Windows 2003 Server with Backdoor Trojan

#31 RKinner (Malware Expert, MVP, 24,731 posts)
Looking under Everything, go down and uncheck each of the following:

Under \Run

XXXXXX87FC2E28 File not found: C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe

Under Installed Components:

n/a 360安全衛士 隔離區模組 360.cn c:\documents and settings\administrator.stone-tapert\windows:360updata.exe

Under Components

0 File not found: About:Home

Under Services
Ias File not found: C:\WINDOWS\Temp\ntshrui.dll.
Iprip File not found: C:\WINDOWS\Temp\ntshrui.dll.
Irmon File not found: C:\WINDOWS\Temp\ntshrui.dll.
NWCWorkstation File not found: C:\WINDOWS\Temp\ntshrui.dll.
Nwsapagent File not found: C:\WINDOWS\Temp\ntshrui.dll.
TrkSvr File not found: C:\WINDOWS\Temp\ntshrui.dll.
VPREMOTE File not found: C:\TEMP\Clt-Inst\vpremote.exe
WinHttpAutoProxySvc File not found: winhttp.dll
WmdmPmSp File not found: C:\WINDOWS\Temp\ntshrui.dll.
º́³¾Íø°² File not found: C:\WINDOWS\Temp\ntshrui.dll.

Under Services

55A71E73 File not found: C:\WINDOWS\system32\55A71E73.sys
sicomu File not found: System32\drivers\dnlg.sys
55A71E73 File not found: C:\WINDOWS\system32\55A71E73.sys

Close Autoruns. Reboot.

Attempt to delete

c:\documents and settings\administrator.stone-tapert\windows:360updata.exe
C:\WINDOWS\System32\xp1.exe
C:\WINDOWS\System32\xpNET4.0.exe
C:\xp1.exe
C:\xpNET4.0.exe

Run autoruns again and save it as before and attach it.
#32 rahanna (Topic Starter, Member, 96 posts)
Ron ...

OK, I have unchecked all the items and rebooted ...

I still get the error message at the Login Screen [One of the services did not load]

I managed to delete the following files:

C:\WINDOWS\System32\xp1.exe
C:\WINDOWS\System32\xpNET4.0.exe

But couldn't find the files:

c:\documents and settings\administrator.stone-tapert\windows:360updata.exe
C:\xp1.exe
C:\xpNET4.0.exe

I have attached the new AutoRun report for you to check and also a screenshot ...

Thanks,

#33 rahanna (Topic Starter, Member, 96 posts)
Ron ... I have just noticed a new User account [ siweb$ ] created under c:\Documents and Settings

See attached screenshot that shows a date of 9/3/2012 @ 8:51pm

What do you think is happening in the background ???

Please let me know what needs to be done next ...

Thanks,

Attached: Server_NewUser.JPG

#34 RKinner (Malware Expert, MVP, 24,731 posts)
Uncheck the top one:

usrlogon.cmd c:\windows\system32\usrlogon.cmd

Also uncheck

JQSIEStartDetectorImpl Class File not found: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys

wow64 File not found: C:\WINDOWS\system32\wow64.dll
wow64cpu File not found: C:\WINDOWS\system32\wow64cpu.dll
wow64win File not found: C:\WINDOWS\system32\wow64win.dll
AtiExtEvent File not found: Ati2evxx.dll

then reboot. I think you got it.
#35 RKinner (Malware Expert, MVP, 24,731 posts)
Get rid of the new login too.
#36 rahanna (Topic Starter, Member, 96 posts)
Ron ...

I think that the usrlogon.cmd c:\windows\system32\usrlogon.cmd

is related to the Terminal Services installed on this Domain Controller ...

Do you think that the new Users are created automatically when someone tries to log in from the outside using Terminal Services, and that's why the temp user name is preceded by a [ $ ] sign ???

Please see the attached screenshots for the New Users created and their Membership properties ...

Also, I ran AutoRuns and attached the report before rebooting the server ... Now it is rebooting ...

What do you think we should do next ??? ... I think we're pretty close ...

Thanks again,

Attached: Server_UsersProperties.JPG

#37 RKinner (Malware Expert, MVP, 24,731 posts)
usrlogon.cmd should be something you can open in notepad so try that and let's see what it says.

I really have very little experience with terminal servers. The last one I worked on was an NT. IF you think that the funny names are OK then fine.

I'm wondering about this file:

c:\documents and settings\administrator.stone-tapert\windows:360updata.exe

It did not say it couldn't find it so it must be there. The : means an alternate data stream so all you would really see is a file or folder named windows. Oddly enough you can use notepad to open and modify alternate data streams so if you type:

cd "\documents and settings\administrator.stone-tapert"

notepad windows:360updata.exe

It will probably open the file and show you a bunch of meaningless garbage because it's a binary. You can select all of it, then delete it and maybe type "junk", then close Notepad and save the file.

IF it appears that the malware is gone, I would make everyone change their passwords (including your administrator password) because they could have been compromised.
#38 rahanna (Topic Starter, Member, 96 posts)
Ron ...

OK ... Since everyone is back to the work schedule, I will need to wait until after 5pm ...

I ran MalwareBytes yesterday night and it came clean ...

Should I keep it on the Server or take it off ???

I will keep you posted of my findings ...

Thanks,
#39 RKinner (Malware Expert, MVP, 24,731 posts)
It doesn't hurt to keep MBAM on a PC. Did you find the file: c:\documents and settings\administrator.stone-tapert\windows ?
#40 rahanna (Topic Starter, Member, 96 posts)
Ron ... It seems that this thing is coming back again ...

Without any reboot, Malwarebytes popped up a message with a Trojan.Agent.Gen

2012/09/04 01:06:35 -0700 ST-SERVER st_admin IP-BLOCK 109.230.213.147 (Type: incoming)
2012/09/04 01:06:38 -0700 ST-SERVER st_admin IP-BLOCK 109.230.213.147 (Type: incoming)
2012/09/04 01:06:44 -0700 ST-SERVER st_admin IP-BLOCK 109.230.213.147 (Type: incoming)
2012/09/04 13:03:07 -0700 ST-SERVER st_admin IP-BLOCK 222.186.24.91 (Type: incoming)
2012/09/04 14:56:51 -0700 ST-SERVER st_admin DETECTION C:\RECYCLER\hexmxwl.exe Trojan.Agent QUARANTINE
2012/09/04 14:56:51 -0700 ST-SERVER st_admin ERROR Quarantine failed: SDKQuarantine failed with error code 0


The folder c:\Recycler contains the Trojan and it seems that Malwarebytes failed to quarantine it ...

Luckily, I have 3-hrs to work on the server tonight so hopefully we can get rid of it ...

Some new [ exe ] files started showing on the Root of Drive-C (See attached screenshot)

I ran another OTL and here are the results ... So what do you think needs to be done ???

Appreciate your help ... Thanks,


OTL logfile created on: 9/4/2012 7:40:10 PM - Run 6
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Dell
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTDomainController
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.79 Gb Available Physical Memory | 39.43% Memory free
5.35 Gb Paging File | 3.74 Gb Available in Paging File | 69.84% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 135.41 Gb Total Space | 90.88 Gb Free Space | 67.11% Space Free | Partition Type: NTFS
Drive D: | 544.49 Gb Total Space | 159.63 Gb Free Space | 29.32% Space Free | Partition Type: NTFS

Computer Name: ST-SERVER | User Name: st_admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\WINDOWS\system32\smxwl.exe
PRC - [2012/09/01 12:25:50 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Dell\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
PRC - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/05/13 00:14:32 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/13 00:14:28 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
PRC - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe
PRC - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
PRC - [2008/08/28 23:47:40 | 003,259,688 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer.exe
PRC - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe
PRC - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
PRC - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
PRC - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
PRC - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
PRC - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
PRC - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\bengine.exe
PRC - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beserver.exe
PRC - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\beremote.exe
PRC - [2007/02/18 05:00:00 | 001,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2007/02/18 05:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe
PRC - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe
PRC - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe
PRC - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2007/02/18 05:00:00 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scrnsave.scr
PRC - [2007/02/18 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\w3wp.exe
PRC - [2007/02/17 07:03:56 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
PRC - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\benetns.exe
PRC - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe
PRC - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
PRC - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Exchsrvr\bin\exmgmt.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/03 22:29:25 | 000,024,665 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\89f4ac43ba2b792785d9d472365e562b.dll
MOD - [2012/09/03 22:29:25 | 000,020,585 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\0a6b9f23e356336cc61530f586d0c66a.dll
MOD - [2012/09/03 22:29:23 | 000,028,767 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\b2774d247dfbf0abe8539e577ee59b4c.dll
MOD - [2012/09/03 22:29:22 | 000,028,789 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\36971e8ed4d19cc0a7051079b039c204.dll
MOD - [2012/09/03 22:29:21 | 000,028,787 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\1ff4eae997b1753d848dbbc61d1b4345.dll
MOD - [2012/09/03 22:29:20 | 000,036,981 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\31aa023220b46a62dd91739a3bf1cad4.dll
MOD - [2012/09/03 22:29:19 | 000,077,941 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\7aace6f21e4c397996b145b7fd777643.dll
MOD - [2012/09/03 22:29:19 | 000,032,873 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\8d3b343ab48cfb6b14fa9d0dc35ce9e6.dll
MOD - [2012/09/03 22:29:18 | 000,024,675 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\7acaa276f32e012922082aa697dfa218.dll
MOD - [2012/09/03 22:29:17 | 000,024,671 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\44abde5de65f3f034faac2c132713018.dll
MOD - [2012/09/03 22:29:17 | 000,020,571 | R--- | M] () -- C:\WINDOWS\Temp\pdk-SYSTEM-3092\42db37dadb779dbfc5da8bdd7ec61c52.dll
MOD - [2012/07/10 11:01:50 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll
MOD - [2012/07/10 11:00:43 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/10 10:59:36 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/07/10 10:59:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/07/10 10:59:33 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/07/10 10:59:28 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/07/10 10:59:25 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/07/10 10:59:24 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/07/10 10:59:22 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/07/10 10:59:07 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/31 23:16:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/31 23:04:26 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/31 23:04:20 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/31 23:04:12 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/31 23:04:01 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2009/02/01 22:01:12 | 000,755,120 | ---- | M] () -- \\?\C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\secars.dll
MOD - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
MOD - [2008/08/12 09:39:44 | 000,136,472 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\invmib32.dll
MOD - [2008/08/12 09:39:00 | 000,042,776 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\omaep32.dll
MOD - [2008/05/01 21:15:37 | 000,010,240 | ---- | M] () -- D:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2007/03/30 07:45:46 | 000,800,256 | ---- | M] () -- C:\Program Files\Dell\SysMgt\oma\bin\libxml2.dll
MOD - [2007/02/18 05:00:00 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
MOD - [2007/02/18 05:00:00 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2006/06/06 12:08:08 | 000,393,216 | R--- | M] () -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\jslic.dll
MOD - [2005/11/14 16:43:58 | 000,029,152 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\FSPPMFP.DLL
MOD - [2002/05/03 09:40:32 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (WmdmPmSp)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wins.exe -- (WINS)
SRV - File not found [Disabled | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - File not found [Disabled | Stopped] -- C:\TEMP\Clt-Inst\vpremote.exe -- (VPREMOTE)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (TrkSvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (º́³¾Íø°²)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Nwsapagent)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (NWCWorkstation)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Irmon)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Iprip)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll. -- (Ias)
SRV - [2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) [Auto | Running] -- C:\WINDOWS\system32\smxwl.exe -- (DSLservwdw)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/11 01:00:51 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/01/30 05:39:57 | 000,450,560 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [On_Demand | Stopped] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/08/05 14:06:38 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\AdventNet\ME\NetFlow\bin\wrapper.exe -- (netflowanalyzer)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/13 00:14:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/05/13 00:14:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/05/13 00:14:24 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/05/13 00:14:21 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/02/01 22:00:56 | 000,234,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe -- (semsrv)
SRV - [2009/01/18 18:31:14 | 000,455,960 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/10/14 13:20:12 | 000,024,576 | R--- | M] (Client Marketing Systems, Inc.) [Auto | Running] -- C:\Program Files\Client Marketing Systems\Advisors Assistant Server Component\AASCServer.exe -- (AAService)
SRV - [2008/09/05 12:03:06 | 000,069,632 | ---- | M] (LSI Logic Corporation) [Auto | Running] -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe -- (mr2kserv)
SRV - [2008/08/28 23:29:38 | 000,181,544 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer3\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2008/08/12 09:47:10 | 000,075,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- (Server Administrator)
SRV - [2008/08/12 09:40:20 | 000,021,784 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe -- (omsad)
SRV - [2008/08/05 19:26:00 | 000,153,560 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe -- (dcevt32)
SRV - [2008/08/05 19:25:54 | 000,198,616 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe -- (dcstor32)
SRV - [2008/05/14 12:31:04 | 000,083,248 | R--- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe -- (ASANYs_sem5)
SRV - [2007/11/19 14:49:16 | 002,824,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\bengine.exe -- (BackupExecJobEngine)
SRV - [2007/11/07 13:00:04 | 005,043,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beserver.exe -- (BackupExecRPCService)
SRV - [2007/05/23 12:06:06 | 000,712,464 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,216,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2007/02/18 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/02/18 05:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2007/02/17 07:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/17 07:03:43 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
SRV - [2007/02/17 07:03:10 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Sens32.dll -- (SENS)
SRV - [2006/10/30 07:50:27 | 000,175,744 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\benetns.exe -- (BackupExecAgentBrowser)
SRV - [2006/09/28 11:48:18 | 001,048,704 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Program Files\Symantec\Backup Exec\pvlsvr.exe -- (BackupExecDeviceMediaService)
SRV - [2006/09/27 14:17:54 | 001,324,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe -- (Reporting)
SRV - [2006/09/20 04:34:40 | 000,126,976 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\wrapper.exe -- (OpManager)
SRV - [2005/08/25 19:10:02 | 003,217,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Exchsrvr\bin\exmgmt.exe -- (MSExchangeMGMT)
SRV - [2003/11/26 07:52:46 | 000,020,541 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\AdventNet\ME\OpManager\apache\bin\Apache.exe -- (ManageEngineOpManagerApache)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Stopped] -- System32\drivers\dnlg.sys -- (sicomu)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.STO\LOCALS~1\Temp\2\cpuz133\cpuz133_x32.sys -- (cpuz133)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\55A71E73.sys -- (55A71E73)
DRV - [2012/08/20 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120903.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/20 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120903.017\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/08 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/05/29 03:07:18 | 000,021,504 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\percsas.sys -- (percsas)
DRV - [2010/02/05 21:03:36 | 000,018,080 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QLTOx32.sys -- (QLTOx32)
DRV - [2009/06/13 17:05:23 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/06/13 17:05:23 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/06/13 17:05:09 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snman380.sys -- (snapman380)
DRV - [2009/05/13 15:26:04 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/05/13 00:14:35 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/05/13 00:14:34 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/05/13 00:14:34 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/05/13 00:14:32 | 000,038,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WGX.SYS -- (WGX)
DRV - [2009/05/13 00:14:07 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/07/30 13:00:18 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\SNMP\BASFND.sys -- (BASFND)
DRV - [2008/05/14 14:04:26 | 000,054,784 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bxnd52x.sys -- (l2nd)
DRV - [2008/05/01 21:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- D:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/01/14 10:13:54 | 000,025,088 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dcdbas32.sys -- (dcdbas)
DRV - [2008/01/11 00:31:06 | 000,014,848 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\QDLTx32.sys -- (QDLTx32)
DRV - [2007/02/18 05:00:00 | 000,221,696 | ---- | M] (Agilent Technologies) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\afcnt.sys -- (afcnt)
DRV - [2007/02/18 05:00:00 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
DRV - [2007/02/18 05:00:00 | 000,154,624 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2200.sys -- (ql2200)
DRV - [2007/02/18 05:00:00 | 000,130,560 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ql2100.sys -- (ql2100)
DRV - [2007/02/18 05:00:00 | 000,113,664 | ---- | M] (Emulex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\lp6nds35.sys -- (lp6nds35)
DRV - [2007/02/18 05:00:00 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2007/02/18 05:00:00 | 000,069,632 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqfcalm.sys -- (cpqfcalm)
DRV - [2007/02/18 05:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
DRV - [2007/02/18 05:00:00 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)
DRV - [2007/02/18 05:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\hpt3xx.sys -- (hpt3xx)
DRV - [2007/02/18 05:00:00 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
DRV - [2007/02/18 05:00:00 | 000,027,648 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\ipsraidn.sys -- (ipsraidn)
DRV - [2007/02/18 05:00:00 | 000,024,064 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dpti2o.sys -- (dpti2o)
DRV - [2007/02/18 05:00:00 | 000,022,016 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dellcerc.sys -- (dellcerc)
DRV - [2007/02/18 05:00:00 | 000,018,432 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqcissm.sys -- (cpqcissm)
DRV - [2007/02/18 05:00:00 | 000,016,384 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarray.sys -- (Cpqarray)
DRV - [2007/02/18 05:00:00 | 000,015,360 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cpqarry2.sys -- (cpqarry2)
DRV - [2007/02/15 02:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 02:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/09/18 15:23:34 | 000,031,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpfilter.sys -- (tpfilter)
DRV - [2006/09/12 11:26:16 | 000,031,872 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VirtFile.sys -- (VirtFile)
DRV - [2006/09/05 18:16:14 | 000,037,760 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\halfinch.sys -- (halfinchVRTS)
DRV - [2006/05/03 16:08:20 | 000,019,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SCSICHNG.SYS -- (SCSIChanger)
DRV - [2006/04/20 17:31:38 | 001,379,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/19 11:12:22 | 000,067,072 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2005/03/24 18:55:32 | 000,343,424 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpad.sys -- (ati2mpad)
DRV - [2004/01/06 16:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2012/09/01 13:33:33 | 000,000,899 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s File not found
O4 - HKLM..\Run: [XXXXXX87FC2E28] C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe File not found
O4 - HKCU..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stone-tapert.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F0DECE3-5FFC-42B5-B543-0EA70D88C1B3}: NameServer = 192.168.1.130,192.168.1.150
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop Components:AutorunsDisabled () -
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINDOWS\System32\pwdssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/02 18:00:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/04 12:54:46 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:44 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\NirSoft ShellExView
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2012/09/02 13:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\Old
[2012/09/02 13:06:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/01 20:52:29 | 000,121,368 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DNTUS26.EXE
[2012/09/01 13:34:55 | 000,000,000 | ---D | C] -- C:\Old
[2012/09/01 12:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\My Documents\Exchange Task Wizard Logs
[2012/08/31 19:01:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Administrative Tools
[2012/08/31 18:52:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IECompatCache
[2012/08/31 18:52:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\PrivacIE
[2012/08/31 18:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Identities
[2012/08/31 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\WINDOWS
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\st_admin\Application Data\Microsoft
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\SendTo
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Recent
[2012/08/31 17:50:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\st_admin\Application Data
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Startup
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\My Documents
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Favorites
[2012/08/31 17:50:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\st_admin\Start Menu\Programs\Accessories
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\IETldCache
[2012/08/31 17:50:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\st_admin\Cookies
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Templates
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\PrintHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\NetHood
[2012/08/31 17:50:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\st_admin\Local Settings
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\Symantec
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Local Settings\Application Data\PCHealth
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Malwarebytes
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Macromedia
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Application Data\Adobe
[2012/08/31 17:50:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\st_admin\Desktop\AATS
[2012/08/29 21:33:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/08/29 06:02:11 | 000,000,000 | ---D | C] -- C:\Dell
[2012/08/28 17:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 3
[2012/08/28 17:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer3
[2012/08/27 20:09:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\dwrcssft
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/04 12:55:24 | 000,000,000 | ---- | M] () -- C:\hexmxwl.exe
[2012/09/04 12:55:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\hexmxwl.exe
[2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | M] () -- C:\shmxwl.exe
[2012/09/04 12:54:45 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/04 12:54:39 | 000,000,067 | ---- | M] () -- C:\xpmxwl.exe
[2012/09/04 12:54:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\xpmxwl.exe
[2012/09/04 12:00:12 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job
[2012/09/04 12:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/04 10:59:36 | 000,000,063 | ---- | M] () -- C:\WINDOWS\System32\shDanRan.exe
[2012/09/04 10:59:25 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\onfDanRan.dat
[2012/09/04 01:17:37 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/04 01:17:37 | 000,240,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/03 22:34:26 | 001,172,698 | ---- | M] () -- C:\WINDOWS\System32\besnmp.TRC
[2012/09/03 22:26:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/03 19:43:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/01 13:33:33 | 000,000,899 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/31 23:26:10 | 000,001,716 | -H-- | M] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 19:38:11 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/31 19:26:33 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/31 18:47:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 17:48:59 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2012/08/28 21:23:16 | 000,002,838 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/08/27 21:11:40 | 000,065,536 | ---- | M] () -- C:\WINDOWS\NETLOGON.CHG
[2012/08/27 20:09:55 | 000,000,713 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:06 | 000,689,826 | ---- | M] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:43 | 001,861,240 | ---- | M] () -- C:\Program Files\DNS.zip
[2012/08/17 17:33:42 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/04 12:55:24 | 000,000,000 | ---- | C] () -- C:\hexmxwl.exe
[2012/09/04 12:55:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\hexmxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | C] () -- C:\shmxwl.exe
[2012/09/04 12:54:39 | 000,000,067 | ---- | C] () -- C:\xpmxwl.exe
[2012/09/04 12:54:39 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\xpmxwl.exe
[2012/09/04 10:59:36 | 000,000,063 | ---- | C] () -- C:\WINDOWS\System32\shDanRan.exe
[2012/09/04 10:59:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\onfDanRan.dat
[2012/08/31 23:26:32 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Remote Desktop Connection.lnk
[2012/08/31 23:24:00 | 000,001,716 | -H-- | C] () -- C:\Documents and Settings\st_admin\My Documents\Default.rdp
[2012/08/31 18:55:05 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk
[2012/08/31 18:47:30 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\st_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/31 18:47:30 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Internet Explorer.lnk
[2012/08/31 18:47:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Outlook Express.lnk
[2012/08/31 17:50:11 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\st_admin\Desktop\Job Monitor.lnk
[2012/08/31 17:50:10 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\st_admin\Start Menu\Programs\Remote Assistance.lnk
[2012/08/27 20:09:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2012/08/23 00:45:05 | 000,689,826 | ---- | C] () -- C:\Program Files\TCPM.zip
[2012/08/23 00:34:41 | 001,861,240 | ---- | C] () -- C:\Program Files\DNS.zip
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/06/04 01:48:00 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2012/05/31 17:16:20 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2012/05/30 23:15:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/03 10:29:13 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/12/22 10:52:21 | 000,002,838 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2009/06/13 17:18:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2008/11/19 12:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/06/29 14:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/05/14 19:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/07/14 20:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SolarWinds
[2012/08/28 21:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\st_admin\Application Data\TeamViewer
[2012/08/31 10:00:00 | 000,032,392 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
[2012/09/04 12:00:04 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{53dc1cf1-91e7-11db-9d5d-806e6f6e6963}.job
[2012/09/04 12:00:12 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\ShadowCopyVolume{69f3b6d1-590e-11de-abaa-00188b42e686}.job

========== Purity Check ==========



< End of report >


#41
RKinner (Malware Expert, 24,731 posts, MVP)
This is a service which you can shut down with autoruns:

SRV - [2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) [Auto | Running] -- C:\WINDOWS\system32\smxwl.exe -- (DSLservwdw)

The rest we can clean with OTL.

:OTL
O4 - HKLM..\Run: [XXXXXX87FC2E28] C:\Documents and Settings\xiaopu$\WINDOWS\XXXXXX87FC2E28\svchsot.exe File not found
[2012/09/04 12:54:46 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:44 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/04 12:55:24 | 000,000,000 | ---- | M] () -- C:\hexmxwl.exe
[2012/09/04 12:55:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\hexmxwl.exe
[2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | M] () -- C:\shmxwl.exe
[2012/09/04 12:54:45 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/04 12:54:39 | 000,000,067 | ---- | M] () -- C:\xpmxwl.exe
[2012/09/04 12:54:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\xpmxwl.exe
[2012/09/04 12:55:24 | 000,000,000 | ---- | C] () -- C:\hexmxwl.exe
[2012/09/04 12:55:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\hexmxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | C] () -- C:\shmxwl.exe
[2012/09/04 10:59:36 | 000,000,063 | ---- | C] () -- C:\WINDOWS\System32\shDanRan.exe
[2012/09/04 10:59:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\onfDanRan.dat

:files
C:\RECYCLER\*.*
sc config DSLservwdw start= disabled /c
sc delete DSLservwdw /c
C:\Documents and Settings\xiaopu$
     
:Commands
[EMPTYJAVA]
[EMPTYFLASH]
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl+V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Then run an OTL quickscan and let's see what is up.

You might try gmer and see if it runs on a server:

Download GMER from http://www.gmer.net/download.php. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

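The fix above was assembled by reading the OTL "Files Created/Modified" entries by eye. As an added example (not OTL's code and not anything posted in this thread), here is a small Python parser for those `[date | size | attrs | C/M] (company) -- path` lines that applies the same tells the expert used to single out the smxwl/DanRan files: no publisher, a size far too small for a PE, an executable dropped in the drive root, and one publisher+size pair under several names. The cutoff date, size thresholds and the embedded sample excerpt are my assumptions.

```python
"""Triage helper for OTL file entries (added example; not OTL's own code)."""
import re
from collections import defaultdict
from datetime import datetime

# One OTL file entry: [date time | size | attrs | C/M] (company)? -- path
OTL_ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [CM]\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
IN_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # e.g. C:\bootmxwl.exe


def parse_entry(line):
    """Parse one OTL file line into a dict, or return None for any other line."""
    m = OTL_ENTRY.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "is_dir": "D" in m["attrs"],
        "company": (m["company"] or "").strip(),
        "path": m["path"].strip(),
    }


def triage(lines, newer_than):
    """Return {path: [reasons]} for files newer than `newer_than` worth a second look.
    The tells are the ones the expert used on the log above: no publisher string,
    a size far too small for a real PE (or tiny in general), an executable sitting
    in a drive root, and one publisher+size pair under several names/paths."""
    entries = {}
    for line in lines:
        e = parse_entry(line)
        if e and not e["is_dir"] and e["ts"] >= newer_than:
            entries[e["path"]] = e  # same path recurs in Created and Modified sections
    by_sig = defaultdict(set)
    for e in entries.values():
        if e["company"]:
            by_sig[(e["company"], e["size"])].add(e["path"])
    flagged = {}
    for path, e in entries.items():
        is_exec = path.lower().endswith(EXEC_EXT)
        reasons = []
        if is_exec and not e["company"]:
            reasons.append("executable without publisher")
        if (is_exec and e["size"] < 1024) or e["size"] < 256:
            reasons.append("implausibly small (%d bytes)" % e["size"])
        if is_exec and IN_DRIVE_ROOT.match(path):
            reasons.append("executable in drive root")
        if e["company"] and len(by_sig[(e["company"], e["size"])]) > 1:
            reasons.append("same publisher and size as another file")
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed sample: a dozen lines excerpted from the OTL log posted in this thread.
SAMPLE_LOG = r"""
[2012/09/04 12:54:46 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:44 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/03 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2012/09/01 20:52:29 | 000,121,368 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DNTUS26.EXE
[2012/09/04 12:55:24 | 000,000,000 | ---- | M] () -- C:\hexmxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | M] () -- C:\shmxwl.exe
[2012/09/04 12:54:39 | 000,000,067 | ---- | M] () -- C:\xpmxwl.exe
[2012/09/04 10:59:36 | 000,000,063 | ---- | C] () -- C:\WINDOWS\System32\shDanRan.exe
[2012/09/04 10:59:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\onfDanRan.dat
[2012/09/04 01:17:37 | 000,950,174 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/04 01:48:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
"""


def triage_sample():
    """Run the triage over SAMPLE_LOG, keeping only files newer than 2012/08/20 (assumed cutoff)."""
    return triage(SAMPLE_LOG.splitlines(), datetime(2012, 8, 20))
```

Run `triage_sample()` and the seven paths the expert put in his OTL fix come back flagged, while DNTUS26.EXE (DameWare, full-size, unique) and the older RegBootClean.exe do not; treat the output as a worklist to verify, not a verdict.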

#42
rahanna (Member, Topic Starter, 96 posts)
Ron,

I ran AutoRuns and attached the results as we did before ...

My question in regards to AutoRuns: is unchecking the suspicious key enough, or should I right-click and DELETE it???

Also, the services that I had unchecked before in AutoRuns came back again and are now checked, including:

Services
Isa
Iprip
Irmon
NWCWorkstation
Nwsapagent
... etc.

Notify
Ati


So, will the DELETE clear it for good ???


#43
rahanna (Member, Topic Starter, 96 posts)
Ron,

I am working remotely on the Server so won't be able to run GMER offline ...

As for running OTL with [ Run Fix ], remember that it crashed and you related it to Malwarebytes ...

Should I remove Malwarebytes before running OTL with the Run Fix so I don't lose my Remote Connection ???

Let me know ...

Thanks,

#44
RKinner (Malware Expert, 24,731 posts, MVP)
I don't use autoruns very much but it's worth trying. You also need to delete all of these:

[2012/09/04 12:54:46 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:44 | 000,116,224 | ---- | C] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/04 12:55:24 | 000,000,000 | ---- | M] () -- C:\hexmxwl.exe
[2012/09/04 12:55:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\hexmxwl.exe
[2012/09/04 12:54:48 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\WINDOWS\System32\smxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | M] () -- C:\shmxwl.exe
[2012/09/04 12:54:45 | 000,116,224 | ---- | M] (广东一一五科技有限公司) -- C:\bootmxwl.exe
[2012/09/04 12:54:39 | 000,000,067 | ---- | M] () -- C:\xpmxwl.exe
[2012/09/04 12:54:39 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\xpmxwl.exe
[2012/09/04 12:54:47 | 000,000,064 | ---- | C] () -- C:\shmxwl.exe
[2012/09/04 10:59:36 | 000,000,063 | ---- | C] () -- C:\WINDOWS\System32\shDanRan.exe
[2012/09/04 10:59:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\onfDanRan.dat

and empty the recycle bin; then you will need to reboot. If things don't want to delete then I would get Process Explorer.

Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures

You can use Process Explorer to kill processes like smxwl.exe

#45
RKinner (Malware Expert, 24,731 posts, MVP)
OTL crashed because I tried to have it clear the temp files. When it does that it tries to Kill All Processes, and MBAM objects to being killed. It should work this time with or without MBAM, but if you want to be sure you can uninstall it first.