% Space Free | Partition Type: FAT32
Drive E: | 96.38 Gb Total Space | 68.06 Gb Free Space | 70.62% Space Free | Partition Type: NTFS
Drive G: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive L: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive P: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive R: | 32.25 Gb Total Space | 8.06 Gb Free Space | 25.01% Space Free | Partition Type: NTFS
Drive S: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive U: | 96.38 Gb Total Space | 68.06 Gb Free Space | 70.62% Space Free | Partition Type: NTFS
Drive Z: | 67.83 Gb Total Space | 14.39 Gb Free Space | 21.22% Space Free | Partition Type: NTFS

Computer Name: SBSERVER | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Disabled:Spybot-S&D 2 Scanner Service
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000000-0000-5010-0002-0000836BD2D2}" = Microsoft Dynamics NAV 5.0 SP1 Database Server
"{00000000-0000-5010-A800-0000836BD2D2}" = Microsoft Dynamics NAV 5.0 SP1 CSIDE Client
"{0A07E717-BB5D-4B99-840B-6C5DED52B277}" = Trend Micro Worry-Free Business Security Agent
"{0AFBEC56-6CF0-4ED1-B6D6-F255EC5867CA}" = Ezijobz SME
"{0C753D2F-C64A-44B9-8FF4-A7752D8F2EC7}" = Windows Small Business Server Admin
"{0F86FD09-BA63-4E45-A70B-604C1106C2F2}" = APC PowerChute Business Edition Console
"{14C03D20-0507-419A-9E2A-3C17CDB10527}" = ML150 System Monitor Server Agent
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 26
"{2734011B-3709-45B2-A946-5A1ADB1AFCFE}" = Windows Small Business Server Documents
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition
"{31271095-CD3A-4C9F-89F6-B5F6F3B35636}" = Windows Small Business Server Remote Portal
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3CE06D54-72B1-44B2-AB60-E4277EC80EF4}" = Microsoft XML Parser
"{3FEC3A5B-60FF-4626-B425-08E09B121A15}" = LogMeIn
"{47DAC891-3058-4713-AC22-553A7BA1E1D8}" = ML150 System Monitor Console
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53BE2241-531B-49FB-B03D-06C377179548}" = Windows Small Business Server IE Client App
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5D622FC5-B037-4505-AD5A-60555C2A05E9}" = Microsoft Connector for POP3 Mailboxes
"{5DB0ECA1-4C56-488B-9BF1-FB300D9E1F54}" = Trend Micro Plug-in Manager
"{64A411C9-DB09-4F01-A8D4-2D5227D7A074}" = Windows Small Business Server Licensing
"{65657C59-23A8-4974-B8E0-BA04EBD04E4F}" = Microsoft SQL Server Desktop Engine (SHAREPOINT)
"{66C8DA1B-9156-44B6-B222-2219BC6F21A9}" = Windows Small Business Server Client Setup
"{671E4E4D-4798-4F66-9C9E-C5762E73179E}" = Microsoft XML Parser
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05
"{73980FB5-5DF2-4DC8-9E53-14EF93FD72B6}" = Type3232 TWAIN Driver Ver.3
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8681E826-9DC6-4EAC-84B7-971EA795BD36}" = Microsoft Group Policy Management Console
"{885CAC07-102C-4663-8283-51CBCE616211}" = HP StorageWorks Library And Tape Tools
"{88A6C12D-DED9-412B-9CC2-643F03674EDF}" = Windows Small Business Server Fax Cfg
"{8EFE8B68-29E3-4F11-980B-1CDC9E21B258}" = Windows Small Business Server Connectivity
"{91140409-7000-11D3-8CFE-0150048383C9}" = Microsoft Windows SharePoint Services 2.0
"{91B90409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{94251E15-F03A-42CF-B762-6A75B1A0790B}" = Adaptec Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A34AC564-B4A3-4D45-B969-403BC39F0E6A}" = Microsoft .NET Framework 1.1 -- Device Update 4.0
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A6491A4A-AAA0-4892-BFEF-ECD6CECE2FF3}" = APC PowerChute Business Edition Server
"{ACCB890A-C291-4157-92A1-5A56D71AB047}" = Windows Small Business Server Fax
"{ACE0B250-0370-42D3-B137-16BB4BC0BD61}" = Windows Small Business Server ActiveSync
"{B6131A80-CAAB-11D3-8246-00C0DFE13AD2}" = Adaptec Storage Manager
"{B7300824-E68F-45F1-BAC1-5F15636C346F}" = Microsoft SQL Server Desktop Engine (SBSMONITORING)
"{BCE9F441-9027-4911-82E0-5FB28057897D}" = APC PowerChute Business Edition Agent
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C138D676-4F0F-4FDE-8BE5-26CFD3566DCD}" = SmartDeviceMonitor for Client
"{C8885E66-9862-4CEE-ADC4-F4769598C795}" = VERITAS Update
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DD2B5BC3-1FC9-4FCC-B49E-7F28AF3AACD8}" = VERITAS Backup Exec for Windows Servers
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (BKUPEXEC)
"{E3DD8B4D-D2B2-457A-B5D6-66B5031535A2}" = Windows Small Business Server Backup
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E8964572-1F5B-4D32-80BA-F2D81E592A8D}" = SmartDeviceMonitor for Admin
"{EB132F7D-C614-40F5-952C-ED7391638A1B}" = Windows Small Business Server Client Experience
"{F44BD974-0ADA-4A17-894E-0BF75F724216}" = Trend Micro Messaging Security Agent
"{FFFFED3C-5E7E-4C6C-A7B9-8BAB6181852B}" = Windows Small Business Server Monitoring
"5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA" = Windows Small Business Server 2003
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Borland InterBase 7.1 " = Borland InterBase 7.1
"CutePDF Writer Installation" = CutePDF Writer 2.8
"EMS InterBase/FireBird Manager" = EMS InterBase/FireBird Manager
"ESET Online Scanner" = ESET Online Scanner v3
"FBDBServer_1_5_is1" = Firebird 1.5.1.4481
"Firebird ODBC Driver_is1" = Firebird ODBC Driver 1.2.0.69
"IB Expert_is1" = IB Expert 2004 Personal Edition
"iBUS Online Backup Manager_is1" = iBUS Online Backup Manager
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{885CAC07-102C-4663-8283-51CBCE616211}" = HP StorageWorks Library And Tape Tools
"InstallShield_{94251E15-F03A-42CF-B762-6A75B1A0790B}" = Adaptec Storage Manager
"LAN-Fax Utilities" = LAN-Fax Utilities
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Health Monitor 2.1" = Microsoft Health Monitor 2.1
"Microsoft SQL Server 2000" = Microsoft SQL Server 2000
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MYOB Payroll" = MYOB Payroll
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"PROSet" = Intel(R) Network Connections Drivers
"Ricoh e-Reader_is1" = Ricoh e-Reader Version 5
"Security Server-10.0.0.2" = Trend Micro Worry-Free Business Security Advanced
"SMEX_{F44BD974-0ADA-4A17-894E-0BF75F724216}" = Trend Micro Messaging Security Agent
"VERITAS Backup Exec 10.0" = VERITAS Backup Exec for Windows Servers
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2
"WinImage" = WinImage
"Wofie" = Trend Micro Worry-Free Business Security Agent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 21/07/2011 4:47:08 p.m. | Computer Name = SBSERVER | Source = MSExchangeDSAccess | ID = 264246
Description = Process MAD.EXE (PID=4832). All Domain Controller Servers in use are
not responding: sbserver.taylormarine.co.nz For more information, click http://www.microsoft.com/contentredirect.asp.

Error - 21/07/2011 4:47:14 p.m. | Computer Name = SBSERVER | Source = MSExchangeAL | ID = 8026
Description = LDAP Bind was unsuccessful on directory sbserver.taylormarine.co.nz
for distinguished name ''. Directory returned error:[0x51] Server Down. For more
information, click http://www.microsoft.com/contentredirect.asp.

Error - 21/07/2011 4:47:15 p.m. | Computer Name = SBSERVER | Source = MSExchangeAL | ID = 8026
Description = LDAP Bind was unsuccessful on directory sbserver.taylormarine.co.nz
for distinguished name ''. Directory returned error:[0x51] Server Down. For more
information, click http://www.microsoft.com/contentredirect.asp.

Error - 21/07/2011 4:47:15 p.m. | Computer Name = SBSERVER | Source = MSExchangeAL | ID = 8250
Description = The Win32 API call 'DsGetDCNameW' returned error code [0x862] The
specified component could not be found in the configuration information. The service
could not be initialized. Make sure that the operating system was installed properly.
For more information, click http://www.microsoft.com/contentredirect.asp.

Error - 22/07/2011 12:23:38 a.m. | Computer Name = SBSERVER | Source = Userenv | ID = 1058
Description = Windows cannot access the file gpt.ini for GPO CN={89459E49-9CD0-4DE7-9456-3E998B50181F},CN=Policies,CN=System,DC=taylormarine,DC=co,DC=nz.
The file must be present at the location <\\taylormarine.co.nz\SysVol\taylormarine.co.nz\Policies\{89459E49-9CD0-4DE7-9456-3E998B50181F}\gpt.ini>.
(The specified network name is no longer available. ). Group Policy processing
aborted.

Error - 22/07/2011 12:23:38 a.m. | Computer Name = SBSERVER | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine that describes
the reason for this.

Error - 22/07/2011 5:00:46 a.m. | Computer Name = SBSERVER | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 24/07/2011 4:13:05 p.m. | Computer Name = SBSERVER | Source = MSExchangeTransport | ID = 265174
Description = A non-delivery report with a status code of 4.0.0 was generated for
recipient rfc822;taylormarine@knutsford.co.nz (Message-ID <C71.449.4E29D877@sbserver.taylormarine.co.nz>).


Error - 24/07/2011 4:18:33 p.m. | Computer Name = SBSERVER | Source = MSSQLSERVER | ID = 9003
Description = The log scan number (1097:46:1) passed to log scan in database 'NAV_GST_Test'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 24/07/2011 4:18:33 p.m. | Computer Name = SBSERVER | Source = MSSQLSERVER | ID = 3414
Description = An error occurred during recovery, preventing the database 'NAV_GST_Test'
(database ID 7) from restarting. Diagnose the recovery errors and fix them, or
restore from a known good backup. If errors are not corrected or expected, contact
Technical Support.

[ DNS Server Events ]
Error - 21/07/2011 4:47:14 p.m. | Computer Name = SBSERVER | Source = DNS | ID = 4015
Description = The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error debug information
(which may be empty) is "". The event data contains the error.

Error - 21/07/2011 4:47:14 p.m. | Computer Name = SBSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone .. This DNS server is configured to use information obtained from Active
Directory for this zone and is unable to load the zone without it. Check that the Active
Directory is functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data contains the
error.

Error - 21/07/2011 4:47:14 p.m. | Computer Name = SBSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone _msdcs.taylormarine.co.nz. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat enumeration
of the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 21/07/2011 4:47:14 p.m. | Computer Name = SBSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone 0.0.10.in-addr.arpa. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

Error - 21/07/2011 4:47:14 p.m. | Computer Name = SBSERVER | Source = DNS | ID = 4004
Description = The DNS server was unable to complete directory service enumeration
of zone taylormarine.co.nz. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without it.
Check that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "". The event
data contains the error.

[ File Replication Service Events ]
Error - 15/07/2011 6:28:02 a.m. | Computer Name = SBSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting
the path c: is low on disk space. Files may not replicate until disk space is made
available on this volume. The available space on the volume can be found by typing
"dir /a c:". For more information about managing space on a volume type "copy /?", "rename
/?", "del /?", "rmdir /?", and "dir /?".

Error - 15/07/2011 6:28:02 a.m. | Computer Name = SBSERVER | Source = NtFrs | ID = 13570
Description = The File Replication Service has detected that the volume hosting
the path C: is low on disk space. Files may not replicate until disk space is made
available on this volume. The available space on the volume can be found by typing
"dir /a C:". For more information about managing space on a volume type "copy /?", "rename
/?", "del /?", "rmdir /?", and "dir /?".

[ System Events ]
Error - 24/07/2011 3:26:04 p.m. | Computer Name = SBSERVER | Source = SAM | ID = 12294
Description = The SAM database was unable to lockout the account of Administrator
due to a resource error, such as a hard disk write failure (the specific error code
is in the error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account mentioned above.

Error - 24/07/2011 3:26:04 p.m. | Computer Name = SBSERVER | Source = SAM | ID = 12294
Description = The SAM database was unable to lockout the account of Administrator
due to a resource error, such as a hard disk write failure (the specific error code
is in the error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account mentioned above.

Error - 24/07/2011 3:26:09 p.m. | Computer Name = SBSERVER | Source = SAM | ID = 12294
Description = The SAM database was unable to lockout the account of Administrator
due to a resource error, such as a hard disk write failure (the specific error code
is in the error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account mentioned above.

Error - 24/07/2011 3:26:13 p.m. | Computer Name = SBSERVER | Source = SAM | ID = 12294
Description = The SAM database was unable to lockout the account of Administrator
due to a resource error, such as a hard disk write failure (the specific error code
is in the error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account mentioned above.

Error - 24/07/2011 3:26:33 p.m. | Computer Name = SBSERVER | Source = SAM | ID = 12294
Description = The SAM database was unable to lockout the account of Administrator
due to a resource error, such as a hard disk write failure (the specific error code
is in the error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account mentioned above.

Error - 24/07/2011 3:26:52 p.m. | Computer Name = SBSERVER | Source = SAM | ID = 12294
Description = The SAM database was unable to lockout the account of Administrator
due to a resource error, such as a hard disk write failure (the specific error code
is in the error data) . Accounts are locked after a certain number of bad passwords
are provided so please consider resetting the password of the account mentioned above.

Error - 24/07/2011 3:29:08 p.m. | Computer Name = SBSERVER | Source = NETLOGON | ID = 5722
Description = The session setup from the computer ACCOUNTS failed to authenticate.
The
name(s) of the account(s) referenced in the security database is ACCOUNTS$. The
following error occurred: %%5

Error - 24/07/2011 3:54:38 p.m. | Computer Name = SBSERVER | Source = TermServDevices | ID = 1111
Description = Driver PDF Complete Converter required for printer PDF Complete is
unknown. Contact the administrator to install the driver before you log in again.

Error - 24/07/2011 3:54:39 p.m. | Computer Name = SBSERVER | Source = TermServDevices | ID = 1111
Description = Driver HP Universal Printing PS required for printer HP Universal
Printing PS is unknown. Contact the administrator to install the driver before you
log in again.

Error - 24/07/2011 4:51:00 p.m. | Computer Name = SBSERVER | Source = dpti2o | ID = 262153
Description = The device, \Device\Scsi\dpti2o1, did not respond within the timeout
period.


< End of report >

tashi
2011-07-25, 09:41
Hello Truby,

In case you missed it please see the forum FAQ, "BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) :)

Particularly post #5 in the thread. Personal computers or..... (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

Best regards.

Truby
2011-07-25, 10:11
Thank you for that. What I really was asking was,
I have a serious problem. The three companies I have talked to can't find out what is wrong. None of the spyware programs can find anything.
I have found physical spyware / malware programs that I want to send to someone / a malware company so they can add it to their list of programs they should be scanning for.

But I can't seem to find anywhere to submit this data.
Now I could just work out what it is and how to remove it, and just let other people suffer with the same problem, which none of the spyware detection programs can find. But I thought it would be a public service to find this and help out other people before they too were infected.

But I guess this isn't the case. I will just work it out myself, and everyone can suffer the same problems. Guess the spammers win.

Truby

tashi
2011-07-25, 10:35
Hello Truby,

To be able to directly examine threats and improve detections our detectives would need the file/s. :)

Infected Files. How To Submit. (http://forums.spybot.info/showthread.php?t=1699)

Best regards.