Windows 2008r2 Infected

starbuck

Malware Removal Specialist - Administrator
In Memory
Joined
Jul 16, 2014
Messages
1,147
Location
Midlands, England
Hi Bob,

Have spoken to Farbar and he says that FRST is meant to run on all Windows platforms, but he doesn't have any server OS to try it out on.
But he did point me to another helper that has successfully run some of our tools on server 2008.
So I now know a few tools that should run on the server.
It was the 32-bit version that worked for him, so if you want to try that you're welcome.
I'll give you both versions, so if the 32-bit won't run, then try the 64-bit version.

For 32-bit systems download Farbar Recovery Scan Tool and save it to your Desktop.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.

  • Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
  • When the tool opens click Yes to disclaimer.
  • Make sure that Addition.txt is selected at the bottom.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.

Let me have both reports from FRST and we'll see if we can find out any information from them.
 
Will have to pick up any reports tomorrow as it's now late here in England and I need my beauty sleep :)
 
FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-08-2014
Ran by Administrator (administrator) on FORUMADMINS on 03-08-2014 17:16:55
Running from C:\Users\Administrator\Desktop
Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Apache Software Foundation) C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exe
(hMailServer) C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe
(Microsoft Corporation) C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
() D:\mysql-5.5.9\bin\mysqld.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Users\Administrator\Downloads\NetMeter.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\InetMgr.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Halvar Information) C:\Program Files (x86)\hMailServer\Bin\hMailAdmin.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(The PHP Group) C:\inetpub\php-5.5.0-nts\php-cgi.exe
(The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe
(The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [532040 2013-04-04] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-3518012042-1827334665-130950791-500\...\Run: [NetMeter] => C:\Users\Administrator\Downloads\NetMeter.exe [296960 2009-02-10] ()
Lsa: [Notification Packages] scecli rassfm

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Tcpip\..\Interfaces\{1C892D5B-3031-404C-99FD-33D96921F52B}: [NameServer]4.2.2.2,4.2.2.1,8.8.8.8

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 DeltaCopyService; C:\DeltaCopy\DCServce.exe [683008 2011-01-07] (Synametrics Technologies) [File not signed]
R2 DNS; C:\Windows\system32\dns.exe [696832 2011-12-26] (Microsoft Corporation)
R2 elasticsearch-service-x64; C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exe [103936 2013-12-22] (Apache Software Foundation) [File not signed]
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-06-01] (Microsoft Corporation)
R2 hMailServer; C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe [6067712 2014-06-07] (hMailServer) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [80472 2012-09-06] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R2 MySQL; D:\mysql-5.5.9\bin\mysqld.exe [9631232 2011-03-13] () [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S2 WLMS; C:\Windows\system32\wlms\wlms.exe [19456 2010-11-21] (Microsoft Corporation)
S2 WinQvods; C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exe -k [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [58512 2012-07-03] (Realtek Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
S3 VLAN; C:\Windows\System32\DRIVERS\RtVLAN620.sys [32400 2012-09-01] (Realtek Corporation)
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
S1 qsscomnl; \??\C:\Windows\system32\drivers\qsscomnl.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S3 VMSMP; system32\DRIVERS\vmswitch.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-03 17:16 - 2014-08-03 17:17 - 00008573 _____ () C:\Users\Administrator\Desktop\FRST.txt
2014-08-03 17:16 - 2014-08-03 17:17 - 00000000 ____D () C:\FRST
2014-08-03 17:16 - 2014-08-03 17:16 - 02094080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2014-08-03 17:13 - 2014-08-03 17:13 - 00000000 ____D () C:\Users\Administrator\Documents\Stuff
2014-08-02 23:55 - 2014-08-02 23:55 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-08-02 18:03 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-02 18:00 - 2014-08-02 18:00 - 00000000 ____D () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business
2014-08-02 18:00 - 2014-08-02 17:59 - 67187077 _____ () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business.zip
2014-08-02 17:43 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-08-02 17:43 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-08-02 17:43 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-08-02 17:43 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-08-02 17:43 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-08-02 17:43 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-08-02 17:43 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2014-08-02 17:43 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-08-02 17:43 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-08-02 17:43 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-08-02 17:43 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-08-02 17:43 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-08-02 17:43 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-08-02 17:43 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-08-02 06:19 - 2014-08-02 06:23 - 00004918 __RSH () C:\ProgramData\ntuser.pol
2014-08-02 06:00 - 2014-08-03 17:17 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\2
2014-08-01 21:43 - 2014-01-08 21:22 - 05694464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-08-01 21:43 - 2014-01-03 17:44 - 06574592 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-08-01 17:58 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-08-01 17:58 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-08-01 17:58 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-08-01 17:58 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-08-01 17:58 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-08-01 17:58 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-08-01 17:58 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-08-01 17:58 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2014-08-01 17:58 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2014-08-01 17:58 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2014-08-01 17:58 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-08-01 17:58 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-08-01 17:58 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2014-08-01 17:58 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-08-01 17:58 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll
2014-08-01 17:58 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-08-01 17:58 - 2013-09-24 21:23 - 01030144 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-08-01 17:58 - 2013-09-24 20:57 - 00792576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2014-07-27 02:04 - 2014-07-27 02:04 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Apps\2.0
2014-07-26 10:19 - 2014-07-26 10:19 - 00000019 _____ () C:\Users\Administrator\Documents\dns2.txt
2014-07-26 10:18 - 2014-07-26 10:18 - 00001255 _____ () C:\Users\Administrator\Documents\dns.txt
2014-07-13 13:22 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Umar_Temp.bmp
2014-07-13 13:21 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PhotoFoxRZ.bmp
2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BobS.bmp
2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BeeCeeBee10112011.bmp
2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\admini.bmp
2014-07-08 22:28 - 2014-06-17 21:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-07-08 22:28 - 2014-06-17 20:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2014-07-08 22:28 - 2014-06-17 20:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-07-08 22:28 - 2014-06-05 09:45 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-07-08 22:28 - 2014-06-05 09:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-07-08 22:28 - 2014-06-05 09:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-07-08 22:28 - 2014-05-30 03:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-07-08 22:28 - 2014-05-30 02:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-07-08 22:28 - 2014-05-30 01:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-07-08 22:27 - 2014-06-20 15:14 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-07-08 22:27 - 2014-06-20 14:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-07-08 22:27 - 2014-06-18 20:39 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-07-08 22:27 - 2014-06-18 20:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-07-08 22:27 - 2014-06-18 20:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-07-08 22:27 - 2014-06-18 19:48 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-07-08 22:27 - 2014-06-18 19:42 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-07-08 22:27 - 2014-06-18 19:42 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-07-08 22:27 - 2014-06-18 19:41 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-07-08 22:27 - 2014-06-18 19:41 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-07-08 22:27 - 2014-06-18 19:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-07-08 22:27 - 2014-06-18 19:31 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-07-08 22:27 - 2014-06-18 19:26 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-07-08 22:27 - 2014-06-18 19:24 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-07-08 22:27 - 2014-06-18 19:24 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-07-08 22:27 - 2014-06-18 19:23 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-07-08 22:27 - 2014-06-18 19:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-07-08 22:27 - 2014-06-18 19:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-07-08 22:27 - 2014-06-18 19:09 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-07-08 22:27 - 2014-06-18 18:59 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-07-08 22:27 - 2014-06-18 18:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-07-08 22:27 - 2014-06-18 18:53 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-07-08 22:27 - 2014-06-18 18:51 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-07-08 22:27 - 2014-06-18 18:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-07-08 22:27 - 2014-06-18 18:48 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-07-08 22:27 - 2014-06-18 18:39 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-07-08 22:27 - 2014-06-18 18:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-07-08 22:27 - 2014-06-18 18:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-07-08 22:27 - 2014-06-18 18:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-07-08 22:27 - 2014-06-18 18:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-07-08 22:27 - 2014-06-18 18:33 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-07-08 22:27 - 2014-06-18 18:32 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-07-08 22:27 - 2014-06-18 18:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-07-08 22:27 - 2014-06-18 18:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-07-08 22:27 - 2014-06-18 18:27 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-07-08 22:27 - 2014-06-18 18:27 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-07-08 22:27 - 2014-06-18 18:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-07-08 22:27 - 2014-06-18 18:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-07-08 22:27 - 2014-06-18 18:22 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-07-08 22:27 - 2014-06-18 18:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-07-08 22:27 - 2014-06-18 18:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-07-08 22:27 - 2014-06-18 18:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-07-08 22:27 - 2014-06-18 17:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-07-08 22:27 - 2014-06-18 17:58 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-07-08 22:27 - 2014-06-18 17:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-07-08 22:27 - 2014-06-18 17:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-07-08 22:27 - 2014-06-18 17:51 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-07-08 22:27 - 2014-06-18 17:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-07-08 22:27 - 2014-06-18 17:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-07-08 22:27 - 2014-06-18 17:45 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-07-08 22:27 - 2014-06-18 17:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-07-08 22:27 - 2014-06-18 17:34 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-07-08 22:27 - 2014-06-18 17:15 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-07-08 22:27 - 2014-06-18 17:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-07-08 22:27 - 2014-06-18 17:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-07-08 22:27 - 2014-06-18 17:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-03 17:17 - 2014-08-03 17:16 - 00008573 _____ () C:\Users\Administrator\Desktop\FRST.txt
2014-08-03 17:17 - 2014-08-03 17:16 - 00000000 ____D () C:\FRST
2014-08-03 17:17 - 2014-08-02 06:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\2
2014-08-03 17:16 - 2014-08-03 17:16 - 02094080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2014-08-03 17:13 - 2014-08-03 17:13 - 00000000 ____D () C:\Users\Administrator\Documents\Stuff
2014-08-03 17:12 - 2011-03-12 17:11 - 00000000 ____D () C:\Windows\system32\dns
2014-08-03 17:10 - 2011-03-12 18:29 - 01194560 _____ () C:\Windows\WindowsUpdate.log
2014-08-03 16:35 - 2009-07-13 23:49 - 00024176 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-03 16:35 - 2009-07-13 23:49 - 00024176 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-02 23:55 - 2014-08-02 23:55 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-08-02 18:00 - 2014-08-02 18:00 - 00000000 ____D () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business
2014-08-02 17:59 - 2014-08-02 18:00 - 67187077 _____ () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business.zip
2014-08-02 17:32 - 2011-06-11 06:19 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PHP_User.bmp
2014-08-02 17:32 - 2011-06-11 06:19 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp
2014-08-02 14:32 - 2011-03-12 17:11 - 00000000 ____D () C:\inetpub
2014-08-02 06:23 - 2014-08-02 06:19 - 00004918 __RSH () C:\ProgramData\ntuser.pol
2014-08-02 05:58 - 2009-07-14 00:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-02 05:58 - 2009-07-13 23:56 - 00032453 _____ () C:\Windows\setupact.log
2014-08-01 22:22 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-08-01 21:45 - 2010-11-20 22:47 - 00196556 _____ () C:\Windows\PFRO.log
2014-07-27 02:04 - 2014-07-27 02:04 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Apps\2.0
2014-07-26 16:45 - 2011-10-23 10:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer
2014-07-26 16:45 - 2011-10-23 10:09 - 00000000 ____D () C:\Program Files (x86)\hMailServer
2014-07-26 10:19 - 2014-07-26 10:19 - 00000019 _____ () C:\Users\Administrator\Documents\dns2.txt
2014-07-26 10:18 - 2014-07-26 10:18 - 00001255 _____ () C:\Users\Administrator\Documents\dns.txt
2014-07-26 10:14 - 2011-03-12 21:52 - 00000000 ____D () C:\Users\Administrator\Documents\Tools
2014-07-26 00:12 - 2013-04-14 12:41 - 00016585 _____ () C:\Users\Administrator\AppData\Local\Temp\chrome_installer.log
2014-07-26 00:12 - 2013-04-14 12:41 - 00000000 ____D () C:\Program Files (x86)\Google
2014-07-25 23:43 - 2009-07-14 00:10 - 00810646 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-07-25 23:35 - 2012-07-04 12:30 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-25 23:35 - 2012-07-04 12:30 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-07-24 03:01 - 2012-07-04 12:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-07-13 13:22 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Umar_Temp.bmp
2014-07-13 13:22 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PhotoFoxRZ.bmp
2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BobS.bmp
2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BeeCeeBee10112011.bmp
2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\admini.bmp
2014-07-12 23:00 - 2011-03-12 18:33 - 00000000 ____D () C:\Users\Administrator
2014-07-09 03:20 - 2009-07-13 23:49 - 00267240 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-07-09 03:19 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2014-07-09 03:19 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\Dism
2014-07-09 03:03 - 2013-08-13 20:52 - 00000000 ____D () C:\Windows\system32\MRT
2014-07-09 03:02 - 2011-07-13 16:53 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-07-28 00:35

==================== End Of Log ============================
 
Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-08-2014
Ran by Administrator at 2014-08-03 17:17:42
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Helicon Ape (HKLM-x32\...\{2BBFCEFA-33AF-4A8B-8041-2216B87DEAE1}) (Version: 3.0.0062 - Helicon Tech)
Helicon Zoo native module for IIS7 (HKLM\...\{77947360-D1ED-4AEB-B1FD-501205B4CE5F}) (Version: 2.0.77.328 - Helicon Tech)
hMailServer 5.4.2-B1964 (HKLM-x32\...\hMailServer_is1) (Version: - )
IIS URL Rewrite Module 2 (HKLM\...\{EB675D0A-2C95-405B-BEE8-B42A65D23E11}) (Version: 7.2.2 - Microsoft Corporation)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1912 - Intel Corporation)
Java 7 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417045FF}) (Version: 7.0.450 - Oracle)
Java SE Development Kit 7 Update 45 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170450}) (Version: 1.7.0.450 - Oracle)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 ENU (HKLM-x32\...\{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}) (Version: 3.5.5386.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Web Deploy 2.0 (HKLM\...\{5134B35A-B559-4762-94A4-FD4918977953}) (Version: 2.0.1070 - Microsoft Corporation)
Microsoft Web Deploy 3.0 (HKLM\...\{AA72C306-30BE-4BB1-9E42-59552BAD2CDF}) (Version: 3.1236.1631 - Microsoft Corporation)
Microsoft Web Platform Installer 4.5 (HKLM\...\{458707CD-9D7A-477F-B925-02242A29673B}) (Version: 4.0.1863 - Microsoft Corporation)
MySQL Connector Net 6.3.7 (HKLM-x32\...\{5FD88490-011C-4DF1-B886-F298D955171B}) (Version: 6.3.7 - Oracle)
PHP Manager 1.2 for IIS 7 (HKLM\...\{E851486F-1FE2-44F0-85ED-F969088A68EE}) (Version: 1.2.0 - )
Python 2.7.3 (HKLM-x32\...\{C0C31BCC-56FB-42a7-8766-D29E1BD74C7C}) (Version: 2.7.3150 - Python Software Foundation)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.23.623.2010 - Realtek)
Realtek Ethernet Diagnostic Utility (HKLM-x32\...\{DADC7AB0-E554-4705-9F6A-83EA82ED708E}) (Version: 2.0.2.3 - Realtek)
System Requirements Lab (HKLM-x32\...\SystemRequirementsLab) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {A22EF847-A656-4D36-AE6E-CC92341CF5A8} - System32\Tasks\MySQL Backup => D:\MySQLBackups\mysqlbackup.bat [2013-01-16] ()
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2011-03-13 10:37 - 2011-03-13 10:34 - 09631232 _____ () D:\mysql-5.5.9\bin\mysqld.exe
2011-03-12 17:24 - 2009-02-10 17:09 - 00296960 _____ () C:\Users\Administrator\Downloads\NetMeter.exe
2013-11-23 19:53 - 2012-06-26 16:17 - 00626176 _____ () C:\inetpub\php-5.4.22-nts\ext\ioncube_loader_win_5.4.dll
2013-11-23 19:50 - 2013-11-23 19:50 - 00097792 _____ () C:\inetpub\php-5.4.22-nts\LIBPQ.dll
2014-02-13 17:21 - 2014-02-08 14:16 - 01304576 _____ () C:\ImageMagick\CORE_RL_magick_.dll
2014-02-13 17:21 - 2014-02-08 14:16 - 00224256 _____ () C:\ImageMagick\CORE_RL_lcms_.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/03/2014 01:36:51 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (08/02/2014 06:00:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/02/2014 05:59:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WinQvodPlayer.exe, version: 0.0.0.0, time stamp: 0x2a425e19
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86
Exception code: 0x0eedfade
Fault offset: 0x0000c42d
Faulting process id: 0x3b8
Faulting application start time: 0xWinQvodPlayer.exe0
Faulting application path: WinQvodPlayer.exe1
Faulting module path: WinQvodPlayer.exe2
Report Id: WinQvodPlayer.exe3

Error: (08/02/2014 05:59:02 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
.


Operation:
Initializing Writer

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {b4075191-6a22-44e2-9802-8eefe0ea871d}

Error: (08/02/2014 05:58:03 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: elasticsearch-service-x64.exe, version: 1.0.15.0, time stamp: 0x51543b9d
Faulting module name: jvm.dll, version: 24.45.0.8, time stamp: 0x5254099f
Exception code: 0xc0000005
Fault offset: 0x00000000001ccf58
Faulting process id: 0x580
Faulting application start time: 0xelasticsearch-service-x64.exe0
Faulting application path: elasticsearch-service-x64.exe1
Faulting module path: elasticsearch-service-x64.exe2
Report Id: elasticsearch-service-x64.exe3

Error: (08/01/2014 09:47:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/01/2014 09:46:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WinQvodPlayer.exe, version: 0.0.0.0, time stamp: 0x2a425e19
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86
Exception code: 0x0eedfade
Fault offset: 0x0000c42d
Faulting process id: 0x488
Faulting application start time: 0xWinQvodPlayer.exe0
Faulting application path: WinQvodPlayer.exe1
Faulting module path: WinQvodPlayer.exe2
Report Id: WinQvodPlayer.exe3

Error: (08/01/2014 09:46:06 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
.


Operation:
Initializing Writer

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {36a85e37-144b-463c-ac23-261c5c15af42}

Error: (08/01/2014 09:45:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: elasticsearch-service-x64.exe, version: 1.0.15.0, time stamp: 0x51543b9d
Faulting module name: jvm.dll, version: 24.45.0.8, time stamp: 0x5254099f
Exception code: 0xc0000005
Fault offset: 0x00000000001ccf58
Faulting process id: 0x574
Faulting application start time: 0xelasticsearch-service-x64.exe0
Faulting application path: elasticsearch-service-x64.exe1
Faulting module path: elasticsearch-service-x64.exe2
Report Id: elasticsearch-service-x64.exe3


System errors:
=============
Error: (08/03/2014 05:17:05 PM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 03:47:41 PM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 02:27:18 PM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 01:09:17 PM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 11:38:24 AM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 09:48:30 AM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 08:37:13 AM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 07:22:42 AM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 06:22:26 AM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2014 05:21:24 AM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.


Microsoft Office Sessions:
=========================
Error: (08/03/2014 01:36:51 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestc:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe

Error: (08/02/2014 06:00:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/02/2014 05:59:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: WinQvodPlayer.exe0.0.0.02a425e19KERNELBASE.dll6.1.7601.1840953159a860eedfade0000c42d3b801cfae40d382801eC:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exeC:\Windows\syswow64\KERNELBASE.dll1d4a7d00-1a34-11e4-8bcd-6c626d8a1b2a

Error: (08/02/2014 05:59:02 AM) (Source: VSS) (EventID: 8193) (User: )
Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.


Operation:
Initializing Writer

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {b4075191-6a22-44e2-9802-8eefe0ea871d}

Error: (08/02/2014 05:58:03 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: elasticsearch-service-x64.exe1.0.15.051543b9djvm.dll24.45.0.85254099fc000000500000000001ccf5858001cfadfbe8a58c56C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exeC:\Program Files\Java\jdk1.7.0_45\jre\bin\server\jvm.dlldf9741e6-1a33-11e4-9ec3-6c626d8a1b2a

Error: (08/01/2014 09:47:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/01/2014 09:46:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: WinQvodPlayer.exe0.0.0.02a425e19KERNELBASE.dll6.1.7601.1840953159a860eedfade0000c42d48801cfadfbf5631d46C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exeC:\Windows\syswow64\KERNELBASE.dll3fa976ca-19ef-11e4-9ec3-6c626d8a1b2a

Error: (08/01/2014 09:46:06 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.


Operation:
Initializing Writer

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {36a85e37-144b-463c-ac23-261c5c15af42}

Error: (08/01/2014 09:45:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: elasticsearch-service-x64.exe1.0.15.051543b9djvm.dll24.45.0.85254099fc000000500000000001ccf5857401cfaddc9b6f7bbeC:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exeC:\Program Files\Java\jdk1.7.0_45\jre\bin\server\jvm.dll03875f56-19ef-11e4-b2f7-6c626d8a1b2a


==================== Memory info ===========================

Percentage of memory in use: 54%
Total physical RAM: 8182.24 MB
Available physical RAM: 3707.11 MB
Total Pagefile: 16362.66 MB
Available Pagefile: 11764.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:472.43 GB) (Free:411.6 GB) NTFS
Drive d: (Programs) (Fixed) (Total:458.98 GB) (Free:350.23 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 78C6DD2D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=472 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=459 GB) - (Type=07 NTFS)

==================== End Of Log ============================
 
Hi Bob,

There's really much to go on in the reports.

I also run Malwarebytes Pro for business and NOD32 for enterprise.
This server is showing that MSSE is installed?

There were incoming requests to rejoice.exe
This in itself isn't good:
http://www.bleepingcomputer.com/startups/rejoice.exe-13732.html

As you will see it's normally started via the Shell= line in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
But there's no sign of any abnormal shell entry in the reports..... by all means check the registry though (as I know you are capable).
Although there's no sign of the file, I'll still add the file path to the fix (along with the file missing entries).... just in case.
Then we'll get a report from RK which should hopefully give us an idea of any rootkit still residing.

Step 1
Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.


Step 2
Download RogueKiller and save it to your desktop.
  • Close all running processes (security programs etc.)
  • Double click RogueKiller icon to run the program
    Vista/Win7/Win8 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Now click the Scan button.
  • Please copy and paste the report in your next reply.
A copy of the RKreport.txt can be found on your desktop.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right click on the downloaded icon and select 'Rename'.....rename it to winlogon and try again.


In your next reply, please submit:
fixlog.txt
RKreport.txt


Thanks.
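The post above points at the Winlogon Shell value as the usual launch point for this file. As an added example (not the helper's script and not part of FRST or the attached fixlist), the PowerShell below reads that value from the machine-wide key named in the post and from the per-user key, compares it with the default explorer.exe, checks the Authenticode signature of anything unexpected in the same spirit as FRST's "File is digitally signed" lines, and reports whether C:\Windows\system32\rejoice.exe exists. It uses only cmdlets available in PowerShell 2.0 on Server 2008 R2; the choice of keys and the default value are assumptions stated in the comments.

```powershell
# Added example, not the helper's or Farbar's code. Checks the Winlogon Shell
# values that a persistence entry of the kind described in the post would use,
# and reports whether the file named in the thread is present.
$Default = 'explorer.exe'   # documented default shell on Windows

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # machine-wide key from the post
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override (assumed worth checking)
)

function Resolve-ShellToken {
    # Turn one token of the Shell command line into a file path, if it names a file.
    param([string]$Token)
    $t = $Token.Trim().Trim('"')
    if ($t -eq '') { return $null }
    if (Test-Path -LiteralPath $t -PathType Leaf) { return (Resolve-Path -LiteralPath $t).Path }
    foreach ($dir in @($env:windir, (Join-Path $env:windir 'System32'))) {
        $candidate = Join-Path $dir $t
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

foreach ($key in $WinlogonKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null) { "{0}: key not present" -f $key; continue }

    $shell = $props.Shell
    if ($shell -eq $null) {
        "{0}: no Shell value (default {1} applies)" -f $key, $Default
    } elseif ($shell.Trim() -ieq $Default) {
        "{0}: Shell = {1} (expected)" -f $key, $shell
    } else {
        "{0}: Shell = {1}  <-- differs from default, investigate" -f $key, $shell
        # Shell is a comma-separated command list; check the signature of each file it names.
        foreach ($token in ($shell -split ',')) {
            $path = Resolve-ShellToken $token
            if ($path -eq $null) { "    {0}: file not found" -f $token.Trim(); continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            "    {0}: signature {1} ({2})" -f $path, $sig.Status, $sig.SignerCertificate.Subject
        }
    }
}

# The file path named in the thread.
$Suspect = Join-Path $env:windir 'system32\rejoice.exe'
if (Test-Path -LiteralPath $Suspect -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -FilePath $Suspect
    "{0}: PRESENT, signature {1}" -f $Suspect, $sig.Status
} else {
    "{0}: not present" -f $Suspect
}
```

Run it from an elevated PowerShell prompt so the HKLM key is readable; a Shell value that differs from explorer.exe, or one that names an unsigned file, is the finding to follow up on, not something to delete blindly, since legitimate kiosk and management setups also replace the shell.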
 

I installed msse a couple hours before I did the scan. I wanted to see if it picked up anything the other 2 missed.

Scan results to follow.
 
Fix results:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-08-2014
Ran by Administrator at 2014-08-04 16:56:18 Run:1
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
S2 WinQvods; C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exe -k [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
S1 qsscomnl; \??\C:\Windows\system32\drivers\qsscomnl.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S3 VMSMP; system32\DRIVERS\vmswitch.sys [X]
C:\Windows\system32\rejoice.exe
Hosts:


*****************

WinQvods => Service deleted successfully.
IntcAzAudAddService => Service deleted successfully.
MSICDSetup => Service deleted successfully.
nvlddmkm => Service deleted successfully.
qsscomnl => Service deleted successfully.
vmci => Service deleted successfully.
VMnetAdapter => Service deleted successfully.
VMSMP => Service deleted successfully.
"C:\Windows\system32\rejoice.exe" => File/Directory not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.

==== End of Fixlog ====
 
Rogue Killer log:

RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 08/04/2014 17:08:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1001FALS-00J7B0 ATA Device +++++
--- User ---
[MBR] e36b29ed5deb4d86d6431d847a232055
[BSP] 6bf05f4762bd9870a00d4f8a448a77b7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 483768 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 990963712 | Size: 469999 MB
User = LL1 ... OK
User = LL2 ... OK
 
Hi Bob,

I installed msse a couple hours before I did the scan.
Ok, that explains it then.

RK didn't find anything malicious.

What does surprise me is that you were running Eset Enterprise and it didn't detect anything.... but an Eset online scan did!
Did Eset save a copy of the scan report?
It would be interesting to see where it found the malware.
It normally saves a copy of the scan at: C:\Program Files\ESET\ESET Online Scanner\log.txt
 
What's more baffling is how the server was infected. I am the only one with access to it. RDP is locked down to only allow access from local IPs and only my IPs from my main desktop and laptop. No external connections allowed.

I don't use it to surf the web or open email. The only time I log in to it is to rotate backups or test code. The only site running on it is a test site that is local only. It's the old server that we used for CHF.

I do know when the infection happened. It was on July 29TH at 4:56AM CST. The person who got in covered his tracks real good. The only clue was the date WinRar was installed. All event logs were cleared.

I looked at my router logs and I saw a SYN flood on the border router, but the DDoS protection on the load balancer mitigated that.

The only thing I can think of is I might have opened up a hole with some of my code. I am working on some add ins to enhance remote management. It's either that or a zero day exploit in Windows 2008r2.
 
You're right about ESET not detecting it while online scan did.

Anyway thanks for the help. I'll let it run for a few more days before I retire it
 
I found the attack vector. On the server I had a site that I closed a couple of years ago. It was a blog with articles and tips for Windows Server users. I used WordPress as the software. The version of WordPress was in the early 3.0 branch. Since that was a test server I only had port 8080 and 443 for https open, but I had IIS shut off so any attempts to access any site would have gone to a null route. When I took the server out of the rack when I turned on the new server for CHF I put it to the side to be used as a backup server. Once I transferred the files from the backup to it I put it back online only connected to the local network. Or so I thought. I had forgotten to remove 1 of the static public IPs. Also when I rebooted it IIS turned back on and I didn't think to turn it off. Long story short a hacker tool was used that probes for vulnerable WordPress sites, found mine and used the exploit to upload a shell. Once that happened it was a free for all.

I have now removed the public IP and uninstalled IIS. Lesson learned: never leave old vulnerable software open to the public.
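The root cause in the post above is two things that were assumed rather than checked: a public IP that was still bound, and a web server service that came back after a reboot. As an added example (not Bob's code and not from any tool in this thread), the PowerShell below produces that inventory on a Server 2008 R2 host with PowerShell 2.0 cmdlets only: every IPv4 address bound to the machine with a private/public classification, the state and start mode of the IIS World Wide Web Publishing Service (W3SVC), and which process owns each listener on the ports the post mentions. The port list and the RFC 1918 ranges used for the classification are assumptions made for this example.

```powershell
# Added example, not Bob's or the forum's code. Inventories what a host is
# exposing so that a forgotten public IP or a web service that restarted on
# boot shows up instead of being assumed away. Ports 8080 and 443 come from
# the thread; 80 is added as the usual IIS default. Adjust for your own host.
$WatchPorts = 80, 443, 8080

function Test-PrivateIPv4 {
    # RFC 1918 ranges plus loopback; anything else is treated as public.
    param([string]$Address)
    $o = @($Address.Split('.') | ForEach-Object { [int]$_ })
    if ($o.Count -ne 4) { return $false }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 127)
}

'--- IPv4 addresses bound to this host ---'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $nic = $_
    $nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | ForEach-Object {
        $scope = if (Test-PrivateIPv4 $_) { 'private' } else { 'PUBLIC' }
        "{0,-15} {1,-8} {2}" -f $_, $scope, $nic.Description
    }
}

'--- IIS World Wide Web Publishing Service ---'
# Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service lacks in PowerShell 2.0.
$w3svc = Get-WmiObject Win32_Service -Filter "Name = 'W3SVC'"
if ($w3svc) {
    "W3SVC state: {0}, start mode: {1}" -f $w3svc.State, $w3svc.StartMode
} else {
    'W3SVC not installed'
}

'--- Listeners on watched ports ---'
# netstat -ano rows look like:  TCP  0.0.0.0:8080  0.0.0.0:0  LISTENING  1234
netstat -ano | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    $local = $f[1]                                   # e.g. 0.0.0.0:8080 or [::]:443
    $port = [int]($local -replace '^.*:(\d+)$', '$1')
    if ($WatchPorts -contains $port) {
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.Name } else { '?' }
        "{0,-24} pid {1,-6} {2}" -f $local, $f[4], $name
    }
}
```

A listener bound to 0.0.0.0 or [::] is reachable on every address in the first list, including any marked PUBLIC, and a W3SVC start mode of Auto is exactly what brings IIS back after a reboot; setting it to Disabled (or removing the role, as Bob did) is the durable fix, and a scheduled run of a check like this is how you notice when the inventory drifts.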
 
Thanks for the update Bob.

It does make sense now.
That is why nothing showed on the FRST reports.
 
