SBS 2003 Server Infection (Possible Trojan)


8 replies to this topic

#1 dbitalia (Members, 5 posts)

Posted 03 April 2014 - 06:01 AM

Hi All

I have a client running SBS 2003 which has been infected with a possible Trojan.

I ran a Hitman Pro scan which came up clean and also a Malwarebytes scan which reported two infected registry keys. I am unable to run DDS as the application is not supported on SBS 2003; however, I have updated the Malwarebytes log.

I quarantined the infected files; however, I have also noticed that the antivirus is reporting a Trojan infection, which again has been quarantined (see attached image).

I am also receiving the following error message when Windows starts: "csrss.exe, the application has failed to start because the basesrv was not found. Reinstalling the application may fix the problem"

Let me know your thoughts guys as I am not certain if the alerts are false positives.

Many Thanks


#2 HelpBot (Bleepin' Binary Bot; Bots, 12,742 posts)

Posted 08 April 2014 - 06:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/529779 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 dbitalia (Topic Starter; Members, 5 posts)

Posted 08 April 2014 - 04:11 PM

Unable to produce a DDS log due to the operating system: Small Business 2003, 32-bit.



#4 nasdaq (Malware Response Team, 40,227 posts; Montreal, QC, Canada)

Posted 09 April 2014 - 08:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: for a 32-bit system or for a 64-bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#5 dbitalia (Topic Starter; Members, 5 posts)

Posted 11 April 2014 - 01:02 PM

Hi Nasdaq

RogueKiller report content:

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
 
Operating System : Windows Server 2003 (5.2.3790 Service Pack 2) 32 bits version
Started in : Normal mode
User : Dom [Admin rights]
Mode : Remove -- Date : 04/11/2014 18:59:18
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : dsmod.exe (C:\Documents and Settings\dom\Application Data\OpenOffice.org\3\user\uno_packages\fxsclnt.exe [x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : compact.exe (C:\Documents and Settings\dom\Application Data\OpenOffice.org\3\user\mqdssvc.exe [-]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3867308571-1792914696-1875973369-1135\[...]\Run : dsmod.exe (C:\Documents and Settings\dom\Application Data\OpenOffice.org\3\user\uno_packages\fxsclnt.exe [x]) -> [0x2] The system cannot find the file specified. 
[RUN][SUSP PATH] HKUS\S-1-5-21-3867308571-1792914696-1875973369-1135\[...]\Run : compact.exe (C:\Documents and Settings\dom\Application Data\OpenOffice.org\3\user\mqdssvc.exe [-]) -> [0x2] The system cannot find the file specified. 
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
127.94.0.1 client.openvpn.net
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) ADAPTEC RAID 1 SCSI Disk Device +++++
--- User ---
[MBR] e6a6ec0cf64384216b174672e1f13873
[BSP] 01fbabdb4897936e4a64961daa52e98e : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 82568 MB
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 169180515 | Size: 394329 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ SCSI) WDC WD50 00AAKX-221CA1 SCSI Disk Device +++++
--- User ---
[MBR] 62dd884247fe3647c071ee63d62851d1
[BSP] 0db03aea5c609235d2f68ccbf6367cc4 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ SCSI) WDC WD50 00AAKX-221CA1 SCSI Disk Device +++++
--- User ---
[MBR] cb6778e7c827ea5a71aa2bb6ec86e182
[BSP] 5c67032cb6fb8bc5aa7bc129bb23aaa8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ SCSI) WDC WD50 00AAKX-221CA1 SCSI Disk Device +++++
--- User ---
[MBR] f49526917779618c9b1664f1c54cad02
[BSP] 5f7e38eb9215626d8112908fd73df139 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
Finished : << RKreport[0]_D_04112014_185918.txt >>
RKreport[0]_S_04112014_185510.txt
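
The Run-key entries and the hosts file section of the RogueKiller report above are the lines a responder pulls out first. The following Python script is an added example, not RogueKiller's, BleepingComputer's or the poster's code: it parses report lines in that format, applies two simple review heuristics to the Run entries (an autostart image stored under a user profile directory, and a value name that differs from the file it launches) and labels each hosts entry. The function names and the sample subset of the report are mine; the bracketed [x]/[-] marker RogueKiller prints after the path is carried through without interpreting it.

```python
"""Triage of RogueKiller report lines.

Added example (not RogueKiller's, BleepingComputer's or the poster's code): it parses
the "[RUN][SUSP PATH]" registry lines and the HOSTS section in the format quoted in the
thread and pulls out what a responder reviews first.  The sample report below is a
constructed subset of the lines posted above, reproduced verbatim.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : dsmod.exe (C:\Documents and Settings\dom\Application Data\OpenOffice.org\3\user\uno_packages\fxsclnt.exe [x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : compact.exe (C:\Documents and Settings\dom\Application Data\OpenOffice.org\3\user\mqdssvc.exe [-]) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1       localhost
127.94.0.1 client.openvpn.net
¤¤¤ MBR Check: ¤¤¤
"""

RUN_LINE = re.compile(
    r"^\[RUN\]\[SUSP PATH\] (?P<hive>\S+) : (?P<name>\S+) "
    r"\((?P<path>.+?) \[(?P<flag>[^\]]*)\]\) -> (?P<action>.*)$"
)
HOSTS_LINE = re.compile(r"^(?P<ip>[0-9a-fA-F:.]+)\s+(?P<host>\S+)$")

# Directories under which an autostart image is unusual on a server (compared lower-case).
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\",
                "\\local settings\\", "\\users\\")


@dataclass
class RunEntry:
    hive: str
    name: str    # value name in the Run key
    path: str    # image the value points at
    flag: str    # RogueKiller's bracketed marker, carried through uninterpreted
    action: str  # what RogueKiller did (DELETED, error text, ...)


def parse_report(text):
    """Return (run_entries, hosts_entries) from a RogueKiller report."""
    run_entries, hosts_entries, in_hosts = [], [], False
    for raw in text.splitlines():
        line = raw.strip()  # also drops the non-breaking spaces in the pasted log
        if not line:
            continue
        if line.startswith("¤¤¤"):
            in_hosts = "HOSTS File" in line
            continue
        m = RUN_LINE.match(line)
        if m:
            run_entries.append(RunEntry(**m.groupdict()))
        elif in_hosts:
            m = HOSTS_LINE.match(line)
            if m:
                hosts_entries.append((m["ip"], m["host"]))
    return run_entries, hosts_entries


def triage_run_entries(entries):
    """Attach review reasons to each Run entry; entries with no reason are dropped."""
    flagged = []
    for e in entries:
        reasons = []
        if any(d in e.path.lower() for d in PROFILE_DIRS):
            reasons.append("image stored under a user profile directory")
        image = e.path.rsplit("\\", 1)[-1].lower()
        if image != e.name.lower():
            # A value named after a Windows tool that launches a differently named
            # file is worth a second look regardless of what the cleaner already did.
            reasons.append(f"value name {e.name} does not match image file {image}")
        if reasons:
            flagged.append({"name": e.name, "path": e.path,
                            "action": e.action, "reasons": reasons})
    return flagged


def classify_hosts(entries):
    """Label each hosts entry: standard loopback, other loopback alias, or redirect."""
    out = []
    for ip, host in entries:
        if (ip, host) in {("127.0.0.1", "localhost"), ("::1", "localhost")}:
            label = "standard"
        elif ip.startswith("127."):
            label = "loopback-alias"  # often a local product's own mapping; confirm against installed software
        else:
            label = "redirect"        # a real host sent elsewhere; treat as a hijack until explained
        out.append((ip, host, label))
    return out


if __name__ == "__main__":
    runs, hosts = parse_report(SAMPLE_REPORT)
    for item in triage_run_entries(runs):
        print(item["name"], "->", item["path"], "|", "; ".join(item["reasons"]))
    for ip, host, label in classify_hosts(hosts):
        print(f"{label:15} {ip:12} {host}")
```

Run directly, it flags both Run values for two reasons each (profile-directory image, mismatched name) and labels the 127.94.0.1 line as a loopback alias rather than a redirect; that entry can then be checked against the software on the box (the FRST process list later in the thread shows an OpenVPN client installed) instead of being treated as a hijack on sight.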


#6 dbitalia (Topic Starter; Members, 5 posts)

Posted 11 April 2014 - 01:12 PM

FRST Log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-04-2014
Ran by Dom (administrator) on SBS on 11-04-2014 19:03:06
Running from C:\Documents and Settings\dom\My Documents\Downloads
Microsoft® Windows® Server 2003 for Small Business Server Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(SurfRight B.V.) C:\Program Files\HitmanPro.Alert\hmpalert.exe
(Acronis) C:\Program Files\Common Files\Acronis\Agent\agent.exe
(Acronis) C:\Program Files\Common Files\Acronis\FileServer\fileserver.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Remote Monitoring) C:\Program Files\Advanced Monitoring Agent\winagent.exe
(APC) C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
(APC) C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
(Acronis) C:\Program Files\Acronis\ARSM\arsm.exe
(Microsoft Corporation) C:\WINDOWS\system32\certsrv.exe
(Dell Inc.) C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
(Dell Inc.) C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
(Microsoft Corporation) C:\WINDOWS\system32\Dfssvc.exe
(Microsoft Corporation) C:\WINDOWS\System32\dns.exe
(FileZilla Project) C:\Program Files\FileZilla Server\FileZilla Server.exe
(Microsoft Corporation) C:\WINDOWS\system32\inetsrv\inetinfo.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
() C:\Junari\Sage50Integration\JunariSage50Service.exe
(Microsoft Corporation) C:\WINDOWS\System32\llssrv.exe
(LSI  Logic Corporation) C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
(Microsoft Corporation) C:\WINDOWS\system32\ntfrs.exe
(Dell Inc.) C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
() D:\Open ERP\Server\service\OpenERPServerService.exe
() D:\Open ERP\Server\openerp-server.exe
() D:\Open ERP\Web\service\OpenERPWebService.exe
() D:\Open ERP\Web\openerp-web.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
(Microsoft) C:\Program Files\Common Files\Sage\Central\AutoUpdateClient\Sage.Central.AutoUpdateManager.Service.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
(Sage (UK) Limited) C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
(ThreatTrack Security, Inc.) C:\Program Files\Advanced Monitoring Agent\managedav\SBAMSvc.exe
(Microsoft Corporation) C:\WINDOWS\System32\sbscrexe.exe
() C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
(Microsoft Corporation) C:\WINDOWS\System32\snmp.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Acresso) C:\Program Files\ViewPower2.08\upsMonitor.exe
(Microsoft Corporation) C:\WINDOWS\System32\wins.exe
(Sun Microsystems, Inc.) C:\Program Files\ViewPower2.08\jre\bin\javaw.exe
(Acronis) C:\Program Files\Acronis\PXEServer\pxesrv.exe
(Acronis) C:\Program Files\Acronis\AMS\ManagementServer.exe
(Microsoft Corporation) C:\WINDOWS\system32\tcpsvcs.exe
(Autonomy, Inc.) C:\Program Files\Iron Mountain\BackupEngine\LV_Super.exe
(Acronis) C:\Program Files\Acronis\BackupAndRecovery\mms.exe
(Autonomy, Inc.) C:\Program Files\Iron Mountain\BackupEngine\LV_Engine.exe
(Microsoft Corporation) C:\Program Files\Exchsrvr\bin\exmgmt.exe
(Microsoft Corporation) C:\Program Files\Exchsrvr\bin\mad.exe
(Microsoft Corporation) C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
(Microsoft Corporation) C:\Program Files\Exchsrvr\bin\store.exe
(Microsoft Corporation) C:\Program Files\Exchsrvr\bin\emsmta.exe
(Microsoft Corporation) C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe
(Apache Software Foundation) C:\Program Files\ViewPower2.08\tomcat\bin\tomcat6.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(Acronis) C:\Program Files\Acronis\TrayMonitor\TrayMonitor.exe
(Acronis) C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Managed Antivirus) C:\Program Files\Advanced Monitoring Agent\managedav\SBAMTray.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(FaxVoip Software, LLC) C:\Program Files\FaxVoip\manager.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
(Dropbox, Inc.) C:\Documents and Settings\dom\Application Data\Dropbox\bin\Dropbox.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\tv_w32.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(GFI Software Development Ltd.) C:\Program Files\Advanced Monitoring Agent\patchman\lnssatt.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\RaMaint.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
() C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\capiws.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [DWPersistentQueuedReporting] - C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [39264 2007-03-22] (Microsoft Corporation)
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [391632 2012-09-25] (Acronis)
HKLM\...\Run: [BackupAndRecoveryMonitor.exe] - C:\Program Files\Acronis\BackupAndRecovery\BackupAndRecoveryMonitor.exe [1531216 2012-09-25] (Acronis)
HKLM\...\Run: [TrayMonitor.exe] - C:\Program Files\Acronis\TrayMonitor\TrayMonitor.exe [1496976 2012-09-25] (Acronis)
HKLM\...\Run: [JobHisInit] - C:\Program Files\RDS\RMClient\JobHisInit.exe [229481 2007-08-30] (RICOH COMPANY,LTD.)
HKLM\...\Run: [MplSetUp] - C:\Program Files\RDS\RMClient\MplSetUp.exe [49254 2007-08-30] (RICOH COMPANY,LTD.)
HKLM\...\Run: [AcronisTibMounterMonitor] - C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1105288 2012-08-16] (Acronis)
HKLM\...\Run: [KeePass 2 PreLoad] - C:\Program Files\KeePass Password Safe 2\KeePass.exe [1937920 2013-02-03] (Dominik Reichl)
HKLM\...\Run: [FileZilla Server Interface] - C:\Program Files\FileZilla Server\FileZilla Server Interface.exe [1044992 2012-02-26] (FileZilla Project)
HKLM\...\Run: [SBAMTray] - C:\Program Files\Advanced Monitoring Agent\managedav\SBAMTray.exe [3232152 2013-05-28] (Managed Antivirus)
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [Fax Voip Manager] - C:\Program Files\FaxVoip\manager.exe [294912 2009-11-23] (FaxVoip Software, LLC)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\Run: [UserFaultCheck] - %systemroot%\system32\dumprep 0 -u
HKLM\...\Winlogon: [UIHost] %SystemRoot%\system32\logonui.exe [x ] ()
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\.DEFAULT\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [44032 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-19\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [44032 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [44032 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-21-3867308571-1792914696-1875973369-1135\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-3867308571-1792914696-1875973369-1135\...\MountPoints2: {9369fd12-852c-11df-8a68-000e0c8138c2} - "F:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3867308571-1792914696-1875973369-1624\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [44032 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-21-3867308571-1792914696-1875973369-1624\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-3867308571-1792914696-1875973369-1667\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [44032 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-21-3867308571-1792914696-1875973369-1667\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-3867308571-1792914696-1875973369-1668\...\RunOnce: [tscuninstall] - C:\WINDOWS\system32\tscupgrd.exe [44032 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-21-3867308571-1792914696-1875973369-1668\...\Policies\Explorer: [NoWindowsUpdate] 0
Lsa: [Authentication Packages] msv1_0 relog_ap
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli dsrestor
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Server Management.lnk
ShortcutTarget: Server Management.lnk -> C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\dom\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\dom\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Documents and Settings\dom\Start Menu\Programs\Startup\Server Management.lnk
ShortcutTarget: Server Management.lnk -> C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\fsit.admin\Start Menu\Programs\Startup\Server Management.lnk
ShortcutTarget: Server Management.lnk -> C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\fsit.admin\Start Menu\Programs\Startup\ViewPower.lnk
ShortcutTarget: ViewPower.lnk -> C:\Program Files\ViewPower2.08\ViewPower.exe (Acresso)
Startup: C:\Documents and Settings\Junari.CELLPACK\Start Menu\Programs\Startup\Server Management.lnk
ShortcutTarget: Server Management.lnk -> C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\lisaa\Start Menu\Programs\Startup\Server Management.lnk
ShortcutTarget: Server Management.lnk -> C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\sagelink\Start Menu\Programs\Startup\Server Management.lnk
ShortcutTarget: Server Management.lnk -> C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {6A6F4B83-45C5-4CA9-BDD9-0D81C12295E4} http://localhost/tsweb/msrdp.cab
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{16A921AD-C400-46C9-87B9-D95D4FE5A985}: [NameServer]10.0.0.1
Tcpip\..\Interfaces\{62E9B1DC-BDF6-4676-A884-EF9F2D5A66DC}: [NameServer]192.168.254.1
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\dom\Application Data\Mozilla\Firefox\Profiles\w4iyap0g.default
FF user.js: detected! => C:\Documents and Settings\dom\Application Data\Mozilla\Firefox\Profiles\w4iyap0g.default\user.js
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Documents and Settings\dom\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\dom\Application Data\Mozilla\Firefox\Profiles\w4iyap0g.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-07-11]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-01-12]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
 
========================== Services (Whitelisted) =================
 
S3 Acronis VSS Provider; C:\WINDOWS\system32\dllhost.exe [5632 2007-02-17] (Microsoft Corporation)
R2 AcronisAgent; C:\Program Files\Common Files\Acronis\Agent\agent.exe [2021280 2012-07-12] (Acronis)
R2 AcronisFS; C:\Program Files\Common Files\Acronis\FileServer\fileserver.exe [4792560 2012-08-01] (Acronis)
R2 AcronisPXE; C:\Program Files\Acronis\PXEServer\pxesrv.exe [1903720 2012-08-01] (Acronis)
R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [801344 2012-09-25] (Acronis)
R2 Advanced Monitoring Agent; C:\Program Files\Advanced Monitoring Agent\winagent.exe [6998528 2013-12-18] (Remote Monitoring)
R2 AMS; C:\Program Files\Acronis\AMS\ManagementServer.exe [12507824 2012-09-25] (Acronis)
S4 AmsWebServer; C:\Program Files\Common Files\Acronis\WebServer\httpd.exe [18432 2011-10-31] (Apache Software Foundation)
R2 APCPBEAgent; C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe [34168 2010-09-30] (APC)
R2 APCPBEServer; C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe [54728 2010-09-30] (APC)
R2 ARSM; C:\Program Files\Acronis\ARSM\arsm.exe [5292056 2012-09-25] (Acronis)
R2 CertSvc; C:\WINDOWS\system32\certsrv.exe [316416 2007-02-17] (Microsoft Corporation)
R2 dcevt32; C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe [153848 2007-02-01] (Dell Inc.)
R2 dcstor32; C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe [198904 2007-02-01] (Dell Inc.)
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2005-05-12] (Microsoft Corporation)
R2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
S4 FaxVoip; C:\Program Files\FaxVoip\fvps.exe [225792 2009-09-08] ()
R2 FileZilla Server; C:\Program Files\FileZilla Server\FileZilla Server.exe [632320 2012-02-26] (FileZilla Project)
S4 FVlogman; C:\Program Files\FaxVoip\fvps.exe [225792 2009-09-08] ()
S3 FvpMail; C:\Program Files\FaxVoip\fvps.exe [225792 2009-09-08] ()
R2 gfi_lanss11_attservice; C:\Program Files\Advanced Monitoring Agent\patchman\lnssatt.exe [118640 2012-07-17] (GFI Software Development Ltd.)
R2 hmpalertsvc; C:\Program Files\HitmanPro.Alert\hmpalert.exe [1862480 2014-04-03] (SurfRight B.V.)
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 IMAP4Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S4 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-12-18] (Oracle Corporation)
R2 Junari Sage 50 Service; C:\Junari\Sage50Integration\JunariSage50Service.exe [36864 2013-12-02] ()
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2005-05-12] (Microsoft Corporation)
R2 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-17] (Microsoft Corporation)
R2 LVBackupService; C:\Program Files\Iron Mountain\BackupEngine\LV_Super.exe [114176 2013-02-02] (Autonomy, Inc.)
S3 MFaxMail; C:\Program Files\FaxVoip\fvps.exe [225792 2009-09-08] ()
R2 MMS; C:\Program Files\Acronis\BackupAndRecovery\mms.exe [10172776 2012-09-25] (Acronis)
R2 mr2kserv; C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe [69632 2007-03-09] (LSI  Logic Corporation)
S3 MSExchangeES; C:\Program Files\Exchsrvr\bin\events.exe [94720 2003-06-03] (Microsoft Corporation)
R2 MSExchangeIS; C:\Program Files\Exchsrvr\bin\store.exe [5266432 2008-11-26] (Microsoft Corporation)
R2 MSExchangeMGMT; C:\Program Files\Exchsrvr\bin\exmgmt.exe [3217408 2005-08-25] (Microsoft Corporation)
R2 MSExchangeMTA; C:\Program Files\Exchsrvr\bin\emsmta.exe [3598848 2008-11-26] (Microsoft Corporation)
R2 MSExchangeSA; C:\Program Files\Exchsrvr\bin\mad.exe [8920064 2005-08-25] (Microsoft Corporation)
S4 MSExchangeSRS; C:\Program Files\Exchsrvr\bin\srsmain.exe [339456 2005-08-25] (Microsoft Corporation)
R2 MSPOP3Connector; C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe [33600 2005-04-30] (Microsoft Corporation)
R2 MSSEARCH; C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [69632 2005-05-12] (Microsoft Corporation)
R2 MSSQL$ACRONIS; C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQL$MCAFEE; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S3 MSSQL$SBSMONITORING; C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe [9158656 2008-12-18] (Microsoft Corporation)
R2 MSSQL$SHAREPOINT; C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe [9158656 2008-12-16] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S4 NntpSvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)
R2 omsad; C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe [22776 2007-03-07] (Dell Inc.)
R2 openerp-server-6.0; D:\Open ERP\Server\service\OpenERPServerService.exe [20992 2011-04-01] ()
R2 openerp-web-6.0; D:\Open ERP\Web\service\OpenERPWebService.exe [20992 2011-04-01] ()
R2 OpenVPNAccessClient; C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\capiws.exe [24064 2012-05-03] ()
R2 POP3Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 RESvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2005-05-12] (Microsoft Corporation)
R2 Sage AutoUpdate Manager Service; C:\Program Files\Common Files\Sage\Central\AutoUpdateClient\Sage.Central.AutoUpdateManager.Service.exe [8192 2013-06-04] (Microsoft)
R2 Sage SData Service; C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe [53248 2013-01-30] (Sage (UK) Limited)
R2 SBAMSvc; C:\Program Files\Advanced Monitoring Agent\managedav\SBAMSvc.exe [3681016 2013-05-28] (ThreatTrack Security, Inc.)
R2 Server Administrator; C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe [55544 2007-03-07] ()
R2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 SPTimer; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE [31584 2007-04-19] (Microsoft Corporation)
S3 SQLAgent$SBSMONITORING; C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE [323584 2005-05-03] (Microsoft Corporation)
S3 SQLAgent$SHAREPOINT; C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE [323584 2008-12-16] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2005-05-12] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)
R2 upsMonitor; C:\Program Files\ViewPower2.08\upsMonitor.exe [116224 2012-05-14] (Acresso)
R3 upsTomcat; C:\Program Files\ViewPower2.08\tomcat\bin\tomcat6.exe [57344 2011-04-15] (Apache Software Foundation)
R2 WINS; C:\WINDOWS\System32\wins.exe [158720 2011-08-10] (Microsoft Corporation)
R2 Eventlog;  [X]
R2 postgresql-8.3; C:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N "postgresql-8.3" -D "D:/Open ERP/PostgreSQL/8.3/data" -w [X]
S4 UPS;   [X]
S4 vtigercrmMysql510; D:\CRM\vtigercrm-5.1.0\mysql\bin\mysqld-nt --defaults-file=D:\CRM\vtigercrm-5.1.0\mysql\my.ini vtigercrmMysql510
S4 vtigercrmMysql520; D:\CRM\vtigercrm-5.2.0\mysql\bin\mysqld-nt --defaults-file=D:\CRM\vtigercrm-5.2.0\mysql\my.ini vtigercrmMysql520
S2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe" [X]
S2 WDSmartWareBackgroundService; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe" [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
R0 aarich; C:\WINDOWS\System32\drivers\aarich.sys [214528 2007-03-25] (Adaptec, Inc.)
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
R3 dcdbas; C:\WINDOWS\System32\DRIVERS\dcdbas32.sys [31480 2007-02-27] (Dell Inc.)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [176128 2007-03-25] (Intel Corporation)
R2 EXIFS; C:\WINDOWS\system32\drivers\exifs.sys [196192 2005-08-25] (Microsoft Corporation)
R3 gfiark; C:\WINDOWS\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
R0 gfibto; C:\WINDOWS\System32\drivers\gfibto.sys [13560 2012-02-13] (GFI Software)
R3 gfiutil; C:\WINDOWS\System32\drivers\gfiutil.sys [24040 2013-09-04] (ThreatTrack Security)
R2 hmpalert; C:\WINDOWS\system32\drivers\hmpalert.sys [75104 2014-04-03] ()
R1 LV_Tracker; C:\WINDOWS\System32\DRIVERS\LV_Tracker.sys [54360 2012-07-25] ()
R0 mv91xx; C:\WINDOWS\System32\DRIVERS\mv91xx.sys [273712 2011-06-16] (Marvell Semiconductor, Inc.)
R2 sbapifs; C:\WINDOWS\System32\drivers\sbapifs.sys [68904 2013-05-07] (GFI Software)
R0 symmpi; C:\WINDOWS\System32\DRIVERS\symmpi.sys [40448 2007-03-25] (LSI Logic)
R0 tib_mounter; C:\WINDOWS\System32\DRIVERS\tib_mounter.sys [864712 2012-10-23] (Acronis)
R3 vcomdrv; C:\WINDOWS\System32\DRIVERS\vcomdrv.sys [37376 2008-10-22] (FaxVoip Software, LLC)
R2 virtual_file; C:\WINDOWS\System32\DRIVERS\virtual_file.sys [149608 2012-10-23] (Acronis)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 cpqarry2; No ImagePath
S4 cpqcissm; No ImagePath
S4 cpqfcalm; No ImagePath
S4 dellcerc; No ImagePath
S4 elxstor; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S4 IntelIde; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S4 LMIRfsClientNP; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
S3 radpms; system32\DRIVERS\radpms.sys [X]
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
S1 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
U1 WS2IFSL; 
 
==================== NetSvcs (Whitelisted) ===================
 
NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
 
==================== One Month Created Files and Folders ========
 
2014-04-11 19:02 - 2014-04-11 19:03 - 00000000 ____D () C:\FRST
2014-04-11 18:59 - 2014-04-11 18:59 - 00003773 _____ () C:\Documents and Settings\dom\Desktop\RKreport[0]_D_04112014_185918.txt
2014-04-11 18:55 - 2014-04-11 18:55 - 00004022 _____ () C:\Documents and Settings\dom\Desktop\RKreport[0]_S_04112014_185510.txt
2014-04-11 18:48 - 2014-04-11 19:02 - 00000000 ____D () C:\Documents and Settings\dom\Desktop\RK_Quarantine
2014-04-11 18:43 - 2014-04-11 18:46 - 00002755 _____ () C:\Documents and Settings\dom\ovpntray.log
2014-04-11 18:42 - 2014-04-11 18:43 - 00018061 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-04-11 18:40 - 2014-04-11 18:40 - 00000000 ____D () C:\Program Files\OpenVPN Technologies
2014-04-11 18:38 - 2014-04-11 18:38 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-04-09 04:46 - 2014-04-11 18:42 - 00000000 ____D () C:\WINDOWS\LastGood
2014-04-09 04:46 - 2014-04-11 18:39 - 00014443 _____ () C:\WINDOWS\KB2922229.log
2014-04-09 04:46 - 2014-03-06 18:57 - 11113472 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET601.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 06021632 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5F9.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 02006016 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5FF.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 01216000 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5F4.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 00920064 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5F3.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 00630272 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5FB.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET600.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 00105984 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5F5.tmp
2014-04-09 04:46 - 2014-03-06 18:57 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\SET5FA.tmp
2014-03-24 23:54 - 2014-04-07 23:01 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-03-24 23:54 - 2014-04-07 10:21 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-03-24 23:54 - 2014-04-03 09:51 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-03-24 23:54 - 2014-04-03 09:50 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-03-17 10:08 - 2014-03-17 10:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2927811$
2014-03-17 10:07 - 2014-03-17 10:08 - 00004621 _____ () C:\WINDOWS\KB2927811.log
2014-03-17 10:07 - 2014-02-03 06:09 - 00220160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\kdcsvc.dll
2014-03-17 10:07 - 2014-02-03 06:09 - 00220160 _____ (Microsoft Corporation) C:\WINDOWS\system32\kdcsvc.dll
2014-03-16 11:32 - 2014-03-16 11:33 - 00011499 _____ () C:\WINDOWS\KB2925418-IE8.log
2014-03-16 11:32 - 2014-03-16 11:32 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2923392$
2014-03-16 11:31 - 2014-03-16 11:31 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-03-16 11:31 - 2014-03-16 11:31 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-03-12 13:47 - 2014-03-16 11:32 - 00009663 _____ () C:\WINDOWS\KB2923392.log
2014-03-12 13:47 - 2014-03-06 18:57 - 01216000 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
2014-03-12 13:47 - 2014-03-06 18:57 - 00920064 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
2014-03-12 13:47 - 2014-03-06 18:57 - 00105984 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
2014-03-12 13:47 - 2014-02-24 10:08 - 11113472 ____N (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2014-03-12 13:47 - 2014-02-24 10:08 - 01216000 ____N (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2014-03-12 13:47 - 2014-02-24 10:08 - 00920064 ____N (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2014-03-12 13:47 - 2014-02-24 10:08 - 00630272 ____N (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2014-03-12 13:47 - 2014-02-24 10:08 - 00105984 ____N (Microsoft Corporation) C:\WINDOWS\system32\url.dll
2014-03-12 13:47 - 2014-02-24 10:08 - 00055296 ____N (Microsoft Corporation) C:\WINDOWS\system32\msfeedsbs.dll
2014-03-12 13:46 - 2014-03-16 11:32 - 00009179 _____ () C:\WINDOWS\KB2929961.log
2014-03-12 13:46 - 2014-03-16 11:31 - 00009870 _____ () C:\WINDOWS\KB2930275.log
 
==================== One Month Modified Files and Folders =======
 
2014-04-11 19:03 - 2014-04-11 19:02 - 00000000 ____D () C:\FRST
2014-04-11 19:03 - 2013-11-26 23:51 - 00000000 ____D () C:\WINDOWS\CryptoGuard
2014-04-11 19:03 - 2009-12-10 15:23 - 00000438 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7FE6972-CF30-4D7F-A802-FD04466C7DBF}.job
2014-04-11 19:02 - 2014-04-11 18:48 - 00000000 ____D () C:\Documents and Settings\dom\Desktop\RK_Quarantine
2014-04-11 19:00 - 2013-08-02 14:36 - 00000000 ____D () C:\Program Files\Advanced Monitoring Agent
2014-04-11 18:59 - 2014-04-11 18:59 - 00003773 _____ () C:\Documents and Settings\dom\Desktop\RKreport[0]_D_04112014_185918.txt
2014-04-11 18:55 - 2014-04-11 18:55 - 00004022 _____ () C:\Documents and Settings\dom\Desktop\RKreport[0]_S_04112014_185510.txt
2014-04-11 18:51 - 2009-11-23 17:10 - 01777469 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-11 18:49 - 2009-11-23 16:53 - 00000000 ____D () C:\WINDOWS\system32\inetsrv
2014-04-11 18:48 - 2009-11-23 17:16 - 00002584 _____ () C:\WINDOWS\system32\licstr.cpa
2014-04-11 18:46 - 2014-04-11 18:43 - 00002755 _____ () C:\Documents and Settings\dom\ovpntray.log
2014-04-11 18:44 - 2009-11-24 11:14 - 00002536 _____ () C:\WINDOWS\system32\config\netlogon.dnb
2014-04-11 18:44 - 2009-11-24 11:14 - 00002379 _____ () C:\WINDOWS\system32\config\netlogon.dns
2014-04-11 18:43 - 2014-04-11 18:42 - 00018061 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-04-11 18:43 - 2009-12-30 20:30 - 00000000 ____D () C:\Documents and Settings\dom
2014-04-11 18:43 - 2009-11-23 16:57 - 04359597 _____ () C:\WINDOWS\iis6.log
2014-04-11 18:43 - 2009-11-23 16:57 - 02807934 _____ () C:\WINDOWS\FaxSetup.log
2014-04-11 18:43 - 2009-11-23 16:57 - 02168334 _____ () C:\WINDOWS\ocgen.log
2014-04-11 18:43 - 2009-11-23 16:57 - 01402806 _____ () C:\WINDOWS\msmqinst.log
2014-04-11 18:43 - 2009-11-23 16:57 - 01250624 _____ () C:\WINDOWS\tsoc.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00905043 _____ () C:\WINDOWS\comsetup.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00814524 _____ () C:\WINDOWS\setupapi.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00639758 _____ () C:\WINDOWS\ntdtcsetup.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00482346 _____ () C:\WINDOWS\netfxocm.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00415501 _____ () C:\WINDOWS\aspnetocm.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00293979 _____ () C:\WINDOWS\LicenOc.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00129654 _____ () C:\WINDOWS\certocm.log
2014-04-11 18:43 - 2009-11-23 16:57 - 00004861 _____ () C:\WINDOWS\imsins.log
2014-04-11 18:42 - 2014-04-09 04:46 - 00000000 ____D () C:\WINDOWS\LastGood
2014-04-11 18:42 - 2013-08-28 19:56 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-04-11 18:42 - 2009-12-10 14:54 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-04-11 18:42 - 2009-12-09 21:48 - 00315690 _____ () C:\WINDOWS\updspapi.log
2014-04-11 18:42 - 2009-11-23 16:57 - 02463636 _____ () C:\WINDOWS\uddisetup.log
2014-04-11 18:42 - 2009-11-23 16:53 - 00000000 ____D () C:\WINDOWS\system32\dhcp
2014-04-11 18:41 - 2009-12-11 18:04 - 00000000 _____ () C:\WINDOWS\system32\signal.txt
2014-04-11 18:40 - 2014-04-11 18:40 - 00000000 ____D () C:\Program Files\OpenVPN Technologies
2014-04-11 18:39 - 2014-04-09 04:46 - 00014443 _____ () C:\WINDOWS\KB2922229.log
2014-04-11 18:39 - 2009-12-10 14:52 - 88028728 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-04-11 18:39 - 2009-11-23 16:57 - 00004861 _____ () C:\WINDOWS\imsins.BAK
2014-04-11 18:38 - 2014-04-11 18:38 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-04-11 18:27 - 2012-05-14 11:27 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-04-11 13:57 - 2009-11-23 16:53 - 00000000 ____D () C:\WINDOWS\security
2014-04-11 12:09 - 2013-08-09 08:57 - 00086888 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2014-04-11 12:09 - 2013-08-09 08:57 - 00031560 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIport.dll
2014-04-11 12:09 - 2013-08-09 08:56 - 00085832 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2014-04-11 12:09 - 2012-04-20 11:57 - 00000000 ____D () C:\Program Files\LogMeIn
2014-04-11 12:00 - 2013-06-26 18:17 - 00000492 _____ () C:\WINDOWS\Tasks\ShadowCopyVolume{c81f564c-d04c-11e2-8853-806e6f6e6963}.job
2014-04-11 12:00 - 2013-06-26 18:16 - 00000492 _____ () C:\WINDOWS\Tasks\ShadowCopyVolume{c81f564b-d04c-11e2-8853-806e6f6e6963}.job
2014-04-11 08:00 - 2011-11-07 23:53 - 00000248 _____ () C:\WINDOWS\Tasks\StartOpenERP daiy.job
2014-04-11 07:27 - 2009-11-23 17:15 - 00032414 _____ () C:\WINDOWS\Tasks\SchedLgU.Txt
2014-04-11 06:08 - 2013-08-02 14:59 - 00000000 ____D () C:\WINDOWS\Patches
2014-04-10 23:00 - 2011-08-10 23:19 - 00000254 _____ () C:\WINDOWS\Tasks\OpenERP Backup.job
2014-04-10 22:57 - 2013-11-26 23:51 - 00000000 ____D () C:\Program Files\HitmanPro.Alert
2014-04-10 20:00 - 2012-05-18 09:49 - 00000250 _____ () C:\WINDOWS\Tasks\D drive robocopy.job
2014-04-10 20:00 - 2010-03-26 22:25 - 00000000 ____D () C:\WINDOWS\system32\CertLog
2014-04-10 20:00 - 2009-11-24 11:09 - 00000000 ____D () C:\WINDOWS\NTDS
2014-04-10 20:00 - 2009-11-23 16:53 - 00000000 ____D () C:\WINDOWS\repair
2014-04-07 23:01 - 2014-03-24 23:54 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-07 10:29 - 2011-10-04 10:17 - 00000000 ____D () C:\Documents and Settings\dom\Application Data\Dropbox
2014-04-07 10:25 - 2009-11-23 16:57 - 01510940 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-04-07 10:21 - 2014-03-24 23:54 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-03 18:05 - 2011-10-04 10:22 - 00000000 ___RD () C:\Documents and Settings\dom\My Documents\Dropbox
2014-04-03 14:46 - 2009-11-23 16:53 - 00000000 ____D () C:\WINDOWS\system32\ias
2014-04-03 14:42 - 2009-11-23 17:09 - 00000000 ____D () C:\WINDOWS\Registration
2014-04-03 14:39 - 2009-11-24 17:52 - 00041859 _____ () C:\WINDOWS\system32\hmdebug.log
2014-04-03 14:39 - 2009-11-23 16:53 - 00000000 ____D () C:\WINDOWS\system32\wins
2014-04-03 14:38 - 2009-11-26 11:20 - 00051282 _____ () C:\WINDOWS\StorShMem-512-0-evt
2014-04-03 14:37 - 2011-11-07 23:51 - 00000248 _____ () C:\WINDOWS\Tasks\StartOpenERP.job
2014-04-03 14:37 - 2009-11-23 17:15 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-04-03 14:36 - 2009-11-23 17:15 - 00264866 _____ () C:\WINDOWS\PFRO.log
2014-04-03 14:32 - 2011-07-24 22:03 - 00000178 ___SH () C:\Documents and Settings\postgres\ntuser.ini
2014-04-03 14:32 - 2009-12-30 20:30 - 00000178 ___SH () C:\Documents and Settings\dom\ntuser.ini
2014-04-03 14:32 - 2009-11-24 11:10 - 00065536 _____ () C:\WINDOWS\system32\config\DnsEvent.Evt
2014-04-03 14:32 - 2009-11-24 11:09 - 00524288 _____ () C:\WINDOWS\system32\config\NTDS.Evt
2014-04-03 14:32 - 2009-11-24 11:09 - 00065536 _____ () C:\WINDOWS\system32\config\NtFrs.Evt
2014-04-03 13:38 - 2009-11-23 16:17 - 00003986 _____ () C:\WINDOWS\win.ini
2014-04-03 13:38 - 2009-11-23 16:17 - 00000227 _____ () C:\WINDOWS\system.ini
2014-04-03 09:52 - 2013-11-26 23:51 - 00472400 _____ (SurfRight) C:\WINDOWS\system32\hmpalert.dll
2014-04-03 09:52 - 2013-11-26 23:51 - 00075104 _____ () C:\WINDOWS\system32\Drivers\hmpalert.sys
2014-04-03 09:51 - 2014-03-24 23:54 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-03 09:50 - 2014-03-24 23:54 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-04-03 03:44 - 2009-11-23 16:18 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-04-02 20:39 - 2012-01-09 15:09 - 00000000 ____D () C:\Documents and Settings\dom\Application Data\KeePass
2014-04-01 03:45 - 2009-12-14 04:03 - 00000000 ____D () C:\WINDOWS\SxsCaPendDel
2014-03-24 10:02 - 2012-05-14 11:27 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-03-24 10:02 - 2012-05-14 11:27 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-03-17 19:56 - 2012-05-14 11:32 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-17 10:08 - 2014-03-17 10:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2927811$
2014-03-17 10:08 - 2014-03-17 10:07 - 00004621 _____ () C:\WINDOWS\KB2927811.log
2014-03-17 10:08 - 2014-01-12 20:24 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-16 18:14 - 2009-11-23 16:57 - 00129296 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-03-16 11:33 - 2014-03-16 11:32 - 00011499 _____ () C:\WINDOWS\KB2925418-IE8.log
2014-03-16 11:32 - 2014-03-16 11:32 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2923392$
2014-03-16 11:32 - 2014-03-12 13:47 - 00009663 _____ () C:\WINDOWS\KB2923392.log
2014-03-16 11:32 - 2014-03-12 13:46 - 00009179 _____ () C:\WINDOWS\KB2929961.log
2014-03-16 11:31 - 2014-03-16 11:31 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-03-16 11:31 - 2014-03-16 11:31 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-03-16 11:31 - 2014-03-12 13:46 - 00009870 _____ () C:\WINDOWS\KB2930275.log
 
Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\applnch.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\dom\Local Settings\Temp\applnch.exe
C:\Documents and Settings\dom\Local Settings\Temp\hmpalert_update.exe
C:\Documents and Settings\dom\Local Settings\Temp\install_flashplayer12x32ax_aaa_aih[1].exe
C:\Documents and Settings\dom\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\dom\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\dom\Local Settings\Temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\dom\Local Settings\Temp\ntdll_dump.dll
C:\Documents and Settings\fsit.admin\Local Settings\Temp\mpegc.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\WINDOWS\explorer.exe
[2009-12-09 21:39] - [2007-02-17 15:03] - 1053184 ____A (Microsoft Corporation) A26C39540F8BE3729846E360E2C57344
 
C:\WINDOWS\system32\winlogon.exe
[2009-12-09 21:40] - [2007-02-17 15:04] - 0528384 ____A (Microsoft Corporation) B4AA8AE0F18E5DFCF99A671A181D3EDC
 
C:\WINDOWS\system32\svchost.exe
[2009-12-09 21:39] - [2007-02-17 15:04] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682
 
C:\WINDOWS\system32\services.exe
[2009-11-23 16:17] - [2009-02-03 12:07] - 0113152 ____A (Microsoft Corporation) CF500580CDD83B145646A4DCFCE1CF3C
 
C:\WINDOWS\system32\User32.dll
[2009-12-09 21:10] - [2007-03-02 07:38] - 0583680 ____A (Microsoft Corporation) 1959150096B010BA953A78B0D6B0B4E4
 
C:\WINDOWS\system32\userinit.exe
[2009-11-23 16:17] - [2007-02-17 15:04] - 0026112 ____A (Microsoft Corporation) B5FEB3B971A8B8C81CE9DE65031A87E5
 
C:\WINDOWS\system32\rpcss.dll
[2009-12-09 21:10] - [2009-02-09 12:02] - 0486912 ____A (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys
[2013-06-26 13:23] - [2012-08-21 13:54] - 0159232 ____A (Microsoft Corporation) B87BE539F8C1C16A0A80E57EC702408E
 
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
 
==================== End Of Log ============================

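Triage of a log like the one above can be scripted rather than read line by line. The following Python is an added example, not code from this thread or from FRST: it parses the "Bamital & volsnap Check" entries, the "IS MISSING" line and the "[X]" / "No ImagePath" service entries from a constructed excerpt of the log above, and compares the recorded MD5s with a known-good table that is a placeholder here (a real one is built from a clean install of the same Windows build and patch level).

```python
"""Triage helpers for the FRST.txt log format shown above (added example, not
part of the thread or of FRST; KNOWN_GOOD is a constructed placeholder)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the FRST log; the lines are copied from the log above.
SAMPLE_LOG = r"""R2 WINS; C:\WINDOWS\System32\wins.exe [158720 2011-08-10] (Microsoft Corporation)
R2 Eventlog;  [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
S4 adpu320; No ImagePath

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe
[2009-12-09 21:39] - [2007-02-17 15:03] - 1053184 ____A (Microsoft Corporation) A26C39540F8BE3729846E360E2C57344

C:\WINDOWS\system32\rpcss.dll
[2009-12-09 21:10] - [2009-02-09 12:02] - 0486912 ____A (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================
"""

# Placeholder allowlist (lower-cased path -> MD5): explorer.exe reuses the hash
# recorded in the log, rpcss.dll deliberately differs to show a mismatch.
KNOWN_GOOD = {
    r"c:\windows\explorer.exe": "A26C39540F8BE3729846E360E2C57344",
    r"c:\windows\system32\rpcss.dll": "00000000000000000000000000000000",
}

# "[mtime] - [ctime] - size attrs (company) MD5" detail line of the Bamital block
DETAIL_RE = re.compile(
    r"^\[(?P<mtime>[^\]]+)\] - \[(?P<ctime>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# "R2 Name; <image path, or [X] / No ImagePath when FRST cannot find the binary>"
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); ?(?P<rest>.*)$")


@dataclass
class FileCheck:
    path: str
    size: int
    company: str
    md5: str


def parse_file_checks(log: str) -> list[FileCheck]:
    """Pair each path line of the Bamital & volsnap block with its detail line."""
    lines = log.splitlines()
    checks = []
    for i in range(len(lines) - 1):
        path = lines[i].strip()
        if not re.match(r"^[A-Za-z]:\\", path) or " IS MISSING" in path:
            continue
        m = DETAIL_RE.match(lines[i + 1].strip())
        if m:
            checks.append(FileCheck(path, int(m["size"]), m["company"], m["md5"].upper()))
    return checks


def find_missing_files(log: str) -> list[str]:
    """Files FRST flags as 'IS MISSING' (here the code-integrity boot catalog)."""
    return [ln.split(" IS MISSING")[0].strip() for ln in log.splitlines() if " IS MISSING" in ln]


def find_broken_services(log: str) -> list[tuple[str, str]]:
    """Services/drivers whose binary FRST could not resolve: '[X]' or 'No ImagePath'."""
    broken = []
    for ln in log.splitlines():
        m = SERVICE_RE.match(ln)
        if m:
            rest = m["rest"].strip()
            if rest.endswith("[X]") or rest == "No ImagePath":
                broken.append((m["name"], rest))
    return broken


def verify_hashes(checks: list[FileCheck], known_good: dict[str, str]) -> list[tuple[str, str, str]]:
    """Classify each checked file as 'ok', 'MISMATCH' or 'unknown' against the allowlist."""
    results = []
    for c in checks:
        expected = known_good.get(c.path.lower())
        status = "unknown" if expected is None else ("ok" if c.md5 == expected.upper() else "MISMATCH")
        results.append((c.path, c.md5, status))
    return results
```

The "unknown" and "MISMATCH" results are the hashes worth looking up, which is the check the log's own ATTENTION line asks for; the missing boot catalog and the unresolved service entries are reported separately so they are not lost in the file listing.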

#7 dbitalia

dbitalia
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 11 April 2014 - 01:16 PM

Addition.txt log file attached

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:56 PM

Posted 12 April 2014 - 08:03 AM

Will reply soon.

Edited by nasdaq, 12 April 2014 - 08:16 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:56 PM

Posted 12 April 2014 - 08:52 AM

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    tdss1.png
  • Click Change parameters
    settings20121003115955.png
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    tdss3.png
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    tdss4.jpg
  • When it finishes, you will either see a report that no threats were found like below:
    tdss5.jpg
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    tdss7.jpg
  • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
  • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
  • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
  • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.

  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    tdss6.jpg
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    ntdll.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===
 

Could not list Restore Points. Check "winmgmt" service or repair WMI.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Download this program to your desktop.
Tweaking.com - Windows Repair
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/


Extract and launch the Repair_Windows.exe file

Click on the Start repairs tab, then click on Start

Check mark the following options only.

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair MDAC & MS Jet
Remove Policies Set By Infections
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
Repair CD/DVD Missing/Not Working
  • Checkmark Restart System When Finished option
  • click the Start button
  • System should restart after repair
This is something that we will have to look at.
 

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
