
2003 SBS Server and popups

  • 29-04-2008 1:24pm
    #1
    Closed Accounts Posts: 584 ✭✭✭


    I've got to fix a strange problem with a 2003 SBS server this evening.

    1. It will not boot in safe mode, as it blue screens with, as far as I can see, a problem with tctip.sys.
    2. It won't boot in directory restore mode, same issue.

    3. It will boot in normal mode, but there are constant popups of cftmon.exe in DOS screens.


    My plan would be to get it working in safe mode by running a system file checker from the 2003 CD.

    Then in safe mode do a full scan and delete with Symantec AV.

    Here is the Hijack this log, if anyone has seen this one before ...


    If anyone has any ideas other than the above plan..

    I am limited in what software I can use due to it being a server etc.

    I have marked some of the lines in hijackthis that are questionable.



    Any help greatly appreciated..







    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:13:11 PM, on 4/29/2008
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\drivers\spools.exe
    C:\WINDOWS\system32\drivers\spools.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
    C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
    C:\WINDOWS\system32\certsrv.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\System32\dns.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$WSUS\Binn\sqlservr.exe
    C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    C:\WINDOWS\system32\ntfrs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\SAV\Rtvscan.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSECtrl.EXE
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSEUI.EXE
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\lserver.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSELog.EXE
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESJM.EXE
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\wins.exe
    C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\Program Files\Exchsrvr\bin\mad.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft ISA Server\mspadmin.exe
    C:\Program Files\Exchsrvr\bin\store.exe
    C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
    C:\Program Files\Microsoft ISA Server\W3Prefch.exe
    C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\ConsoleAppMgr.exe
    C:\Program Files\Symantec\CMaF\2.0\bin\CmafReportSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SAV\VPTray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSETask.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\ConsoleAppMgr.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\conduit.exe
    c:\windows\system32\inetsrv\w3wp.exe
    c:\windows\system32\inetsrv\w3wp.exe
    c:\windows\system32\inetsrv\w3wp.exe
    C:\WINDOWS\System32\logon.scr
    C:\WINDOWS\TEMP\66E8.tmp
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\drivers\spools.exe
    C:\Documents and Settings\Default User\Local Settings\Application Data\cftmon.exe
    C:\WINDOWS\system32\drivers\spools.exe
    C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Documents and Settings\itradmin\Local Settings\Application Data\cftmon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ntserver01:8080
    O2 - BHO: BhoApp Class - {AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B} - C:\WINDOWS\system32\hmlphl.dll
    O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe

    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
    O4 - HKUS\S-1-5-21-1409082233-1606980848-725345543-2125\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'ITRADMIN')
    O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')

    O4 - Startup: Server Management.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - ESC Trusted Zone: http://www.boards.ie
    O15 - ESC Trusted Zone: http://www.google.ie
    O15 - ESC Trusted Zone: http://onecare.live.com
    O15 - ESC Trusted Zone: http://www.symantec.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pjom.ie/Remote/msrdp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dtryan.com
    O17 - HKLM\Software\..\Telephony: DomainName = dtryan.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{83E54469-64DD-407F-82FA-AD5592D2FCD1}: NameServer = 10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dtryan.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dtryan.com
    O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
    O20 - Winlogon Notify: WLXbgz - C:\WINDOWS\SYSTEM32\WLXbgz.dll

    O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
    O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
    O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
    O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
    O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    O23 - Service: Symantec Mail Security Utility Service (SAVFMSESpamStatsManager) - Unknown owner - C:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
    O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) - Symantec Corporation - C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESrv.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe

    --
    End of file - 9036 bytes


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: BhoApp Class - {AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B} - C:\WINDOWS\system32\hmlphl.dll
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
    O4 - HKUS\S-1-5-21-1409082233-1606980848-725345543-2125\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'ITRADMIN')
    O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
    O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
    O20 - Winlogon Notify: WLXbgz - C:\WINDOWS\SYSTEM32\WLXbgz.dll
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      [kill explorer]
      C:\WINDOWS\TEMP\66E8.tmp
      C:\Documents and Settings\Default User\Local Settings\Application Data\cftmon.exe
      C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
      C:\WINDOWS\system32\hmlphl.dll
      C:\WINDOWS\system32\drivers\spools.exe
      C:\WINDOWS\SYSTEM32\WLCtrl32.dll
      C:\WINDOWS\SYSTEM32\WLXbgz.dll
      purity 
      [start explorer]
      
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



    Reboot and do this


    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
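
As an added example (not code from the thread, from HijackThis or from Trend Micro), the Python below encodes the checks behind the entries the reply above selects and runs them over a constructed subset of the posted log; the Winlogon Notify baseline and the list of svchost-hosted services are assumptions taken from a stock XP/2003 install, and every hit is a review prompt rather than a verdict.

```python
"""Triage rules for HijackThis O2/O4/O20/O23 entries (added example, not the thread's code)."""
import re
from typing import List, Tuple

# Constructed sample: a subset of the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: BhoApp Class - {AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B} - C:\WINDOWS\system32\hmlphl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
"""

O4_RE = re.compile(r"^O4 - .+?\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .+? - \{[^}]+\} - (?P<path>.*)$")

# Names that droppers like to imitate; a near-miss on one of these is a red flag.
SYSTEM_BINARIES = {"ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "userinit.exe", "explorer.exe", "csrss.exe", "smss.exe"}
# Stock Winlogon Notify packages on XP/2003 (assumption: partial clean-system baseline).
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Built-in services that run inside svchost.exe on 2003 (assumption: short list only).
SVCHOST_HOSTED = {"schedule", "dhcp", "dnscache", "lanmanserver", "lanmanworkstation", "rpcss", "w32time", "wuauserv"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are file names, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd: str) -> str:
    """Image path from a command line: drops quotes, arguments and suffixes like '(file missing)'."""
    m = re.match(r'^"?(?P<p>.*?\.(?:exe|dll|scr|com))"?', cmd, re.IGNORECASE)
    return m.group("p") if m else cmd.strip('"')


def path_reasons(path: str) -> List[str]:
    """Location- and name-based checks shared by every entry type."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    folder = p[: len(p) - len(base)]
    reasons = []
    if "\\local settings\\application data\\" in p or "\\temp\\" in p:
        reasons.append("launched from a user-profile or Temp directory")
    if folder.endswith("\\drivers\\") and base.endswith(".exe"):
        reasons.append("an .exe in the drivers directory, where only .sys files belong")
    if base.endswith(".exe") and base not in SYSTEM_BINARIES:
        closest = min(SYSTEM_BINARIES, key=lambda s: edit_distance(base, s))
        if edit_distance(base, closest) <= 2:
            reasons.append("name mimics system binary " + closest)
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every line at least one rule fires on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons: List[str] = []
        if (m := O4_RE.match(line)):
            reasons = path_reasons(exe_path(m.group("cmd")))
        elif (m := O20_RE.match(line)):
            reasons = path_reasons(exe_path(m.group("path")))
            if m.group("name").lower() not in NOTIFY_BASELINE:
                reasons.append("Winlogon Notify package outside the stock baseline")
        elif (m := O23_RE.match(line)):
            image = exe_path(m.group("path"))
            reasons = path_reasons(image)
            short = re.search(r"\((\w+)\)$", m.group("display"))
            if short and short.group(1).lower() in SVCHOST_HOSTED and not image.lower().endswith("\\svchost.exe"):
                reasons.append("built-in service %s pointed away from svchost.exe" % short.group(1))
            if m.group("owner") == "Unknown owner" and "\\windows\\" in image.lower():
                reasons.append("unknown-owner service binary inside the Windows directory")
        elif (m := O2_RE.match(line)):
            image = exe_path(m.group("path"))
            reasons = path_reasons(image)
            if image.lower().rsplit("\\", 1)[0].endswith("\\system32"):
                reasons.append("BHO DLL dropped straight into system32 (vendor BHOs live under Program Files)")
        findings.extend((line, r) for r in reasons)
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the six entries the reply lists and leaves the Symantec entries alone.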


  • Closed Accounts Posts: 584 ✭✭✭aidankk


    I'll try this now. I won't be on site until 5.

    I did mark all those with HijackThis yesterday, and they came back, but I didn't use OTMoveIt2 by OldTimer.

    I'll reply when I try it and get to site.

    Thanks again


  • Closed Accounts Posts: 584 ✭✭✭aidankk


    Popups are gone, system is running much faster.

    Now just to fix the safe mode blue screen problem..


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    I need to see the logs


  • Closed Accounts Posts: 584 ✭✭✭aidankk


    I need to see the logs
    Here they are, thanks so far. I'm about to install SP2 on this machine to try and fix the safe mode issue...

    Deckard's System Scanner v20071014.68
    Run by itradmin on 2008-04-29 18:38:15
    Computer is in Normal Mode.

    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as itradmin.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:38:39 PM, on 4/29/2008
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
    C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
    C:\WINDOWS\system32\certsrv.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\System32\dns.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$WSUS\Binn\sqlservr.exe
    C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    C:\WINDOWS\system32\ntfrs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\ConsoleAppMgr.exe
    C:\Program Files\Symantec\CMaF\2.0\bin\CmafReportSrv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\SAV\Rtvscan.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSECtrl.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSEUI.EXE
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
    C:\WINDOWS\system32\lserver.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSELog.EXE
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESJM.EXE
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\wins.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSETask.exe
    C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\ConsoleAppMgr.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\Program Files\Symantec\SMSMSE\6.0\Server\conduit.exe
    C:\Program Files\Exchsrvr\bin\mad.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft ISA Server\mspadmin.exe
    C:\Program Files\Exchsrvr\bin\store.exe
    C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
    c:\windows\system32\inetsrv\w3wp.exe
    C:\Program Files\Microsoft ISA Server\W3Prefch.exe
    C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
    C:\WINDOWS\System32\svchost.exe
    c:\windows\system32\inetsrv\w3wp.exe
    c:\windows\system32\inetsrv\w3wp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SAV\VPTray.exe
    C:\Program Files\Broadcom\BACS\BacsTray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    S:\itr\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\itradmin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ntserver01:8080
    O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
    O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - ESC Trusted Zone: http://www.msn.com
    O15 - ESC Trusted Zone: http://download.nai.com
    O15 - ESC Trusted Zone: http://fileconnect.symantec.com
    O15 - ESC Trusted Zone: http://fileconnectdl.symantec.com
    O15 - ESC Trusted Zone: http://seer.entsupport.symantec.com
    O15 - ESC Trusted Zone: http://service1.symantec.com
    O15 - ESC Trusted Zone: http://www.symantec.com
    O15 - ESC Trusted Zone: http://www.techsupportforum.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
    O15 - ESC Trusted IP range: http://10.0.0.9
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dtryan.com
    O17 - HKLM\Software\..\Telephony: DomainName = dtryan.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{83E54469-64DD-407F-82FA-AD5592D2FCD1}: NameServer = 10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dtryan.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dtryan.com
    O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
    O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
    O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
    O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
    O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    O23 - Service: Microsoft Exchange POP3 POP3SvcBackupExecJobEngine (POP3SvcBackupExecJobEngine) - Unknown owner - C:\WINDOWS\system32\alrsvcp.exe
    O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    O23 - Service: Symantec Mail Security Utility Service (SAVFMSESpamStatsManager) - Unknown owner - C:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
    O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) - Symantec Corporation - C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESrv.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe

    --
    End of file - 7793 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080428-125119-180 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Default User\Local Settings\Application Data\cftmon.exe
    backup-20080428-125119-877 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
    backup-20080428-125644-254 O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    backup-20080428-125644-431 O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    backup-20080428-125644-521 O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    backup-20080428-125644-679 O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    backup-20080428-125701-419 O4 - HKUS\S-1-5-21-1409082233-1606980848-725345543-2125\..\Run: [autoload] C:\Documents and Settings\itradmin\Local Settings\Application Data\cftmon.exe (User 'ITRADMIN')
    backup-20080428-125701-836 O4 - HKUS\S-1-5-21-1409082233-1606980848-725345543-2125\..\Run: [WintelUpdate] C:\DOCUME~1\itradmin\LOCALS~1\Temp\4\37A7.tmp.exe (User 'ITRADMIN')
    backup-20080428-125711-624 O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] C:\WINDOWS\TEMP\2AD8.tmp.exe (User 'SYSTEM')
    backup-20080428-143540-360 O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
    backup-20080428-143605-100 O15 - ESC Trusted Zone: http://www1.euro.dell.com
    backup-20080428-143605-664 O15 - ESC Trusted Zone: http://icdg.boards.ie
    backup-20080428-143605-696 O15 - ESC Trusted Zone: http://accessories.euro.dell.com
    backup-20080428-143605-762 O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
    backup-20080428-143605-769 O15 - ESC Trusted Zone: http://fs4.filehippo.com
    backup-20080428-143605-874 O15 - ESC Trusted Zone: http://www.cbg.ie
    backup-20080428-143605-884 O15 - ESC Trusted Zone: http://www.adverts.ie
    backup-20080428-143605-963 O15 - ESC Trusted Zone: http://reviews-cdn.dell.com
    backup-20080429-150632-455 O2 - BHO: BhoApp Class - {AAD1C6AD-10AB-4cae-97FB-0AADDEC8A14B} - C:\WINDOWS\system32\hmlphl.dll
    backup-20080429-150642-103 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    backup-20080429-150643-507 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Default User\Local Settings\Application Data\cftmon.exe
    backup-20080429-150644-209 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    backup-20080429-150644-839 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\administrator.DTRYAN\Local Settings\Application Data\cftmon.exe
    backup-20080429-150645-172 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
    backup-20080429-150645-254 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    backup-20080429-150645-815 O4 - HKUS\S-1-5-21-1409082233-1606980848-725345543-2125\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'ITRADMIN')
    backup-20080429-150646-619 O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.pjom.ie/Remote/msrdp.cab
    backup-20080429-150704-713 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
    backup-20080429-150708-812 O20 - Winlogon Notify: WLXbgz - C:\WINDOWS\SYSTEM32\WLXbgz.dll
    backup-20080429-150713-580 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
    backup-20080429-171827-204 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Default User\Local Settings\Application Data\cftmon.exe
    backup-20080429-171827-298 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
    backup-20080429-171827-424 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    backup-20080429-171827-476 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\Default User\Local Settings\Application Data\cftmon.exe (User 'Default user')
    backup-20080429-171827-507 O2 - BHO: Min stor proj. - {FFFFFFFF-B432-46fc-9143-B82B832B1B14} - interns32.dll (file missing)
    backup-20080429-171827-661 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    backup-20080429-172102-822 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
    backup-20080429-172102-905 O15 - ESC Trusted Zone: http://download.bleepingcomputer.com
    backup-20080429-172204-173 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    backup-20080429-172204-808 O20 - Winlogon Notify: WLXbgz - C:\WINDOWS\
    backup-20080429-172204-891 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

    -- File Associations

    .bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
    .ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
    .pif - piffile - shell\open\command - "%1" %*"


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 Piw12 - c:\windows\system32\drivers\piw12.sys
    R2 EXIFS - c:\windows\system32\drivers\exifs.sys <Not Verified; Microsoft Corporation; Microsoft Exchange>

    S2 asc3550f - c:\windows\system32\drivers\asc3550f.sys
    S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
    S4 IpNat (IP Network Address Translator) - /path overridden by isa server - do not edit/ (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 MSExchangeIS (Microsoft Exchange Information Store) - "c:\program files\exchsrvr\bin\store.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>
    R2 MSExchangeMGMT (Microsoft Exchange Management) - "c:\program files\exchsrvr\bin\exmgmt.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>
    R2 MSExchangeSA (Microsoft Exchange System Attendant) - "c:\program files\exchsrvr\bin\mad.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>
    R2 MSSEARCH (Microsoft Search) - "c:\program files\common files\system\mssearch\bin\mssearch.exe" <Not Verified; Microsoft Corporation; PKM>
    R2 SAVFMSESpamStatsManager (Symantec Mail Security Utility Service) - c:\program files\symantec\smsmse\6.0\server\smsutilityservice.exe
    R2 SMSMSE (Symantec Mail Security for Microsoft Exchange) - "c:\program files\symantec\smsmse\6.0\server\savfmsesrv.exe" <Not Verified; Symantec Corporation; Symantec Mail Security for Microsoft Exchange>

    S2 POP3SvcBackupExecJobEngine (Microsoft Exchange POP3 POP3SvcBackupExecJobEngine) - c:\windows\system32\alrsvcp.exe srv
    S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
    S3 MSExchangeES (Microsoft Exchange Event) - "c:\program files\exchsrvr\bin\events.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>
    S4 MSExchangeMTA (Microsoft Exchange MTA Stacks) - "c:\program files\exchsrvr\bin\emsmta.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>
    S4 MSExchangeSRS (Microsoft Exchange Site Replication Service) - "c:\program files\exchsrvr\bin\srsmain.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Scheduled Tasks

    2008-04-20 00:40:00 662 n--- C:\WINDOWS\Tasks\Update Services synchronization task.job
    2008-04-19 23:45:00 628 n--- C:\WINDOWS\Tasks\Update Services auto approval task.job
    2008-04-19 15:45:01 820 n--- C:\WINDOWS\Tasks\Update Services configuration task.job
    2008-04-19 10:09:02 410 n--- C:\WINDOWS\Tasks\At1.job
    2008-04-18 12:00:15 764 n--- C:\WINDOWS\Tasks\ShadowCopyVolume{8720590c-e535-11dc-b65f-001d09ef7d9e}.job


    -- Files created between 2008-03-29 and 2008-04-29

    2008-04-29 18:06:30 0 d C:\Documents and Settings\itradmin\Application Data\BACS.exe
    2008-04-29 18:03:32 0 d c- C:\WINDOWS\system32\DRVSTORE
    2008-04-29 18:03:29 0 d C:\Program Files\Broadcom
    2008-04-29 18:02:50 0 d C:\WINDOWS\Downloaded Installations
    2008-04-29 17:51:30 86016 --a C:\WINDOWS\system32\DellSPMsg.dll <Not Verified; Dell, Inc.; Change Management SDK>
    2008-04-29 17:40:59 0 d Z:\Deckard
    2008-04-29 16:25:41 48585 --a C:\WINDOWS\system32\adsmsextb.sys
    2008-04-29 16:25:38 23040 --ahs---- C:\WINDOWS\system32\adminpakd.dll
    2008-04-29 16:25:08 47104 --a C:\WINDOWS\system32\interns32.dll <Not Verified; Jit; >
    2008-04-29 16:25:08 1 --a C:\WINDOWS\system32\es.dat
    2008-04-29 16:24:35 564 --a-s---- C:\WINDOWS\system32\3104473310.dat
    2008-04-29 16:24:32 37888 -r-hs---- C:\WINDOWS\system32\alrsvcp.exe
    2008-04-29 13:34:48 196608 --a C:\WINDOWS\system32\Riex.exe
    2008-04-29 13:34:48 135168 --a C:\WINDOWS\system32\MyVT.dll
    2008-04-29 13:34:48 106496 --a C:\WINDOWS\system32\BeGy.dll
    2008-04-29 13:34:35 81920 --a C:\WINDOWS\system32\WyCK.dll
    2008-04-28 12:48:54 0 d C:\Program Files\Trend Micro
    2008-04-28 12:36:16 0 d C:\WINDOWS\pss
    2008-04-28 12:17:52 139 n--- C:\WINDOWS\wuasirvy.dll
    2008-04-28 12:17:32 119808 n--- C:\WINDOWS\system32\drivers\Vnh31.sys
    2008-04-28 11:29:52 0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
    2008-04-28 10:32:18 0 d--hs---- C:\Documents and Settings\administrator.DTRYAN\Application Data\wsnpoem
    2008-04-24 21:34:27 31744 n--- C:\WINDOWS\system32\sms22ivyiv.dll
    2008-04-24 13:10:48 0 n--- C:\WINDOWS\system32\123.dll
    2008-04-23 21:40:10 1695 n--- C:\WINDOWS\system32\clbcfg.dat
    2008-04-23 05:52:52 6656 n--- C:\WINDOWS\system32\drivers\clbdriver.sys
    2008-04-23 05:52:52 28160 n--- C:\WINDOWS\system32\clbdll.dll
    2008-04-21 12:08:54 0 d C:\WINDOWS\system32\directx
    2008-04-21 10:50:07 0 d C:\Documents and Settings\itradmin\Application Data\AdobeUM
    2008-04-21 10:50:01 0 d C:\Documents and Settings\itradmin\Application Data\Adobe
    2008-04-21 10:48:47 0 d---s---- C:\Documents and Settings\itradmin\UserData
    2008-04-10 15:21:32 25472 --a C:\WINDOWS\system32\drivers\Piw12.sys
    2008-04-07 10:40:07 0 d---s---- C:\Documents and Settings\administrator.DTRYAN\UserData


    -- Find3M Report

    2008-04-29 18:31:21 0 d C:\Program Files\SAV
    2008-03-12 11:13:40 0 d C:\Program Files\RealVNC
    2008-03-06 01:30:02 0 d C:\Program Files\Microsoft ISA Server
    2008-03-05 14:28:56 0 d C:\Program Files\Microsoft SQL Server
    2008-03-05 14:20:51 0 d C:\Program Files\Symantec
    2008-03-05 14:20:47 0 d C:\Program Files\Common Files\Symantec Shared
    2008-02-29 17:40:36 0 d C:\Program Files\Common Files\VERITAS shared
    2008-02-29 11:58:47 0 d C:\Program Files\Common Files\Adobe
    2008-02-29 11:16:36 664 n--- Z:\WIND
    2008-02-26 16:26:55 21160 n--- C:\WINDOWS\system32\emptyregdb.dat
    2008-02-26 16:25:07 62 ---hs---- C:\Documents and Settings\itradmin\Application Data\desktop.ini
    2008-02-26 16:16:12 8192 n--- C:\WINDOWS\system32\scerpt.dll
    2008-02-26 16:16:12 43423 n--- C:\WINDOWS\system32\hl.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.exe" [04/25/2005 02:45 PM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
    "vptray"="C:\PROGRA~1\SAV\VPTray.exe" [09/27/2006 09:33 PM]
    "bacstray"="C:\Program Files\Broadcom\BACS\BacsTray.exe" [03/12/2008 11:02 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 11:07:32 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ShowSuperHidden"=1 (0x1)
    "NoWelcomeScreen"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    dimsntfy.dll 04/23/2007 12:53 PM 19456 C:\WINDOWS\system32\dimsntfy.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= RASSFM KDCSVC WDIGEST scecli dsrestor

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fweng.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IpFilterDriver.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Piw12.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCore]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3D7B]
    C:\WINDOWS\TEMP\3D7B.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
    C:\DOCUME~1\ADMINI~1.DTR\LOCALS~1\Temp\2F0D.tmp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
    NetworkService 6to4 DHCP DnsCache
    WinErr ERsvc
    DcomLaunch DcomLaunch
    tapisrv Tapisrv
    regsvc RemoteRegistry
    iissvcs w3svc
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12
    swprv swprv

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    AeLookupSvc
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    HidServ
    LanmanServer
    LanmanWorkstation
    Messenger
    Nla
    NWCWorkstation
    Sacsvr
    Schedule
    Seclogon
    Themes
    TrkWks
    TrkSvr
    Wmi
    WmdmPmSp
    winmgmt
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
    %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
    %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser



    -- End of Deckard's System Scanner: finished at 2008-04-29 18:39:04

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft(R) Windows(R) Server 2003 for Small Business Server (build 3790) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz
    CPU 1: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz
    Percentage of Memory in Use: 67%
    Physical Memory (total/avail): 2047.27 MiB / 672.95 MiB
    Pagefile Memory (total/avail): 3943.96 MiB / 1995.4 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1932.42 MiB

    C: is Fixed (NTFS) - 39.31 GiB total, 26.95 GiB free.
    D: is CDROM (CDFS)
    S: is Fixed (NTFS) - 232.9 GiB total, 209.65 GiB free.
    Z: is Network (NTFS)

    \\.\PHYSICALDRIVE0 - DELL PERC 5/i Adapter SCSI Disk Device - 272.24 GiB - 3 partitions
    \PARTITION0 - Unknown - 39.19 MiB
    \PARTITION1 (bootable) - Installable File System - 39.31 GiB - C:
    \PARTITION2 - Installable File System - 232.9 GiB - S:



    -- Security Center

    Windows Internal Firewall is disabled.

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\itradmin\Application Data
    CLASSPATH=C:\Program Files\VERITAS\Backup Exec\NT\ECM\bumodule.jar;C:\Program Files\VERITAS\Backup Exec\NT\ECM\LOG4J-CORE.JAR;C:\Program Files\VERITAS\Backup Exec\NT\ECM\LOG4J.JAR;.
    ClusterLog=C:\WINDOWS\Cluster\cluster.log
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=NTSERVER01
    ComSpec=C:\WINDOWS\system32\cmd.exe
    EXCHICONS=C:\Program Files\Exchsrvr\bin\maildsmx.dll
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=Z:
    HOMEPATH=\
    HOMESHARE=\\NTSERVER01\users\ITRADMIN
    LOGONSERVER=\\NTSERVER01
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\Program Files\Support Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Windows Small Business Server\Networking\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f02
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SBSProgramDir=C:\Program Files\Microsoft Windows Small Business Server
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\itradmin\LOCALS~1\Temp
    TMP=C:\DOCUME~1\itradmin\LOCALS~1\Temp
    USERDNSDOMAIN=DTRYAN.COM
    USERDOMAIN=DTRYAN
    USERNAME=itradmin
    USERPROFILE=C:\Documents and Settings\itradmin
    windir=C:\WINDOWS
    winsbprogramdir=C:\Program Files\Windows for Small Business Server


    -- User Profiles

    Administrator.NTSERVER01 (admin)
    Administrator (admin)
    itradmin (admin)
    administrator.DTRYAN (admin)


    -- Add/Remove Programs

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
    ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    Broadcom Drivers and Management Applications --> MsiExec.exe /I{C97C77C4-10BD-4CCA-B781-116105001E75}
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    LiveUpdate 3.3 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    Microsoft .NET Framework 1.1 -- Device Update 4.0 --> MsiExec.exe /X{A34AC564-B4A3-4D45-B969-403BC39F0E6A}
    Microsoft .NET Framework 2.0 --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
    Microsoft File Server Migration Toolkit --> MsiExec.exe /X{B3A13E73-97CB-11D8-A171-505054503030}
    Microsoft Group Policy Management Console with SP1 --> MsiExec.exe /I{CA3553E0-191B-4E2F-AD3C-82E33CB9D4E4}
    Microsoft Health Monitor 2.1 --> "C:\WINDOWS\system32\WBEM\HealthMonitor\UNINSTAL.EXE" "C:\WINDOWS\system32\WBEM\HealthMonitor\INSTALL.LOG" "Microsoft Health Monitor 2.1 Uninstall"
    Microsoft ISA Server 2004 --> C:\Program Files\Microsoft ISA Server\Uninstall\SetupWrapper.exe /I
    Microsoft ISA Server 2004 --> MsiExec.exe /I{0AC95D97-1B75-4AC7-B061-F21E379FF809}
    Microsoft ISA Server Standard Edition 2004 Service Pack 1 --> msiexec /i {0AC95D97-1B75-4AC7-B061-F21E379FF809} MSIPATCHREMOVE={211BCDA8-310E-493A-98F2-97D239B68AC9} /qb
    Microsoft SQL Server Desktop Engine (BKUPEXEC) --> MsiExec.exe /X{689404D2-1C94-44B3-9203-BEC5594FDA7A}
    Microsoft SQL Server Desktop Engine (Microsoft ISA Server 2004 instance) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
    Microsoft SQL Server Desktop Engine (MSFW) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
    Microsoft SQL Server Desktop Engine (SBSMonitoring) --> MsiExec.exe /X{B7300824-E68F-45F1-BAC1-5F15636C346F}
    Microsoft SQL Server Desktop Engine (Sharepoint) --> MsiExec.exe /X{65657C59-23A8-4974-B8E0-BA04EBD04E4F}
    Microsoft SQL Server Desktop Engine (WSUS) --> MsiExec.exe /X{83BC1BC2-FCC4-4CED-8A3C-EB7CDFB3CF6A}
    Microsoft Windows Server Update Services Service Pack 1 --> C:\Program Files\Update Services\Setup\WusSetup.exe /u
    Microsoft Windows SharePoint Services 2.0 --> MsiExec.exe /I{91140409-7000-11D3-8CFE-0150048383C9}
    MSXML 6.0 Parser --> MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
    Reporting Agents (Symantec Corporation) --> MsiExec.exe /I{E0B27188-A15E-4C64-AE49-85E8EF46184B}
    Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
    Symantec Backup Exec (TM) 10d for Windows Servers --> C:\WINDOWS\Installer\{B85BA2E5-BD10-4B9D-AE29-BC11947A834D}\setup.exe /X
    Symantec Backup Exec for Windows Servers --> MsiExec.exe /X{B85BA2E5-BD10-4B9D-AE29-BC11947A834D}
    Symantec Mail Security for Microsoft Exchange --> MsiExec.exe /X{C09CA846-A25D-4E7F-84BC-C15399C33014}
    Symantec System Center --> MsiExec.exe /I{474D0370-D5D2-4450-AAEC-AF753A11422D}
    Symantec System Center --> MsiExec.exe /I{474D0370-D5D2-4450-AAEC-AF753A11422D}
    VERITAS Update --> MsiExec.exe /I{C8885E66-9862-4CEE-ADC4-F4769598C795}
    VNC 4.0 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
    Windows Small Business Server 2003 --> C:\Program Files\Microsoft Integration\Windows Small Business Server 2003\setup.exe
    Windows Small Business Server 2003 R2 --> C:\Program Files\Microsoft Windows Small Business Server\UpdateServices\Uninstall.exe
    Windows Support Tools --> MsiExec.exe /I{F07F0BCD-5C6D-4499-9F05-6ED747078A72}
    Windows Update Agent Self update --> MsiExec.exe /I{7CBC545F-32A8-4206-AE00-7B208E210140}


    -- Application Event Log

    No Errors/Warnings found.


    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    No Errors/Warnings found.


    -- End of Deckard's System Scanner: finished at 2008-04-29 18:39:04
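    As an added example (not from this thread, and not part of DSS or any tool mentioned in it), here is a small Python triage script for the kind of log above. It parses DSS-style file and service lines and flags the indicators a responder would pick out of this log by hand: recently created objects carrying hidden+system attributes, new kernel drivers under system32\drivers, a service whose binary is reported "(file missing)", a user-mode .exe registered from the drivers directory, and a service whose binary is itself one of the freshly dropped hidden files. The sample input is constructed from entries in the posted log; the one-line layout `date time size attrs path [<signer>]` and `Rn/Sn name (display) - image [(file missing) | <signer>]` is assumed from how DSS prints its sections.

```python
"""Triage helper for Deckard's System Scanner (DSS) output.

Added example for the thread; not DSS code. Assumed DSS line formats:
  files:    YYYY-MM-DD HH:MM:SS <size> <9-char attrs> <path> [<signer>]
  services: <R|S><n> <name> (<display>) - <image> [(file missing) | <signer>]
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on entries from the log posted in the thread.
SAMPLE_FILES = r"""
2008-04-29 16:25:38 23040 --ahs---- C:\WINDOWS\system32\adminpakd.dll
2008-04-29 16:24:35 564 --a-s---- C:\WINDOWS\system32\3104473310.dat
2008-04-29 16:24:32 37888 -r-hs---- C:\WINDOWS\system32\alrsvcp.exe
2008-04-28 12:17:32 119808 --a------ C:\WINDOWS\system32\drivers\Vnh31.sys
2008-04-28 11:29:52 0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
2008-04-29 17:51:30 86016 --a------ C:\WINDOWS\system32\DellSPMsg.dll <Not Verified; Dell, Inc.; Change Management SDK>
2008-04-21 10:50:01 0 d-------- C:\Documents and Settings\itradmin\Application Data\Adobe
2008-02-26 16:25:07 62 ---hs---- C:\Documents and Settings\itradmin\Application Data\desktop.ini
"""
SAMPLE_SERVICES = r"""
R2 SMSMSE (Symantec Mail Security for Microsoft Exchange) - "c:\program files\symantec\smsmse\6.0\server\savfmsesrv.exe" <Not Verified; Symantec Corporation; Symantec Mail Security for Microsoft Exchange>
S2 POP3SvcBackupExecJobEngine (Microsoft Exchange POP3 POP3SvcBackupExecJobEngine) - c:\windows\system32\alrsvcp.exe srv
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
S3 MSExchangeES (Microsoft Exchange Event) - "c:\program files\exchsrvr\bin\events.exe" <Not Verified; Microsoft Corporation; Microsoft Exchange>
"""

FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>[A-Za-z]:\\[^<]*?)\s*(?:<(?P<signer>[^>]*)>)?$"
)
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>\S+)\s+\((?P<display>[^)]*)\)\s+-\s+"
    r'"?(?P<image>[A-Za-z]:\\.*?\.(?:exe|sys|dll))"?(?P<rest>.*)$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileEntry:
    timestamp: str
    size: int
    attrs: str  # DSS attribute string, e.g. "-r-hs----" (h = hidden, s = system)
    path: str
    signer: Optional[str]


@dataclass(frozen=True)
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str  # binary path, quotes stripped
    rest: str   # whatever followed the path: "(file missing)", "<signer>", arguments


Finding = Tuple[str, str]  # (subject, reason)


def parse_files(text: str) -> List[FileEntry]:
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            out.append(FileEntry(m["ts"], int(m["size"]), m["attrs"], m["path"], m["signer"]))
    return out


def parse_services(text: str) -> List[ServiceEntry]:
    out = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            out.append(ServiceEntry(m["state"], m["name"], m["display"], m["image"], m["rest"].strip()))
    return out


SYSTEM_ROOT = "c:\\windows\\"
DRIVERS_DIR = SYSTEM_ROOT + "system32\\drivers\\"
BENIGN_HIDDEN = {"desktop.ini"}  # Windows creates this hidden+system file itself


def hidden_and_system(attrs: str) -> bool:
    return "h" in attrs and "s" in attrs


def triage_files(files: List[FileEntry]) -> List[Finding]:
    findings: List[Finding] = []
    for f in files:
        path = f.path.lower()
        base = path.rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        if hidden_and_system(f.attrs) and base not in BENIGN_HIDDEN:
            findings.append((f.path, "recently created with hidden+system attributes"))
        if path.startswith(DRIVERS_DIR) and ext == "sys":
            findings.append((f.path, "new kernel driver; tie it to an installed package or treat as rogue"))
        if path.startswith(SYSTEM_ROOT) and stem.isdigit():
            findings.append((f.path, "numeric-only file name under the Windows directory"))
    return findings


def triage_services(services: List[ServiceEntry], files: List[FileEntry]) -> List[Finding]:
    dropped = {f.path.lower() for f in files if hidden_and_system(f.attrs)}
    findings: List[Finding] = []
    for s in services:
        image = s.image.lower()
        if "(file missing)" in s.rest.lower():
            findings.append((s.name, "service binary missing on disk (hijacked or half-removed entry)"))
        if image.startswith(DRIVERS_DIR) and not image.endswith(".sys"):
            findings.append((s.name, "user-mode executable registered from the drivers directory"))
        if image in dropped:
            findings.append((s.name, "service binary is one of the freshly dropped hidden+system files"))
    return findings


def triage(files_text: str, services_text: str) -> List[Finding]:
    files = parse_files(files_text)
    return triage_files(files) + triage_services(parse_services(services_text), files)


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"{subject}: {reason}")
```

    The cross-reference in `triage_services` is the part worth keeping: a service entry on its own (here the one claiming to be an Exchange POP3 component) looks plausible until its binary turns up in the recently created, hidden+system list, and the Task Scheduler entry pointing at a missing spools.exe under drivers is why the reply below removes the Schedule service key outright.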


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Lots of malware still there.

    Please download DAFT and save it to your desktop:
    1. Double-click the daft.exe icon.
    2. Click on the Scan button.
    3. Select everything it is displaying there
    4. Click the Fix button.
    5. Then rescan with DAFT again - it should say now that "All associations are OK"
    6. Close DAFT if you receive that message. This means that it is fixed now.



    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      [kill explorer]
      C:\WINDOWS\system32\adsmsextb.sys
      C:\WINDOWS\system32\adminpakd.dll
      C:\WINDOWS\system32\interns32.dll
      C:\WINDOWS\system32\es.dat
      C:\WINDOWS\system32\3104473310.dat
      C:\WINDOWS\system32\alrsvcp.exe
      C:\WINDOWS\system32\Riex.exe
      C:\WINDOWS\system32\MyVT.dll
      C:\WINDOWS\system32\BeGy.dll
      C:\WINDOWS\system32\WyCK.dll
      C:\WINDOWS\wuasirvy.dll
      C:\WINDOWS\system32\drivers\Vnh31.sys
      C:\WINDOWS\system32\sms22ivyiv.dll
      C:\WINDOWS\system32\123.dll
      C:\WINDOWS\system32\clbcfg.dat
      C:\WINDOWS\system32\drivers\clbdriver.sys
      C:\WINDOWS\system32\clbdll.dll
      C:\WINDOWS\system32\drivers\Piw12.sys
      C:\WINDOWS\system32\scerpt.dll
      C:\WINDOWS\system32\hl.dat
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3D7B
      C:\WINDOWS\TEMP\3D7B.exe
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate
      C:\DOCUME~1\ADMINI~1.DTR\LOCALS~1\Temp\2F0D.tmp.exe
      c:\windows\system32\drivers\asc3550f.sys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
      purity 
      [start explorer]
      
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



    Reboot and post a new DSS log

