AWS
FPCH Admin

Everything posted by AWS

  1. I feel your pain. I gave up on the rebate too. I did everything they asked and so far haven't got a dime. Maybe it's in the mail.
  2. The only thing I like about Bing is the maps. I think they are the best. Google changed theirs and it just isn't very good.
  3. That's a damn good board. I built a box for a friend and that's the board I used. I put in an i3, I believe. My buddy tells me his kids love the difference from the old Core 2 Duo it replaced.
  4. I've got 2 of these in my main desktop. Great drives. Make sure you update the firmware as soon as you plug it in.
  6. I found the attack vector. On the server I had a site that I closed a couple of years ago. It was a blog with articles and tips for Windows Server users. I used WordPress as the software. The version of WordPress was in the early 3.0 branch. Since that was a test server I only had port 8080 and 443 for https open, but I had IIS shut off, so any attempts to access any site would have gone to a null route. When I took the server out of the rack when I turned on the new server for CHF, I put it to the side to be used as a backup server. Once I transferred the files from the backup to it I put it back online connected only to the local network. Or so I thought. I had forgotten to remove one of the static public IPs. Also, when I rebooted it IIS turned back on and I didn't think to turn it off. Long story short, a hacker tool was used that probes for vulnerable WordPress sites, found mine and used the exploit to upload a shell. Once that happened it was a free-for-all. I have now removed the public IP and uninstalled IIS. Lesson learned: never leave old vulnerable software open to the public.
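The post above describes the sequence a WordPress scanner leaves in the web server's own access log: version recon, an upload, then direct requests to a script sitting under wp-content/uploads. The following is an added example written for this page (not the poster's code) that flags that pattern in IIS W3C logs and builds a per-source timeline from it. The log text is constructed to mirror the sequence described; its IPs, paths, timestamps and the assumed IIS 7.5 field layout are made up.

```python
"""Added example (not from the post above): flag the web-shell pattern the
post describes in IIS W3C logs. SAMPLE_LOG is constructed; nothing here is
taken from the server in question."""
import re
from datetime import datetime

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-07-29 04:52:10 10.0.0.5 GET /readme.html - 8080 - 203.0.113.9 Mozilla/5.0 200
2014-07-29 04:52:11 10.0.0.5 GET /wp-login.php - 8080 - 203.0.113.9 Mozilla/5.0 200
2014-07-29 04:55:40 10.0.0.5 POST /wp-admin/admin-ajax.php action=upload 8080 - 203.0.113.9 Mozilla/5.0 200
2014-07-29 04:56:02 10.0.0.5 GET /wp-content/uploads/2014/07/cache.php cmd=whoami 8080 - 203.0.113.9 Mozilla/5.0 200
2014-07-29 04:56:30 10.0.0.5 POST /wp-content/uploads/2014/07/cache.php - 8080 - 203.0.113.9 Mozilla/5.0 200
2014-07-29 09:00:00 10.0.0.5 GET /index.php - 8080 - 198.51.100.7 Mozilla/5.0 200
"""

# The uploads tree is supposed to hold media only; a server-side script
# being requested from it is the strongest single web-shell indicator.
UPLOAD_SCRIPT = re.compile(r"/wp-content/uploads/.*\.(?:php\d?|phtml|asp|aspx)$", re.I)
# Paths scanners hit to fingerprint the WordPress version before exploiting it.
RECON_PATHS = {"/readme.html", "/wp-login.php", "/xmlrpc.php"}
SHELL = "script executed from upload directory"


def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            parts = line.split()
            if len(parts) == len(fields):  # IIS never quotes, so a mismatch is a damaged line
                records.append(dict(zip(fields, parts)))
    return records


def classify(rec):
    """Return a reason string for a suspicious request, or None."""
    stem = rec.get("cs-uri-stem", "")
    if UPLOAD_SCRIPT.search(stem):
        return SHELL
    if (rec.get("cs-method") == "POST" and stem.lower().endswith("/admin-ajax.php")
            and "upload" in rec.get("cs-uri-query", "").lower()):
        return "upload via admin-ajax"
    if stem.lower() in RECON_PATHS:
        return "wordpress recon"
    return None


def find_webshell_hits(records):
    hits = []
    for rec in records:
        reason = classify(rec)
        if reason:
            hits.append({
                "when": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
                "ip": rec["c-ip"], "stem": rec["cs-uri-stem"], "reason": reason})
    return hits


def attacker_timeline(hits):
    """Per source IP: first and last hit plus the distinct reasons in time order."""
    out = {}
    for h in sorted(hits, key=lambda h: h["when"]):
        e = out.setdefault(h["ip"], {"first": h["when"], "last": h["when"], "reasons": []})
        e["last"] = h["when"]
        if h["reason"] not in e["reasons"]:
            e["reasons"].append(h["reason"])
    return out


def first_shell_request(hits):
    """Earliest request that executed a script from the uploads tree: the
    best log-derived estimate of when the shell went live."""
    shell = [h for h in hits if h["reason"] == SHELL]
    return min(shell, key=lambda h: h["when"]) if shell else None


if __name__ == "__main__":
    hits = find_webshell_hits(parse_iis_log(SAMPLE_LOG))
    for ip, e in attacker_timeline(hits).items():
        print(ip, e["first"], "->", e["last"], "|", ", ".join(e["reasons"]))
    first = first_shell_request(hits)
    if first:
        print("earliest shell request:", first["when"], first["stem"], "from", first["ip"])
```

On a real host the input is the W3C files under C:\inetpub\logs\LogFiles\W3SVCn\; note the timestamps there are UTC by default, so convert before comparing with a local-time clue such as an install date. The regex covers only WordPress's default upload path; sites with a relocated uploads directory need the pattern adjusted.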
  7. I wonder how many people actually paid the ransom. One guy at work got infected. He asked me what to do and I told him if the files aren't important don't pay it and just format and install clean. If they are of value to you I told him to pay the ransom.
  8. You're right about ESET not detecting it while the online scan did. Anyway, thanks for the help. I'll let it run for a few more days before I retire it.
  9. What's more baffling is how the server was infected. I am the only one with access to it. RDP is locked down to only allow access from local IPs, and only my IPs from my main desktop and laptop. No external connections allowed. I don't use it to surf the web or open email. The only time I log in to it is to rotate backups or test code. The only site running on it is a test site that is local only. It's the old server that we used for CHF. I do know when the infection happened. It was on July 29th at 4:56 AM CST. The person who got in covered his tracks really well. The only clue was the date WinRAR was installed. All event logs were cleared. I looked at my router logs and I saw a SYN flood on the border router, but the DDoS protection on the load balancer mitigated that. The only thing I can think of is I might have opened up a hole with some of my code. I am working on some add-ins to enhance remote management. It's either that or a zero-day exploit in Windows 2008 R2.
  10. That's a heck of a good buy. The new server is almost done. It will be one whale of a fast server when I put it online. I have it up and running locally, burning it in now. This weekend I'll install all the services and hopefully get the site moved to it next week. I have all 7 of the SSDs that I bought last week in it: the 240 GB ones in RAID 10 for the database and the other 3 in RAID 5 for the files.
  11. I am getting some good reports from my friend at Microsoft. He doesn't tell me as much as he used to because of the scandal a few years ago with major leaks of alpha builds of software before it was even released to internal testers. When we talk now he hints at things and I have to put the pieces together. He is a marketing guy at MS and I have never asked about any upgrade offers. I'm interested in the tech side and while he knows he isn't telling. The little I have got from him makes Windows 9 look like it could be a real killer.
  12. RogueKiller log:

     RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Administrator [Admin rights]
     Mode : Scan -- Date : 08/04/2014 17:08:09

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 14 ¤¤¤
     [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> FOUND
     [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> FOUND
     [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
     [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> FOUND
     [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND
     [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> FOUND
     [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> FOUND
     [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
     [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> FOUND
     [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ HOSTS File : 0 ¤¤¤

     ¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: WDC WD1001FALS-00J7B0 ATA Device +++++
     --- User ---
     [MBR] e36b29ed5deb4d86d6431d847a232055
     [BSP] 6bf05f4762bd9870a00d4f8a448a77b7 : Windows Vista/7/8 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
     1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 483768 MB
     2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 990963712 | Size: 469999 MB
     User = LL1 ... OK
     User = LL2 ... OK
  13. Fix results:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-08-2014
     Ran by Administrator at 2014-08-04 16:56:18 Run:1
     Running from C:\Users\Administrator\Desktop
     Boot Mode: Normal
     ==============================================

     Content of fixlist:
     *****************
     S2 WinQvods; C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exe -k [X]
     S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
     S3 MSICDSetup; \??\E:\CDriver64.sys [X]
     S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
     S1 qsscomnl; \??\C:\Windows\system32\drivers\qsscomnl.sys [X]
     S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
     S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
     S3 VMSMP; system32\DRIVERS\vmswitch.sys [X]
     C:\Windows\system32\rejoice.exe
     Hosts:
     *****************

     WinQvods => Service deleted successfully.
     IntcAzAudAddService => Service deleted successfully.
     MSICDSetup => Service deleted successfully.
     nvlddmkm => Service deleted successfully.
     qsscomnl => Service deleted successfully.
     vmci => Service deleted successfully.
     VMnetAdapter => Service deleted successfully.
     VMSMP => Service deleted successfully.
     "C:\Windows\system32\rejoice.exe" => File/Directory not found.
     C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
     Hosts was reset successfully.

     ==== End of Fixlog ====
  14. I installed MSSE a couple of hours before I did the scan. I wanted to see if it picked up anything the other 2 missed. Scan results to follow.
  15. Addition.txt:

     Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-08-2014
     Ran by Administrator at 2014-08-03 17:17:42
     Running from C:\Users\Administrator\Desktop
     Boot Mode: Normal
     ==========================================================

     ==================== Security Center ========================

     (If an entry is included in the fixlist, it will be removed.)

     ==================== Installed Programs ======================

     (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

     Helicon Ape (HKLM-x32\...\{2BBFCEFA-33AF-4A8B-8041-2216B87DEAE1}) (Version: 3.0.0062 - Helicon Tech)
     Helicon Zoo native module for IIS7 (HKLM\...\{77947360-D1ED-4AEB-B1FD-501205B4CE5F}) (Version: 2.0.77.328 - Helicon Tech)
     hMailServer 5.4.2-B1964 (HKLM-x32\...\hMailServer_is1) (Version:  - )
     IIS URL Rewrite Module 2 (HKLM\...\{EB675D0A-2C95-405B-BEE8-B42A65D23E11}) (Version: 7.2.2 - Microsoft Corporation)
     Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1912 - Intel Corporation)
     Java 7 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417045FF}) (Version: 7.0.450 - Oracle)
     Java SE Development Kit 7 Update 45 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170450}) (Version: 1.7.0.450 - Oracle)
     Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
     Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
     Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
     Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
     Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
     Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
     Microsoft SQL Server Compact 3.5 ENU (HKLM-x32\...\{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}) (Version: 3.5.5386.0 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
     Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
     Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
     Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
     Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
     Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden
     Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden
     Microsoft Web Deploy 2.0 (HKLM\...\{5134B35A-B559-4762-94A4-FD4918977953}) (Version: 2.0.1070 - Microsoft Corporation)
     Microsoft Web Deploy 3.0 (HKLM\...\{AA72C306-30BE-4BB1-9E42-59552BAD2CDF}) (Version: 3.1236.1631 - Microsoft Corporation)
     Microsoft Web Platform Installer 4.5 (HKLM\...\{458707CD-9D7A-477F-B925-02242A29673B}) (Version: 4.0.1863 - Microsoft Corporation)
     MySQL Connector Net 6.3.7 (HKLM-x32\...\{5FD88490-011C-4DF1-B886-F298D955171B}) (Version: 6.3.7 - Oracle)
     PHP Manager 1.2 for IIS 7 (HKLM\...\{E851486F-1FE2-44F0-85ED-F969088A68EE}) (Version: 1.2.0 - )
     Python 2.7.3 (HKLM-x32\...\{C0C31BCC-56FB-42a7-8766-D29E1BD74C7C}) (Version: 2.7.3150 - Python Software Foundation)
     Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.23.623.2010 - Realtek)
     Realtek Ethernet Diagnostic Utility (HKLM-x32\...\{DADC7AB0-E554-4705-9F6A-83EA82ED708E}) (Version: 2.0.2.3 - Realtek)
     System Requirements Lab (HKLM-x32\...\SystemRequirementsLab) (Version:  - )

     ==================== Custom CLSID (selected items): ==========================

     (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

     ==================== Restore Points =========================

     Could not list Restore Points. Check "winmgmt" service or repair WMI.

     ==================== Hosts content: ==========================

     (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

     2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

     ==================== Scheduled Tasks (whitelisted) =============

     (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

     Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
     Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
     Task: {A22EF847-A656-4D36-AE6E-CC92341CF5A8} - System32\Tasks\MySQL Backup => D:\MySQLBackups\mysqlbackup.bat [2013-01-16] ()
     Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
     Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)

     ==================== Loaded Modules (whitelisted) =============

     2011-03-13 10:37 - 2011-03-13 10:34 - 09631232 _____ () D:\mysql-5.5.9\bin\mysqld.exe
     2011-03-12 17:24 - 2009-02-10 17:09 - 00296960 _____ () C:\Users\Administrator\Downloads\NetMeter.exe
     2013-11-23 19:53 - 2012-06-26 16:17 - 00626176 _____ () C:\inetpub\php-5.4.22-nts\ext\ioncube_loader_win_5.4.dll
     2013-11-23 19:50 - 2013-11-23 19:50 - 00097792 _____ () C:\inetpub\php-5.4.22-nts\LIBPQ.dll
     2014-02-13 17:21 - 2014-02-08 14:16 - 01304576 _____ () C:\ImageMagick\CORE_RL_magick_.dll
     2014-02-13 17:21 - 2014-02-08 14:16 - 00224256 _____ () C:\ImageMagick\CORE_RL_lcms_.dll

     ==================== Alternate Data Streams (whitelisted) =========

     (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

     ==================== Safe Mode (whitelisted) ===================

     (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

     ==================== EXE Association (whitelisted) =============

     (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

     ==================== MSCONFIG/TASK MANAGER disabled items =========

     (Currently there is no automatic fix for this section.)

     ==================== Faulty Device Manager Devices =============

     ==================== Event log errors: =========================

     Application errors:
     ==================
     Error: (08/03/2014 01:36:51 AM) (Source: SideBySide) (EventID: 80) (User: )
     Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
     A component version required by the application conflicts with another component version already active.
     Conflicting components are:.
     Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
     Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

     Error: (08/02/2014 06:00:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
     Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

     Error: (08/02/2014 05:59:47 AM) (Source: Application Error) (EventID: 1000) (User: )
     Description: Faulting application name: WinQvodPlayer.exe, version: 0.0.0.0, time stamp: 0x2a425e19
     Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86
     Exception code: 0x0eedfade
     Fault offset: 0x0000c42d
     Faulting process id: 0x3b8
     Faulting application start time: 0xWinQvodPlayer.exe0
     Faulting application path: WinQvodPlayer.exe1
     Faulting module path: WinQvodPlayer.exe2
     Report Id: WinQvodPlayer.exe3

     Error: (08/02/2014 05:59:02 AM) (Source: VSS) (EventID: 8193) (User: )
     Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
     .

     Operation:
     Initializing Writer

     Context:
     Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
     Writer Name: System Writer
     Writer Instance ID: {b4075191-6a22-44e2-9802-8eefe0ea871d}

     Error: (08/02/2014 05:58:03 AM) (Source: Application Error) (EventID: 1000) (User: )
     Description: Faulting application name: elasticsearch-service-x64.exe, version: 1.0.15.0, time stamp: 0x51543b9d
     Faulting module name: jvm.dll, version: 24.45.0.8, time stamp: 0x5254099f
     Exception code: 0xc0000005
     Fault offset: 0x00000000001ccf58
     Faulting process id: 0x580
     Faulting application start time: 0xelasticsearch-service-x64.exe0
     Faulting application path: elasticsearch-service-x64.exe1
     Faulting module path: elasticsearch-service-x64.exe2
     Report Id: elasticsearch-service-x64.exe3

     Error: (08/01/2014 09:47:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
     Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

     Error: (08/01/2014 09:46:49 PM) (Source: Application Error) (EventID: 1000) (User: )
     Description: Faulting application name: WinQvodPlayer.exe, version: 0.0.0.0, time stamp: 0x2a425e19
     Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86
     Exception code: 0x0eedfade
     Fault offset: 0x0000c42d
     Faulting process id: 0x488
     Faulting application start time: 0xWinQvodPlayer.exe0
     Faulting application path: WinQvodPlayer.exe1
     Faulting module path: WinQvodPlayer.exe2
     Report Id: WinQvodPlayer.exe3

     Error: (08/01/2014 09:46:06 PM) (Source: VSS) (EventID: 8193) (User: )
     Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
     .

     Operation:
     Initializing Writer

     Context:
     Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
     Writer Name: System Writer
     Writer Instance ID: {36a85e37-144b-463c-ac23-261c5c15af42}

     Error: (08/01/2014 09:45:08 PM) (Source: Application Error) (EventID: 1000) (User: )
     Description: Faulting application name: elasticsearch-service-x64.exe, version: 1.0.15.0, time stamp: 0x51543b9d
     Faulting module name: jvm.dll, version: 24.45.0.8, time stamp: 0x5254099f
     Exception code: 0xc0000005
     Fault offset: 0x00000000001ccf58
     Faulting process id: 0x574
     Faulting application start time: 0xelasticsearch-service-x64.exe0
     Faulting application path: elasticsearch-service-x64.exe1
     Faulting module path: elasticsearch-service-x64.exe2
     Report Id: elasticsearch-service-x64.exe3

     System errors:
     =============
     Error: (08/03/2014 05:17:05 PM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 03:47:41 PM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 02:27:18 PM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 01:09:17 PM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 11:38:24 AM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 09:48:30 AM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 08:37:13 AM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 07:22:42 AM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 06:22:26 AM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Error: (08/03/2014 05:21:24 AM) (Source: TermDD) (EventID: 50) (User: )
     Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

     Microsoft Office Sessions:
     =========================
     Error: (08/03/2014 01:36:51 AM) (Source: SideBySide) (EventID: 80) (User: )
     Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestc:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe

     Error: (08/02/2014 06:00:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
     Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

     Error: (08/02/2014 05:59:47 AM) (Source: Application Error) (EventID: 1000) (User: )
     Description: WinQvodPlayer.exe0.0.0.02a425e19KERNELBASE.dll6.1.7601.1840953159a860eedfade0000c42d3b801cfae40d382801eC:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exeC:\Windows\syswow64\KERNELBASE.dll1d4a7d00-1a34-11e4-8bcd-6c626d8a1b2a

     Error: (08/02/2014 05:59:02 AM) (Source: VSS) (EventID: 8193) (User: )
     Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.

     Operation:
     Initializing Writer

     Context:
     Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
     Writer Name: System Writer
     Writer Instance ID: {b4075191-6a22-44e2-9802-8eefe0ea871d}

     Error: (08/02/2014 05:58:03 AM) (Source: Application Error) (EventID: 1000) (User: )
     Description: elasticsearch-service-x64.exe1.0.15.051543b9djvm.dll24.45.0.85254099fc000000500000000001ccf5858001cfadfbe8a58c56C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exeC:\Program Files\Java\jdk1.7.0_45\jre\bin\server\jvm.dlldf9741e6-1a33-11e4-9ec3-6c626d8a1b2a

     Error: (08/01/2014 09:47:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
     Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

     Error: (08/01/2014 09:46:49 PM) (Source: Application Error) (EventID: 1000) (User: )
     Description: WinQvodPlayer.exe0.0.0.02a425e19KERNELBASE.dll6.1.7601.1840953159a860eedfade0000c42d48801cfadfbf5631d46C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exeC:\Windows\syswow64\KERNELBASE.dll3fa976ca-19ef-11e4-9ec3-6c626d8a1b2a

     Error: (08/01/2014 09:46:06 PM) (Source: VSS) (EventID: 8193) (User: )
     Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.

     Operation:
     Initializing Writer

     Context:
     Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
     Writer Name: System Writer
     Writer Instance ID: {36a85e37-144b-463c-ac23-261c5c15af42}

     Error: (08/01/2014 09:45:08 PM) (Source: Application Error) (EventID: 1000) (User: )
     Description: elasticsearch-service-x64.exe1.0.15.051543b9djvm.dll24.45.0.85254099fc000000500000000001ccf5857401cfaddc9b6f7bbeC:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exeC:\Program Files\Java\jdk1.7.0_45\jre\bin\server\jvm.dll03875f56-19ef-11e4-b2f7-6c626d8a1b2a

     ==================== Memory info ===========================

     Percentage of memory in use: 54%
     Total physical RAM: 8182.24 MB
     Available physical RAM: 3707.11 MB
     Total Pagefile: 16362.66 MB
     Available Pagefile: 11764.45 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.84 MB

     ==================== Drives ================================

     Drive c: (Windows) (Fixed) (Total:472.43 GB) (Free:411.6 GB) NTFS
     Drive d: (Programs) (Fixed) (Total:458.98 GB) (Free:350.23 GB) NTFS

     ==================== MBR & Partition Table ==================

     ========================================================
     Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 78C6DD2D)
     Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
     Partition 2: (Not Active) - (Size=472 GB) - (Type=07 NTFS)
     Partition 3: (Not Active) - (Size=459 GB) - (Type=07 NTFS)

     ==================== End Of Log ============================
  16. FRST.txt:

     Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-08-2014
     Ran by Administrator (administrator) on FORUMADMINS on 03-08-2014 17:16:55
     Running from C:\Users\Administrator\Desktop
     Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) OS Language: English (United States)
     Internet Explorer Version 11
     Boot Mode: Normal

     The only official download link for FRST:
     Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
     Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
     Download link from any site other than Bleeping Computer is unpermitted or outdated.
     See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

     ==================== Processes (Whitelisted) =================

     (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

     (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
     (Microsoft Corporation) C:\Windows\System32\dns.exe
     (Apache Software Foundation) C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exe
     (hMailServer) C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe
     (Microsoft Corporation) C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
     () D:\mysql-5.5.9\bin\mysqld.exe
     (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
     () C:\Users\Administrator\Downloads\NetMeter.exe
     (Microsoft Corporation) C:\Windows\System32\inetsrv\InetMgr.exe
     (Microsoft Corporation) C:\Windows\System32\LogonUI.exe
     (Microsoft Corporation) C:\Windows\System32\rdpclip.exe
     (Halvar Information) C:\Program Files (x86)\hMailServer\Bin\hMailAdmin.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
     (Microsoft Corporation) C:\Windows\System32\vds.exe
     (Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
     (Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
     (Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
     (Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
     (The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe
     (Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
     (The PHP Group) C:\inetpub\php-5.5.0-nts\php-cgi.exe
     (The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe
     (The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe
     (Intel Corporation) C:\Windows\System32\igfxsrvc.exe

     ==================== Registry (Whitelisted) ==================

     (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

     HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
     HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [532040 2013-04-04] (Malwarebytes Corporation)
     Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
     HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
     HKU\S-1-5-21-3518012042-1827334665-130950791-500\...\Run: [NetMeter] => C:\Users\Administrator\Downloads\NetMeter.exe [296960 2009-02-10] ()
     Lsa: [Notification Packages] scecli rassfm

     ==================== Internet (Whitelisted) ====================

     (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
     BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
     BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
     DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
     DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
     Tcpip\..\Interfaces\{1C892D5B-3031-404C-99FD-33D96921F52B}: [NameServer]4.2.2.2,4.2.2.1,8.8.8.8

     FireFox:
     ========
     FF Plugin: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
     FF Plugin: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
     FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
     FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

     ==================== Services (Whitelisted) =================

     (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

     S2 DeltaCopyService; C:\DeltaCopy\DCServce.exe [683008 2011-01-07] (Synametrics Technologies) [File not signed]
     R2 DNS; C:\Windows\system32\dns.exe [696832 2011-12-26] (Microsoft Corporation)
     R2 elasticsearch-service-x64; C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exe [103936 2013-12-22] (Apache Software Foundation) [File not signed]
     S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
     R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-06-01] (Microsoft Corporation)
     R2 hMailServer; C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe [6067712 2014-06-07] (hMailServer) [File not signed]
     R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
     R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
     R2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [80472 2012-09-06] (Microsoft Corporation)
     R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
     R2 MySQL; D:\mysql-5.5.9\bin\mysqld.exe [9631232 2011-03-13] () [File not signed]
     S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
     S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)
     S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
     S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
     R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
     S2 WLMS; C:\Windows\system32\wlms\wlms.exe [19456 2010-11-21] (Microsoft Corporation)
     S2 WinQvods; C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exe -k [X]

     ==================== Drivers (Whitelisted) ====================

     (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

     S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
     R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
     R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
     S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
     S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [58512 2012-07-03] (Realtek Corporation)
     S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
     S3 VLAN; C:\Windows\System32\DRIVERS\RtVLAN620.sys [32400 2012-09-01] (Realtek Corporation)
     S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
     S3 MSICDSetup; \??\E:\CDriver64.sys [X]
     S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
     S1 qsscomnl; \??\C:\Windows\system32\drivers\qsscomnl.sys [X]
     S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
     S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
     S3 VMSMP; system32\DRIVERS\vmswitch.sys [X]

     ==================== NetSvcs (Whitelisted) ===================

     (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

     NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

     ==================== One Month Created Files and Folders ========

     (If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-03 17:16 - 2014-08-03 17:17 - 00008573 _____ () C:\Users\Administrator\Desktop\FRST.txt 2014-08-03 17:16 - 2014-08-03 17:17 - 00000000 ____D () C:\FRST 2014-08-03 17:16 - 2014-08-03 17:16 - 02094080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe 2014-08-03 17:13 - 2014-08-03 17:13 - 00000000 ____D () C:\Users\Administrator\Documents\Stuff 2014-08-02 23:55 - 2014-08-02 23:55 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-08-02 18:03 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-08-02 18:00 - 2014-08-02 18:00 - 00000000 ____D () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business 2014-08-02 18:00 - 2014-08-02 17:59 - 67187077 _____ () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business.zip 2014-08-02 17:43 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll 2014-08-02 17:43 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll 2014-08-02 17:43 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll 2014-08-02 17:43 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe 2014-08-02 17:43 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll 2014-08-02 17:43 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll 2014-08-02 17:43 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\wups.dll 2014-08-02 17:43 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll 2014-08-02 17:43 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll 2014-08-02 17:43 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll 2014-08-02 17:43 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll 2014-08-02 17:43 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll 2014-08-02 17:43 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe 2014-08-02 17:43 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe 2014-08-02 06:19 - 2014-08-02 06:23 - 00004918 __RSH () C:\ProgramData\ntuser.pol 2014-08-02 06:00 - 2014-08-03 17:17 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\2 2014-08-01 21:43 - 2014-01-08 21:22 - 05694464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll 2014-08-01 21:43 - 2014-01-03 17:44 - 06574592 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll 2014-08-01 17:58 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys 2014-08-01 17:58 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe 2014-08-01 17:58 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll 2014-08-01 17:58 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll 2014-08-01 17:58 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll 2014-08-01 17:58 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll 2014-08-01 17:58 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) 
C:\Windows\system32\TsUsbGDCoInstaller.dll 2014-08-01 17:58 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll 2014-08-01 17:58 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll 2014-08-01 17:58 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll 2014-08-01 17:58 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe 2014-08-01 17:58 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe 2014-08-01 17:58 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll 2014-08-01 17:58 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe 2014-08-01 17:58 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll 2014-08-01 17:58 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe 2014-08-01 17:58 - 2013-09-24 21:23 - 01030144 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll 2014-08-01 17:58 - 2013-09-24 20:57 - 00792576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll 2014-07-27 02:04 - 2014-07-27 02:04 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Apps\2.0 2014-07-26 10:19 - 2014-07-26 10:19 - 00000019 _____ () C:\Users\Administrator\Documents\dns2.txt 2014-07-26 10:18 - 2014-07-26 10:18 - 00001255 _____ () C:\Users\Administrator\Documents\dns.txt 2014-07-13 13:22 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Umar_Temp.bmp 2014-07-13 13:21 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PhotoFoxRZ.bmp 2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BobS.bmp 2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () 
C:\Users\Administrator\AppData\Local\Temp\BeeCeeBee10112011.bmp 2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\admini.bmp 2014-07-08 22:28 - 2014-06-17 21:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe 2014-07-08 22:28 - 2014-06-17 20:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe 2014-07-08 22:28 - 2014-06-17 20:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2014-07-08 22:28 - 2014-06-05 09:45 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll 2014-07-08 22:28 - 2014-06-05 09:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2014-07-08 22:28 - 2014-06-05 09:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll 2014-07-08 22:28 - 2014-05-30 03:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00220160 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\ncrypt.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll 2014-07-08 22:28 - 2014-05-30 02:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll 2014-07-08 22:28 - 2014-05-30 01:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys 2014-07-08 22:27 - 2014-06-20 15:14 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2014-07-08 22:27 - 2014-06-20 14:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-07-08 22:27 - 2014-06-18 20:39 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-07-08 22:27 - 2014-06-18 20:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-07-08 22:27 - 2014-06-18 20:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-07-08 22:27 - 2014-06-18 19:48 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-07-08 22:27 - 2014-06-18 19:42 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-07-08 22:27 - 2014-06-18 19:42 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-07-08 22:27 - 2014-06-18 19:41 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2014-07-08 22:27 - 2014-06-18 19:41 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-07-08 22:27 - 2014-06-18 19:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-07-08 22:27 - 2014-06-18 19:31 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-07-08 22:27 - 2014-06-18 19:26 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-07-08 22:27 - 2014-06-18 19:24 - 00139264 _____ (Microsoft Corporation) 
C:\Windows\system32\ieUnatt.exe 2014-07-08 22:27 - 2014-06-18 19:24 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-07-08 22:27 - 2014-06-18 19:23 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-07-08 22:27 - 2014-06-18 19:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-07-08 22:27 - 2014-06-18 19:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-07-08 22:27 - 2014-06-18 19:09 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-07-08 22:27 - 2014-06-18 18:59 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-07-08 22:27 - 2014-06-18 18:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-07-08 22:27 - 2014-06-18 18:53 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-07-08 22:27 - 2014-06-18 18:51 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-07-08 22:27 - 2014-06-18 18:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-07-08 22:27 - 2014-06-18 18:48 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-07-08 22:27 - 2014-06-18 18:39 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-07-08 22:27 - 2014-06-18 18:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-07-08 22:27 - 2014-06-18 18:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-07-08 22:27 - 2014-06-18 18:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-07-08 22:27 - 2014-06-18 18:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-07-08 22:27 - 2014-06-18 18:33 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-07-08 22:27 - 2014-06-18 18:32 - 02179072 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-07-08 22:27 - 2014-06-18 18:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-07-08 22:27 - 2014-06-18 18:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-07-08 22:27 - 2014-06-18 18:27 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-07-08 22:27 - 2014-06-18 18:27 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-07-08 22:27 - 2014-06-18 18:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-07-08 22:27 - 2014-06-18 18:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-07-08 22:27 - 2014-06-18 18:22 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-07-08 22:27 - 2014-06-18 18:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-07-08 22:27 - 2014-06-18 18:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-07-08 22:27 - 2014-06-18 18:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-07-08 22:27 - 2014-06-18 17:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-07-08 22:27 - 2014-06-18 17:58 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-07-08 22:27 - 2014-06-18 17:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-07-08 22:27 - 2014-06-18 17:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-07-08 22:27 - 2014-06-18 17:51 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-07-08 22:27 - 2014-06-18 17:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-07-08 22:27 - 2014-06-18 17:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-07-08 22:27 - 2014-06-18 17:45 - 01964544 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-07-08 22:27 - 2014-06-18 17:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-07-08 22:27 - 2014-06-18 17:34 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-07-08 22:27 - 2014-06-18 17:15 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-07-08 22:27 - 2014-06-18 17:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-07-08 22:27 - 2014-06-18 17:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-07-08 22:27 - 2014-06-18 17:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2014-08-03 17:17 - 2014-08-03 17:16 - 00008573 _____ () C:\Users\Administrator\Desktop\FRST.txt 2014-08-03 17:17 - 2014-08-03 17:16 - 00000000 ____D () C:\FRST 2014-08-03 17:17 - 2014-08-02 06:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\2 2014-08-03 17:16 - 2014-08-03 17:16 - 02094080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe 2014-08-03 17:13 - 2014-08-03 17:13 - 00000000 ____D () C:\Users\Administrator\Documents\Stuff 2014-08-03 17:12 - 2011-03-12 17:11 - 00000000 ____D () C:\Windows\system32\dns 2014-08-03 17:10 - 2011-03-12 18:29 - 01194560 _____ () C:\Windows\WindowsUpdate.log 2014-08-03 16:35 - 2009-07-13 23:49 - 00024176 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-08-03 16:35 - 2009-07-13 23:49 - 00024176 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-08-02 23:55 - 2014-08-02 23:55 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes 2014-08-02 18:03 - 
2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-08-02 18:00 - 2014-08-02 18:00 - 00000000 ____D () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business 2014-08-02 17:59 - 2014-08-02 18:00 - 67187077 _____ () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business.zip 2014-08-02 17:32 - 2011-06-11 06:19 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PHP_User.bmp 2014-08-02 17:32 - 2011-06-11 06:19 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp 2014-08-02 14:32 - 2011-03-12 17:11 - 00000000 ____D () C:\inetpub 2014-08-02 06:23 - 2014-08-02 06:19 - 00004918 __RSH () C:\ProgramData\ntuser.pol 2014-08-02 05:58 - 2009-07-14 00:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-08-02 05:58 - 2009-07-13 23:56 - 00032453 _____ () C:\Windows\setupact.log 2014-08-01 22:22 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache 2014-08-01 21:45 - 2010-11-20 22:47 - 00196556 _____ () C:\Windows\PFRO.log 2014-07-27 02:04 - 2014-07-27 02:04 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Apps\2.0 2014-07-26 16:45 - 2011-10-23 10:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer 2014-07-26 16:45 - 2011-10-23 10:09 - 00000000 ____D () C:\Program Files (x86)\hMailServer 2014-07-26 10:19 - 2014-07-26 10:19 - 00000019 _____ () C:\Users\Administrator\Documents\dns2.txt 2014-07-26 10:18 - 2014-07-26 10:18 - 00001255 _____ () C:\Users\Administrator\Documents\dns.txt 2014-07-26 10:14 - 2011-03-12 21:52 - 00000000 ____D () C:\Users\Administrator\Documents\Tools 2014-07-26 00:12 - 2013-04-14 12:41 - 00016585 _____ () C:\Users\Administrator\AppData\Local\Temp\chrome_installer.log 2014-07-26 00:12 - 
2013-04-14 12:41 - 00000000 ____D () C:\Program Files (x86)\Google 2014-07-25 23:43 - 2009-07-14 00:10 - 00810646 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-07-25 23:35 - 2012-07-04 12:30 - 00000000 ____D () C:\Program Files\Microsoft Silverlight 2014-07-25 23:35 - 2012-07-04 12:30 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight 2014-07-24 03:01 - 2012-07-04 12:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight 2014-07-13 13:22 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Umar_Temp.bmp 2014-07-13 13:22 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PhotoFoxRZ.bmp 2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BobS.bmp 2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BeeCeeBee10112011.bmp 2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\admini.bmp 2014-07-12 23:00 - 2011-03-12 18:33 - 00000000 ____D () C:\Users\Administrator 2014-07-09 03:20 - 2009-07-13 23:49 - 00267240 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-07-09 03:19 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism 2014-07-09 03:19 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\Dism 2014-07-09 03:03 - 2013-08-13 20:52 - 00000000 ____D () C:\Windows\system32\MRT 2014-07-09 03:02 - 2011-07-13 16:53 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) 
C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-07-28 00:35 ==================== End Of Log ============================
  17. I'm actually retiring this server. I would really like to investigate further before I tear it down. I don't know how the attack happened, and this is troubling. If it happened to a computer that is rarely used, then it can happen to any PC. I don't ever log in to the actual server. I always log in via RDP. As far as stealing any info, I don't have any personal info on it, nor do I use it as a PC.
  18. Yes. They were both built on the same kernel.
  19. I ran the ESET online scanner while in safe mode and it found the server was infected by Win32:Hupigon. It said it cleaned it and to reboot. I then rebooted in safe mode again and ran the online scanner. All was clean. I then ran Malwarebytes in safe mode and ESET again. All clean. I am still seeing a lot of incoming requests to port 80 being blocked by Malwarebytes. This is understandable, as I see this on my other servers as well, although not on the scale this was happening. The IPs being blocked on the other servers are from spambots and XRumer, a forum posting bot. Looking through the old MBAM logs it looks like the initial infection happened on July 29th. There were incoming requests to rejoice.exe and successful logins to the server when I looked at the security events. Looking at install logs it looks like WinRAR was installed to compress all the files on the server. There was also a spike in download bandwidth used on that day, so it looks like all the data was stolen. Lucky for me I just rotated the backups the day before. I am unsure why this wasn't caught by ESET or MBAM. I also don't know how they got in. In any case I still have my reservations as to whether this server is clean. Before I format to install Windows 2012 I want to know for sure it's clean, and even though I doubt I'll ever know, I'd like to know how they got in. Pete, any help you can give me would be appreciated.
  20. I'm anal about the way I secure my servers. I have specific secpol rules which lock down access. I am the only one that can access any of my servers remotely, and only when I'm on the network. I also run Malwarebytes Pro for Business and NOD32 for enterprise. This is what's baffling me. The 2 live servers are fine. After this happened I did a full audit on the 2 main servers. All clean. The only difference is the one that evidently was hacked is running Windows 2008R2 and the others are running Windows 2012R2. I wonder if there is some zero-day exploit in the wild.
  21. I have a dev server with Windows 2008R2 as the OS. I keep it updated with the latest patches and fixes Microsoft releases. Its only use is for data backup, testing web apps and software updates before I update live sites. The other day I logged into the server to rotate the backups to the NAS as I always do. When I was at the login screen I noticed a new user called admin which I didn't create. After I logged in I noticed WinRAR was installed. I never install any software on any server other than what is needed to run websites, and on this server I also have Visual Studio installed for development. Red flags went up. I uninstalled WinRAR, removed the admin user and isolated the server from the rest of the network. I have been monitoring the server since Friday and noticed a lot of inbound activity on various ports. I also noticed that another user was created with admin rights. The user was ASPNET. This user was also able to log in with RDP. As with all my servers, the security policy for remote access is set up for only secure access and only to my workstation IP, which is an internal 172.16.x.x IP. Access from the WAN is prohibited. After investigating I found that somehow this new admin user had accessed secpol and turned off the firewall and set all access policies to default. At this point I took the server off the network completely. I would say the server is infected with something, and while I was planning an OS upgrade to Windows 2012R2 I would like to know what it is infected with and what the attack vector was. This server is not used for anything except what I stated. I am the only one to access it. How this could have happened is beyond me. In any case I'd like to know what's going on.
  22. Legal, but the big question is whether Sprint will abide by the rules.
  23. Kind of reminds me of the way floppies used to be infected.