
Posted

Hi Bob,

Have spoken to Farbar and he says that FRST is meant to run on all Windows platforms, but he doesn't have any server OS to try it out on.

But he did point me to another helper that has successfully run some of our tools on Server 2008.

So I now know a few tools that should run on the server.

It was the 32-bit version that worked for him, so if you want to try that you're welcome.

I'll give you both versions, so if the 32-bit won't run... then try the 64-bit version.

 

For x32 bit systems download Farbar Recovery Scan Tool and save it to your Desktop.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.

  • Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • When the tool opens, click Yes to the disclaimer.
  • Make sure that Addition.txt is selected at the bottom.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it into your reply also.

 

Let me have both reports from FRST and we'll see if we can find out any information from them.

  • FPCH Admin
Posted

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-08-2014

Ran by Administrator (administrator) on FORUMADMINS on 03-08-2014 17:16:55

Running from C:\Users\Administrator\Desktop

Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal

 

The only official download link for FRST:

Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.

See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe

(Microsoft Corporation) C:\Windows\System32\dns.exe

(Apache Software Foundation) C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exe

(hMailServer) C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe

(Microsoft Corporation) C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe

() D:\mysql-5.5.9\bin\mysqld.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

() C:\Users\Administrator\Downloads\NetMeter.exe

(Microsoft Corporation) C:\Windows\System32\inetsrv\InetMgr.exe

(Microsoft Corporation) C:\Windows\System32\LogonUI.exe

(Microsoft Corporation) C:\Windows\System32\rdpclip.exe

(Halvar Information) C:\Program Files (x86)\hMailServer\Bin\hMailAdmin.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

(Microsoft Corporation) C:\Windows\System32\vds.exe

(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe

(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe

(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe

(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe

(The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe

(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe

(The PHP Group) C:\inetpub\php-5.5.0-nts\php-cgi.exe

(The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe

(The PHP Group) C:\inetpub\php-5.4.22-nts\php-cgi.exe

(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [532040 2013-04-04] (Malwarebytes Corporation)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKLM\...\Policies\Explorer: [showSuperHidden] 1

HKU\S-1-5-21-3518012042-1827334665-130950791-500\...\Run: [NetMeter] => C:\Users\Administrator\Downloads\NetMeter.exe [296960 2009-02-10] ()

Lsa: [Notification Packages] scecli rassfm

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig

BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab

Tcpip\..\Interfaces\{1C892D5B-3031-404C-99FD-33D96921F52B}: [NameServer]4.2.2.2,4.2.2.1,8.8.8.8

 

FireFox:

========

FF Plugin: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

 

==================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

S2 DeltaCopyService; C:\DeltaCopy\DCServce.exe [683008 2011-01-07] (Synametrics Technologies) [File not signed]

R2 DNS; C:\Windows\system32\dns.exe [696832 2011-12-26] (Microsoft Corporation)

R2 elasticsearch-service-x64; C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exe [103936 2013-12-22] (Apache Software Foundation) [File not signed]

S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)

R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-06-01] (Microsoft Corporation)

R2 hMailServer; C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe [6067712 2014-06-07] (hMailServer) [File not signed]

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)

R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)

R2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [80472 2012-09-06] (Microsoft Corporation)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)

R2 MySQL; D:\mysql-5.5.9\bin\mysqld.exe [9631232 2011-03-13] () [File not signed]

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)

S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)

S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)

S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)

R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)

S2 WLMS; C:\Windows\system32\wlms\wlms.exe [19456 2010-11-21] (Microsoft Corporation)

S2 WinQvods; C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exe -k [X]

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)

S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)

S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [58512 2012-07-03] (Realtek Corporation)

S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)

S3 VLAN; C:\Windows\System32\DRIVERS\RtVLAN620.sys [32400 2012-09-01] (Realtek Corporation)

S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]

S3 MSICDSetup; \??\E:\CDriver64.sys [X]

S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]

S1 qsscomnl; \??\C:\Windows\system32\drivers\qsscomnl.sys [X]

S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]

S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

S3 VMSMP; system32\DRIVERS\vmswitch.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-08-03 17:16 - 2014-08-03 17:17 - 00008573 _____ () C:\Users\Administrator\Desktop\FRST.txt

2014-08-03 17:16 - 2014-08-03 17:17 - 00000000 ____D () C:\FRST

2014-08-03 17:16 - 2014-08-03 17:16 - 02094080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe

2014-08-03 17:13 - 2014-08-03 17:13 - 00000000 ____D () C:\Users\Administrator\Documents\Stuff

2014-08-02 23:55 - 2014-08-02 23:55 - 00000000 ____D () C:\Program Files (x86)\ESET

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-08-02 18:03 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-08-02 18:00 - 2014-08-02 18:00 - 00000000 ____D () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business

2014-08-02 18:00 - 2014-08-02 17:59 - 67187077 _____ () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business.zip

2014-08-02 17:43 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll

2014-08-02 17:43 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll

2014-08-02 17:43 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll

2014-08-02 17:43 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe

2014-08-02 17:43 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll

2014-08-02 17:43 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll

2014-08-02 17:43 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll

2014-08-02 17:43 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll

2014-08-02 17:43 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll

2014-08-02 17:43 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll

2014-08-02 17:43 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll

2014-08-02 17:43 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll

2014-08-02 17:43 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe

2014-08-02 17:43 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

2014-08-02 06:19 - 2014-08-02 06:23 - 00004918 __RSH () C:\ProgramData\ntuser.pol

2014-08-02 06:00 - 2014-08-03 17:17 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\2

2014-08-01 21:43 - 2014-01-08 21:22 - 05694464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll

2014-08-01 21:43 - 2014-01-03 17:44 - 06574592 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll

2014-08-01 17:58 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys

2014-08-01 17:58 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe

2014-08-01 17:58 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll

2014-08-01 17:58 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll

2014-08-01 17:58 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll

2014-08-01 17:58 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll

2014-08-01 17:58 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll

2014-08-01 17:58 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll

2014-08-01 17:58 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll

2014-08-01 17:58 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll

2014-08-01 17:58 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe

2014-08-01 17:58 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe

2014-08-01 17:58 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll

2014-08-01 17:58 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe

2014-08-01 17:58 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll

2014-08-01 17:58 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe

2014-08-01 17:58 - 2013-09-24 21:23 - 01030144 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll

2014-08-01 17:58 - 2013-09-24 20:57 - 00792576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll

2014-07-27 02:04 - 2014-07-27 02:04 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Apps\2.0

2014-07-26 10:19 - 2014-07-26 10:19 - 00000019 _____ () C:\Users\Administrator\Documents\dns2.txt

2014-07-26 10:18 - 2014-07-26 10:18 - 00001255 _____ () C:\Users\Administrator\Documents\dns.txt

2014-07-13 13:22 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Umar_Temp.bmp

2014-07-13 13:21 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PhotoFoxRZ.bmp

2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BobS.bmp

2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BeeCeeBee10112011.bmp

2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\admini.bmp

2014-07-08 22:28 - 2014-06-17 21:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe

2014-07-08 22:28 - 2014-06-17 20:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe

2014-07-08 22:28 - 2014-06-17 20:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2014-07-08 22:28 - 2014-06-05 09:45 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2014-07-08 22:28 - 2014-06-05 09:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2014-07-08 22:28 - 2014-06-05 09:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll

2014-07-08 22:28 - 2014-05-30 03:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll

2014-07-08 22:28 - 2014-05-30 02:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll

2014-07-08 22:28 - 2014-05-30 01:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys

2014-07-08 22:27 - 2014-06-20 15:14 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll

2014-07-08 22:27 - 2014-06-20 14:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2014-07-08 22:27 - 2014-06-18 20:39 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-07-08 22:27 - 2014-06-18 20:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-07-08 22:27 - 2014-06-18 20:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2014-07-08 22:27 - 2014-06-18 19:48 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2014-07-08 22:27 - 2014-06-18 19:42 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2014-07-08 22:27 - 2014-06-18 19:42 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2014-07-08 22:27 - 2014-06-18 19:41 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll

2014-07-08 22:27 - 2014-06-18 19:41 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2014-07-08 22:27 - 2014-06-18 19:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2014-07-08 22:27 - 2014-06-18 19:31 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2014-07-08 22:27 - 2014-06-18 19:26 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2014-07-08 22:27 - 2014-06-18 19:24 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2014-07-08 22:27 - 2014-06-18 19:24 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2014-07-08 22:27 - 2014-06-18 19:23 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2014-07-08 22:27 - 2014-06-18 19:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2014-07-08 22:27 - 2014-06-18 19:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2014-07-08 22:27 - 2014-06-18 19:09 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2014-07-08 22:27 - 2014-06-18 18:59 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2014-07-08 22:27 - 2014-06-18 18:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2014-07-08 22:27 - 2014-06-18 18:53 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2014-07-08 22:27 - 2014-06-18 18:51 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2014-07-08 22:27 - 2014-06-18 18:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2014-07-08 22:27 - 2014-06-18 18:48 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2014-07-08 22:27 - 2014-06-18 18:39 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2014-07-08 22:27 - 2014-06-18 18:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2014-07-08 22:27 - 2014-06-18 18:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2014-07-08 22:27 - 2014-06-18 18:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll

2014-07-08 22:27 - 2014-06-18 18:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll

2014-07-08 22:27 - 2014-06-18 18:33 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2014-07-08 22:27 - 2014-06-18 18:32 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2014-07-08 22:27 - 2014-06-18 18:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2014-07-08 22:27 - 2014-06-18 18:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2014-07-08 22:27 - 2014-06-18 18:27 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2014-07-08 22:27 - 2014-06-18 18:27 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2014-07-08 22:27 - 2014-06-18 18:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2014-07-08 22:27 - 2014-06-18 18:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2014-07-08 22:27 - 2014-06-18 18:22 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll

2014-07-08 22:27 - 2014-06-18 18:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2014-07-08 22:27 - 2014-06-18 18:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll

2014-07-08 22:27 - 2014-06-18 18:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2014-07-08 22:27 - 2014-06-18 17:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2014-07-08 22:27 - 2014-06-18 17:58 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2014-07-08 22:27 - 2014-06-18 17:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2014-07-08 22:27 - 2014-06-18 17:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2014-07-08 22:27 - 2014-06-18 17:51 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2014-07-08 22:27 - 2014-06-18 17:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2014-07-08 22:27 - 2014-06-18 17:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2014-07-08 22:27 - 2014-06-18 17:45 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2014-07-08 22:27 - 2014-06-18 17:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2014-07-08 22:27 - 2014-06-18 17:34 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2014-07-08 22:27 - 2014-06-18 17:15 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2014-07-08 22:27 - 2014-06-18 17:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2014-07-08 22:27 - 2014-06-18 17:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2014-07-08 22:27 - 2014-06-18 17:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-08-03 17:17 - 2014-08-03 17:16 - 00008573 _____ () C:\Users\Administrator\Desktop\FRST.txt

2014-08-03 17:17 - 2014-08-03 17:16 - 00000000 ____D () C:\FRST

2014-08-03 17:17 - 2014-08-02 06:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\2

2014-08-03 17:16 - 2014-08-03 17:16 - 02094080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe

2014-08-03 17:13 - 2014-08-03 17:13 - 00000000 ____D () C:\Users\Administrator\Documents\Stuff

2014-08-03 17:12 - 2011-03-12 17:11 - 00000000 ____D () C:\Windows\system32\dns

2014-08-03 17:10 - 2011-03-12 18:29 - 01194560 _____ () C:\Windows\WindowsUpdate.log

2014-08-03 16:35 - 2009-07-13 23:49 - 00024176 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-08-03 16:35 - 2009-07-13 23:49 - 00024176 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-08-02 23:55 - 2014-08-02 23:55 - 00000000 ____D () C:\Program Files (x86)\ESET

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-08-02 18:03 - 2014-08-02 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-08-02 18:00 - 2014-08-02 18:00 - 00000000 ____D () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business

2014-08-02 17:59 - 2014-08-02 18:00 - 67187077 _____ () C:\Users\Administrator\Documents\Malwarebytes_Anti-Malware-for-Business.zip

2014-08-02 17:32 - 2011-06-11 06:19 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PHP_User.bmp

2014-08-02 17:32 - 2011-06-11 06:19 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp

2014-08-02 14:32 - 2011-03-12 17:11 - 00000000 ____D () C:\inetpub

2014-08-02 06:23 - 2014-08-02 06:19 - 00004918 __RSH () C:\ProgramData\ntuser.pol

2014-08-02 05:58 - 2009-07-14 00:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-08-02 05:58 - 2009-07-13 23:56 - 00032453 _____ () C:\Windows\setupact.log

2014-08-01 22:22 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache

2014-08-01 21:45 - 2010-11-20 22:47 - 00196556 _____ () C:\Windows\PFRO.log

2014-07-27 02:04 - 2014-07-27 02:04 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Apps\2.0

2014-07-26 16:45 - 2011-10-23 10:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer

2014-07-26 16:45 - 2011-10-23 10:09 - 00000000 ____D () C:\Program Files (x86)\hMailServer

2014-07-26 10:19 - 2014-07-26 10:19 - 00000019 _____ () C:\Users\Administrator\Documents\dns2.txt

2014-07-26 10:18 - 2014-07-26 10:18 - 00001255 _____ () C:\Users\Administrator\Documents\dns.txt

2014-07-26 10:14 - 2011-03-12 21:52 - 00000000 ____D () C:\Users\Administrator\Documents\Tools

2014-07-26 00:12 - 2013-04-14 12:41 - 00016585 _____ () C:\Users\Administrator\AppData\Local\Temp\chrome_installer.log

2014-07-26 00:12 - 2013-04-14 12:41 - 00000000 ____D () C:\Program Files (x86)\Google

2014-07-25 23:43 - 2009-07-14 00:10 - 00810646 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-07-25 23:35 - 2012-07-04 12:30 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

2014-07-25 23:35 - 2012-07-04 12:30 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight

2014-07-24 03:01 - 2012-07-04 12:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2014-07-13 13:22 - 2014-07-13 13:22 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\Umar_Temp.bmp

2014-07-13 13:22 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\PhotoFoxRZ.bmp

2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BobS.bmp

2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\BeeCeeBee10112011.bmp

2014-07-13 13:21 - 2014-07-13 13:21 - 00031832 _____ () C:\Users\Administrator\AppData\Local\Temp\admini.bmp

2014-07-12 23:00 - 2011-03-12 18:33 - 00000000 ____D () C:\Users\Administrator

2014-07-09 03:20 - 2009-07-13 23:49 - 00267240 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-07-09 03:19 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism

2014-07-09 03:19 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\Dism

2014-07-09 03:03 - 2013-08-13 20:52 - 00000000 ____D () C:\Windows\system32\MRT

2014-07-09 03:02 - 2011-07-13 16:53 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-07-28 00:35

 

==================== End Of Log ============================

  • FPCH Admin
Posted

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-08-2014

Ran by Administrator at 2014-08-03 17:17:42

Running from C:\Users\Administrator\Desktop

Boot Mode: Normal

==========================================================

 

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Helicon Ape (HKLM-x32\...\{2BBFCEFA-33AF-4A8B-8041-2216B87DEAE1}) (Version: 3.0.0062 - Helicon Tech)

Helicon Zoo native module for IIS7 (HKLM\...\{77947360-D1ED-4AEB-B1FD-501205B4CE5F}) (Version: 2.0.77.328 - Helicon Tech)

hMailServer 5.4.2-B1964 (HKLM-x32\...\hMailServer_is1) (Version: - )

IIS URL Rewrite Module 2 (HKLM\...\{EB675D0A-2C95-405B-BEE8-B42A65D23E11}) (Version: 7.2.2 - Microsoft Corporation)

Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1912 - Intel Corporation)

Java 7 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417045FF}) (Version: 7.0.450 - Oracle)

Java SE Development Kit 7 Update 45 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170450}) (Version: 1.7.0.450 - Oracle)

Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden

Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden

Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)

Microsoft SQL Server Compact 3.5 ENU (HKLM-x32\...\{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}) (Version: 3.5.5386.0 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)

Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden

Microsoft Web Deploy 2.0 (HKLM\...\{5134B35A-B559-4762-94A4-FD4918977953}) (Version: 2.0.1070 - Microsoft Corporation)

Microsoft Web Deploy 3.0 (HKLM\...\{AA72C306-30BE-4BB1-9E42-59552BAD2CDF}) (Version: 3.1236.1631 - Microsoft Corporation)

Microsoft Web Platform Installer 4.5 (HKLM\...\{458707CD-9D7A-477F-B925-02242A29673B}) (Version: 4.0.1863 - Microsoft Corporation)

MySQL Connector Net 6.3.7 (HKLM-x32\...\{5FD88490-011C-4DF1-B886-F298D955171B}) (Version: 6.3.7 - Oracle)

PHP Manager 1.2 for IIS 7 (HKLM\...\{E851486F-1FE2-44F0-85ED-F969088A68EE}) (Version: 1.2.0 - )

Python 2.7.3 (HKLM-x32\...\{C0C31BCC-56FB-42a7-8766-D29E1BD74C7C}) (Version: 2.7.3150 - Python Software Foundation)

Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.23.623.2010 - Realtek)

Realtek Ethernet Diagnostic Utility (HKLM-x32\...\{DADC7AB0-E554-4705-9F6A-83EA82ED708E}) (Version: 2.0.2.3 - Realtek)

System Requirements Lab (HKLM-x32\...\SystemRequirementsLab) (Version: - )

 

==================== Custom CLSID (selected items): ==========================

 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

 

==================== Restore Points =========================

 

Could not list Restore Points. Check "winmgmt" service or repair WMI.

 

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

 

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)

Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)

Task: {A22EF847-A656-4D36-AE6E-CC92341CF5A8} - System32\Tasks\MySQL Backup => D:\MySQLBackups\mysqlbackup.bat [2013-01-16] ()

Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)

Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)

 

==================== Loaded Modules (whitelisted) =============

 

2011-03-13 10:37 - 2011-03-13 10:34 - 09631232 _____ () D:\mysql-5.5.9\bin\mysqld.exe

2011-03-12 17:24 - 2009-02-10 17:09 - 00296960 _____ () C:\Users\Administrator\Downloads\NetMeter.exe

2013-11-23 19:53 - 2012-06-26 16:17 - 00626176 _____ () C:\inetpub\php-5.4.22-nts\ext\ioncube_loader_win_5.4.dll

2013-11-23 19:50 - 2013-11-23 19:50 - 00097792 _____ () C:\inetpub\php-5.4.22-nts\LIBPQ.dll

2014-02-13 17:21 - 2014-02-08 14:16 - 01304576 _____ () C:\ImageMagick\CORE_RL_magick_.dll

2014-02-13 17:21 - 2014-02-08 14:16 - 00224256 _____ () C:\ImageMagick\CORE_RL_lcms_.dll

 

==================== Alternate Data Streams (whitelisted) =========

 

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

 

 

==================== Safe Mode (whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

 

==================== EXE Association (whitelisted) =============

 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

 

 

==================== MSCONFIG/TASK MANAGER disabled items =========

 

(Currently there is no automatic fix for this section.)

 

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (08/03/2014 01:36:51 AM) (Source: SideBySide) (EventID: 80) (User: )

Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.

A component version required by the application conflicts with another component version already active.

Conflicting components are:.

Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

 

Error: (08/02/2014 06:00:30 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/02/2014 05:59:47 AM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: WinQvodPlayer.exe, version: 0.0.0.0, time stamp: 0x2a425e19

Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86

Exception code: 0x0eedfade

Fault offset: 0x0000c42d

Faulting process id: 0x3b8

Faulting application start time: 0xWinQvodPlayer.exe0

Faulting application path: WinQvodPlayer.exe1

Faulting module path: WinQvodPlayer.exe2

Report Id: WinQvodPlayer.exe3

 

Error: (08/02/2014 05:59:02 AM) (Source: VSS) (EventID: 8193) (User: )

Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.

.

 

 

Operation:

Initializing Writer

 

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {b4075191-6a22-44e2-9802-8eefe0ea871d}

 

Error: (08/02/2014 05:58:03 AM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: elasticsearch-service-x64.exe, version: 1.0.15.0, time stamp: 0x51543b9d

Faulting module name: jvm.dll, version: 24.45.0.8, time stamp: 0x5254099f

Exception code: 0xc0000005

Fault offset: 0x00000000001ccf58

Faulting process id: 0x580

Faulting application start time: 0xelasticsearch-service-x64.exe0

Faulting application path: elasticsearch-service-x64.exe1

Faulting module path: elasticsearch-service-x64.exe2

Report Id: elasticsearch-service-x64.exe3

 

Error: (08/01/2014 09:47:31 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 09:46:49 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: WinQvodPlayer.exe, version: 0.0.0.0, time stamp: 0x2a425e19

Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86

Exception code: 0x0eedfade

Fault offset: 0x0000c42d

Faulting process id: 0x488

Faulting application start time: 0xWinQvodPlayer.exe0

Faulting application path: WinQvodPlayer.exe1

Faulting module path: WinQvodPlayer.exe2

Report Id: WinQvodPlayer.exe3

 

Error: (08/01/2014 09:46:06 PM) (Source: VSS) (EventID: 8193) (User: )

Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.

.

 

 

Operation:

Initializing Writer

 

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {36a85e37-144b-463c-ac23-261c5c15af42}

 

Error: (08/01/2014 09:45:08 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: elasticsearch-service-x64.exe, version: 1.0.15.0, time stamp: 0x51543b9d

Faulting module name: jvm.dll, version: 24.45.0.8, time stamp: 0x5254099f

Exception code: 0xc0000005

Fault offset: 0x00000000001ccf58

Faulting process id: 0x574

Faulting application start time: 0xelasticsearch-service-x64.exe0

Faulting application path: elasticsearch-service-x64.exe1

Faulting module path: elasticsearch-service-x64.exe2

Report Id: elasticsearch-service-x64.exe3

 

 

System errors:

=============

Error: (08/03/2014 05:17:05 PM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 03:47:41 PM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 02:27:18 PM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 01:09:17 PM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 11:38:24 AM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 09:48:30 AM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 08:37:13 AM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 07:22:42 AM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 06:22:26 AM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

Error: (08/03/2014 05:21:24 AM) (Source: TermDD) (EventID: 50) (User: )

Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

 

 

Microsoft Office Sessions:

=========================

Error: (08/03/2014 01:36:51 AM) (Source: SideBySide) (EventID: 80) (User: )

Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestc:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe

 

Error: (08/02/2014 06:00:30 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/02/2014 05:59:47 AM) (Source: Application Error) (EventID: 1000) (User: )

Description: WinQvodPlayer.exe0.0.0.02a425e19KERNELBASE.dll6.1.7601.1840953159a860eedfade0000c42d3b801cfae40d382801eC:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exeC:\Windows\syswow64\KERNELBASE.dll1d4a7d00-1a34-11e4-8bcd-6c626d8a1b2a

 

Error: (08/02/2014 05:59:02 AM) (Source: VSS) (EventID: 8193) (User: )

Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.

 

 

Operation:

Initializing Writer

 

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {b4075191-6a22-44e2-9802-8eefe0ea871d}

 

Error: (08/02/2014 05:58:03 AM) (Source: Application Error) (EventID: 1000) (User: )

Description: elasticsearch-service-x64.exe1.0.15.051543b9djvm.dll24.45.0.85254099fc000000500000000001ccf5858001cfadfbe8a58c56C:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exeC:\Program Files\Java\jdk1.7.0_45\jre\bin\server\jvm.dlldf9741e6-1a33-11e4-9ec3-6c626d8a1b2a

 

Error: (08/01/2014 09:47:31 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 09:46:49 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: WinQvodPlayer.exe0.0.0.02a425e19KERNELBASE.dll6.1.7601.1840953159a860eedfade0000c42d48801cfadfbf5631d46C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exeC:\Windows\syswow64\KERNELBASE.dll3fa976ca-19ef-11e4-9ec3-6c626d8a1b2a

 

Error: (08/01/2014 09:46:06 PM) (Source: VSS) (EventID: 8193) (User: )

Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.

 

 

Operation:

Initializing Writer

 

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {36a85e37-144b-463c-ac23-261c5c15af42}

 

Error: (08/01/2014 09:45:08 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: elasticsearch-service-x64.exe1.0.15.051543b9djvm.dll24.45.0.85254099fc000000500000000001ccf5857401cfaddc9b6f7bbeC:\elasticsearch-0.90.9\bin\elasticsearch-service-x64.exeC:\Program Files\Java\jdk1.7.0_45\jre\bin\server\jvm.dll03875f56-19ef-11e4-b2f7-6c626d8a1b2a

 

 

==================== Memory info ===========================

 

Percentage of memory in use: 54%

Total physical RAM: 8182.24 MB

Available physical RAM: 3707.11 MB

Total Pagefile: 16362.66 MB

Available Pagefile: 11764.45 MB

Total Virtual: 8192 MB

Available Virtual: 8191.84 MB

 

==================== Drives ================================

 

Drive c: (Windows) (Fixed) (Total:472.43 GB) (Free:411.6 GB) NTFS

Drive d: (Programs) (Fixed) (Total:458.98 GB) (Free:350.23 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 78C6DD2D)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=472 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=459 GB) - (Type=07 NTFS)

 

==================== End Of Log ============================

Posted

Hi Bob,

 

There's really much to go on in the reports.

 

I also run Malwarebytes Pro for business and NOD32 for enterprise.

This server is showing that MSSE is installed?

 

There were incoming requests to rejoice.exe

This in itself isn't good:

http://www.bleepingcomputer.com/startups/rejoice.exe-13732.html

 

As you will see it's normally started via the Shell= line in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

But there's no sign of any abnormal shell entry in the reports... by all means check the registry though (as I know you are capable).

Although there's no sign of the file, I'll still add the file path to the fix (along with the file missing entries)... just in case.

Then we'll get a report from RK which should hopefully give us an idea of any rootkit still residing.

 

Step 1

Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.

NOTE.

It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on that particular machine.

Running this on another machine may cause damage to your operating system

 

Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.

 


 

The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.

 

 

Step 2

Download RogueKiller and save it to your desktop.

  • Close all running processes (security programs etc )
  • Double click RogueKiller icon to run the program
    Vista/Win7/Win8 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Now click the Scan button.
  • Please copy and paste the report in your next reply.

A copy of the RKreport.txt can be found on your desktop.

 

Note:

If RogueKiller is blocked, do not hesitate to try running it again.

If it still fails to run, right click on the downloaded icon and select 'Rename'... rename it to winlogon and try again.

 

 

In your next reply, please submit:

fixlog.txt

RKreport.txt

 

 

Thanks.

fixlist.txt

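The two things the helper is looking at here, the Winlogon Shell= value that rejoice.exe-style loaders hijack and the service entries whose binary is missing (the [X] lines FRST reports), can both be checked read-only before a fix is run. The script below is an added example for this thread, not the helper's fixlist and not FRST or RogueKiller code. It assumes an elevated PowerShell prompt on Windows 7 / Server 2008 R2 or later, and the "expected" Shell and Userinit values it compares against are the defaults on that OS family; the function names are mine.

```powershell
# Added example (not from the thread, FRST or RogueKiller): read-only checks that
# mirror two points in the fix above. Nothing is modified.
#   1. Winlogon Shell/Userinit values, the keys that rejoice.exe-style loaders hijack.
#   2. Services/drivers whose ImagePath points at a missing file (FRST marks these [X]).
# Assumes an elevated prompt on Windows 7 / Server 2008 R2 or later.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonShell {
    # Assumed defaults for this OS family; anything else deserves a look.
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal
    }
    $props = Get-ItemProperty -Path $WinlogonKey
    foreach ($name in $expected.Keys) {
        $actual = [string]$props.$name
        $status = 'REVIEW'
        if ($actual -ieq $expected[$name]) { $status = 'OK' }
        New-Object PSObject -Property @{
            Value    = $name
            Actual   = $actual
            Expected = $expected[$name]
            Status   = $status
        }
    }
}

function Resolve-ImagePath {
    # Turn the ImagePath forms seen in the fixlist into a plain file path:
    #   "C:\...\WinQvodPlayer.exe" -k   system32\drivers\x.sys   \??\E:\x.sys   \SystemRoot\system32\x.sys
    param([string]$ImagePath)
    if ([string]::IsNullOrEmpty($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # keep the path up to the first .exe/.sys/.dll, dropping quotes and arguments such as "-k"
    if ($p -match '^"?([^"]+?\.(?:exe|sys|dll))"?(\s|$)') { $p = $Matches[1] } else { return $null }
    $p = $p -replace '^\\\?\?\\', ''                              # \??\E:\x.sys -> E:\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')   # \SystemRoot\... -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }   # system32\... is relative to %SystemRoot%
    return $p
}

function Get-OrphanedService {
    # Services and drivers whose binary is gone; FRST lists these with [X]
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $path  = Resolve-ImagePath $props.ImagePath
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Service   = $_.PSChildName
                Start     = $props.Start        # 0-4, the S0..S4 prefix in the FRST log
                ImagePath = $props.ImagePath
                Resolved  = $path
            }
        }
    }
}

Test-WinlogonShell  | Format-Table Value, Status, Actual, Expected -AutoSize
Get-OrphanedService | Sort-Object Service | Format-Table Service, Start, ImagePath, Resolved -AutoSize
```

An orphaned service entry is not malicious by itself (leftover driver entries from uninstalled VMware or audio packages are common, as the fixlist above shows), but an entry whose binary is missing and whose name matches nothing installed is worth comparing against the FRST log before anything is deleted.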

  • FPCH Admin
Posted

Fix results:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-08-2014

Ran by Administrator at 2014-08-04 16:56:18 Run:1

Running from C:\Users\Administrator\Desktop

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

S2 WinQvods; C:\Program Files\Common Files\Microsoft Shared\MSINFO\WinQvodPlayer.exe -k [X]

S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]

S3 MSICDSetup; \??\E:\CDriver64.sys [X]

S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]

S1 qsscomnl; \??\C:\Windows\system32\drivers\qsscomnl.sys [X]

S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]

S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

S3 VMSMP; system32\DRIVERS\vmswitch.sys [X]

C:\Windows\system32\rejoice.exe

Hosts:

 

 

*****************

 

WinQvods => Service deleted successfully.

IntcAzAudAddService => Service deleted successfully.

MSICDSetup => Service deleted successfully.

nvlddmkm => Service deleted successfully.

qsscomnl => Service deleted successfully.

vmci => Service deleted successfully.

VMnetAdapter => Service deleted successfully.

VMSMP => Service deleted successfully.

"C:\Windows\system32\rejoice.exe" => File/Directory not found.

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.

Hosts was reset successfully.

 

==== End of Fixlog ====

  • FPCH Admin
Posted

Rogue Killer log:

 

RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Scan -- Date : 08/04/2014 17:08:09

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 14 ¤¤¤

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> FOUND

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> FOUND

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> FOUND

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> FOUND

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> FOUND

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> FOUND

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3518012042-1827334665-130950791-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ HOSTS File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00J7B0 ATA Device +++++

--- User ---

[MBR] e36b29ed5deb4d86d6431d847a232055

[bSP] 6bf05f4762bd9870a00d4f8a448a77b7 : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB

1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 483768 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 990963712 | Size: 469999 MB

User = LL1 ... OK

User = LL2 ... OK

Posted

Hi Bob,

 

I installed msse a couple hours before I did the scan.

Ok, that explains it then.

 

RK didn't find anything malicious.

 

What does surprise me is that you were running ESET Enterprise and it didn't detect anything... but an ESET online scan did!

Did Eset save a copy of the scan report?

It would be interesting to see where it found the malware.

It normally saves a copy of the scan at: C:\Program Files\ESET\ESET Online Scanner\log.txt


  • FPCH Admin
Posted

What's more baffling is how the server was infected. I am the only one with access to it. RDP is locked down to only allow access from local IPs and only my IPs from my main desktop and laptop. No external connections allowed.

 

I don't use it to surf the web or open email. The only time I log in to it is to rotate backups or test code. The only site running on it is a test site that is local only. It's the old server that we used for CHF.

 

I do know when the infection happened. It was on July 29th at 4:56 AM CST. The person who got in covered his tracks real good. The only clue was the date WinRAR was installed. All event logs were cleared.

 

I looked at my router logs and I saw a SYN flood on the border router, but the DDoS protection on the load balancer mitigated that.

 

The only thing I can think of is I might have opened up a hole with some of my code. I am working on some add-ins to enhance remote management. It's either that or a zero-day exploit in Windows 2008 R2.

  • FPCH Admin
Posted

I found the attack vector. On the server I had a site that I closed a couple years ago. It was a blog with articles and tips for Windows Server users. I used WordPress as the software. The version of WordPress was in the early 3.0 branch. Since that was a test server I only had port 8080 and 443 for HTTPS open, but I had IIS shut off, so any attempts to access any site would have gone to a null route. When I took the server out of the rack when I turned on the new server for CHF, I put it to the side to be used as a backup server. Once I transferred the files from the backup to it, I put it back online connected only to the local network. Or so I thought. I had forgotten to remove one of the static public IPs. Also, when I rebooted it, IIS turned back on and I didn't think to turn it off. Long story short, a hacker tool was used that probes for vulnerable WordPress sites, found mine and used the exploit to upload a shell. Once that happened it was a free for all.

 

I have now removed the public IP and uninstalled IIS. Lesson learned: never leave old vulnerable software open to the public.
