HijackThis log for analysis


This topic is locked
5 replies to this topic

#1 KaiserGuy
Posted 03 August 2016 - 12:36 PM

We are getting a few thousand failed logins on our school's domain controller to generic account names like administrator, admin, dentrix, john, etc. However, I cannot seem to identify the source for most of the attempts, even after turning on failed login auditing. I'm suspicious that they are originating on the server itself. I've run scans with HerdProtect, Malwarebytes Anti-Malware, and Bitdefender. Next week when I'm onsite I'll reboot into safe mode and run Norton Power Eraser, McAfee Stinger, Malwarebytes Anti-Malware, and HerdProtect again. Until then, perhaps the community could review the HijackThis log and provide some insight.

Attached Files



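The question in the post above is how to attribute a few thousand failed logons on a Windows Server 2012 domain controller to their source, and in particular whether they originate on the server itself. One thing that makes this hard on a DC is that password guessing against domain accounts from other hosts is not recorded as 4625 at all: it shows up as Account Logon events (4768/4771 for Kerberos, 4776 for NTLM), and 4625 only covers logons attempted against the DC itself (RDP, SMB, IIS basic auth, console). The PowerShell script below is an added example and is not part of the original post or of any tool mentioned in it. It assumes an elevated session on the DC, that Failure auditing is enabled for the Logon, Kerberos Authentication Service and Credential Validation subcategories, and the `$Hours` and `$Computer` parameters are the example's own. It pulls all four event IDs from the Security log, parses each event's XML payload by field name, and groups the attempts by source address, workstation name, logon type and calling process, then isolates the ones whose origin is the DC itself.

```powershell
# Added example (not from the original post or from any tool it mentions).
# Summarise failed-logon sources on a Windows Server 2012 domain controller.
# Run in an elevated PowerShell session on the DC. Four event IDs are read because,
# on a DC, a password-guessing source can surface in any of them:
#   4625  logon failure on this host itself (RDP, SMB, IIS basic auth, console, ...)
#   4768  Kerberos TGT request; a non-zero Status (e.g. 0x6) means unknown account
#   4771  Kerberos pre-authentication failed for an existing account (bad password)
#   4776  NTLM credential validation failed (carries only a workstation name, no IP)
# Assumption: Failure auditing is enabled for the "Logon", "Kerberos Authentication
# Service" and "Credential Validation" subcategories (checked with auditpol below).
param(
    [int]$Hours = 24,                       # lookback window (example parameter)
    [string]$Computer = $env:COMPUTERNAME   # DC to query, local by default (example parameter)
)

"== Audit policy (each line needs Failure enabled) =="
& auditpol.exe /get '/subcategory:Logon,Kerberos Authentication Service,Credential Validation'

# Event ID -> EventData field names holding the account, origin and result code.
$map = @{
    4625 = @{ User = 'TargetUserName'; Ip = 'IpAddress'; Ws = 'WorkstationName'; Code = 'SubStatus' }
    4768 = @{ User = 'TargetUserName'; Ip = 'IpAddress'; Ws = $null;             Code = 'Status'    }
    4771 = @{ User = 'TargetUserName'; Ip = 'IpAddress'; Ws = $null;             Code = 'Status'    }
    4776 = @{ User = 'TargetUserName'; Ip = $null;       Ws = 'Workstation';     Code = 'Status'    }
}
# Documented NTSTATUS (4625/4776) and Kerberos (4768/4771) result codes.
$reason = @{
    '0xc0000064' = 'no such user';  '0xc000006a' = 'bad password'
    '0xc0000234' = 'locked out';    '0xc0000072' = 'account disabled'
    '0x6' = 'no such user (KDC)';   '0x18' = 'bad password (KDC)';   '0x12' = 'locked/disabled (KDC)'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4768, 4771, 4776; StartTime = $since
}

$rows = foreach ($e in $events) {
    # Read the XML payload by field name rather than positional index, so the same
    # code handles the different property layouts of the four event types.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $m    = $map[[int]$e.Id]
    $code = ([string]$data[$m.Code]).ToLower()
    if ($e.Id -eq 4768 -and $code -eq '0x0') { continue }   # successful TGT request, not a failure
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        User       = $data[$m.User]
        SourceIp   = if ($m.Ip) { $data[$m.Ip] } else { '-' }   # Kerberos shows IPv4 as ::ffff:a.b.c.d
        SourceHost = if ($m.Ws) { $data[$m.Ws] } else { '-' }
        LogonType  = if ($e.Id -eq 4625) { $data['LogonType'] }   else { '-' }
        Process    = if ($e.Id -eq 4625) { $data['ProcessName'] } else { '-' }
        Reason     = if ($reason.ContainsKey($code)) { $reason[$code] } else { $code }
    }
}

"== Attempts per source (IP / workstation / logon type / process) =="
$rows | Group-Object SourceIp, SourceHost, LogonType, Process |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"== Most-targeted account names =="
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

"== Failure reasons =="
$rows | Group-Object Reason | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# The question in the thread: are the attempts generated on the DC itself? A loopback
# or empty source address, or a workstation name equal to the DC's own name, says yes;
# for 4625 rows the Process column then names the binary that made the attempt.
$localIps = '-', '127.0.0.1', '::1', '::ffff:127.0.0.1'
$onHost = $rows | Where-Object { ($_.SourceIp -in $localIps) -or ($_.SourceHost -eq $Computer) }
"Local-origin attempts: {0} of {1}" -f @($onHost).Count, @($rows).Count
$onHost | Group-Object EventId, LogonType, Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Reading the output: if the first grouping is dominated by one LAN address, the guessing comes from that client and the DC is only the target. If the local-origin count is most of the total, the 4625 rows' Process column (for example a scheduled task, a service binary or a web worker process) points at what on the server is making the attempts; 4776 rows give only a workstation name, so an NTLM-based source on the DC will appear under the DC's own name with no process, and the next step is to correlate their timestamps with process creation events or a Sysmon-style process log. Names such as "dentrix" or "john" that do not exist in the domain produce 4768 with 0x6 or 4625 with 0xC0000064 rather than 4771, which is why the script does not rely on 4771 alone.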
#2 nasdaq

Posted 08 August 2016 - 08:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Sorry for this long delay.

HijackThis is no longer supported.
I suggest you remove it via Control Panel > Programs > Programs and Features.
Use the Farbar tool suggested below from now on to report problems.
<<<>>>

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Please post the logs for my review.

#3 KaiserGuy

Posted 08 August 2016 - 11:16 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-08-2016
Ran by Administrator (administrator) on MSS-SERV (08-08-2016 12:07:10)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: amandabackup & TreystaRMM & Administrator & MSSQL$MICROSOFT##WID (Available Profiles: lfolden & amandabackup & TreystaRMM & Administrator & MSSQL$MICROSOFT##WID & .NET v4.5 & .NET v4.5 Classic)
Platform: Windows Server 2012 Standard (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(SolarWinds N-Able) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService\BASupSrvcUpdater.exe
(Solarwinds N-able) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcUpdater.exe
(SolarWinds N-Able) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService\BASupSrvc.exe
(Solarwinds N-able) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_service.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Kurzweil Educational Systems, Inc.) C:\Program Files (x86)\Kurzweil Educational Systems\Kurzweil 3000 Network\Kurzweil 3000 Network Engine.exe
(SafeNet, Inc.) C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
(SafeNet, Inc) C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Microsoft Corporation) C:\Windows\WID\Binn\sqlwriter.exe
(Microsoft Corporation) C:\Windows\System32\WINS.EXE
(Microsoft Corporation) C:\Program Files\Update Services\Services\WsusService.exe
() C:\Program Files\Carbonite\Carbonite Server Backup(x64)\bin\ZCBService.exe
() C:\Program Files\Carbonite\Carbonite Server Backup(x64)\Database\bin\mysqld.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\WID\Binn\sqlservr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_comm_customer.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_system_customer.exe
() C:\Program Files\Carbonite\Carbonite Server Backup(x64)\bin\ZWCService.exe
(Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
(GFI Software Development Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent\patchman\11\lnssatt.exe
(Managed Online Backup) C:\Program Files\Backup Manager\ProcessController.exe
(LogicNow Ltd) C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\ManagedAntivirus.exe
(OPSWAT, Inc.) C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\32bitProxy.exe
(Bitdefender) C:\Program Files\Managed Antivirus\Managed Antivirus Engine\Managed Antivirus\Managed Antivirus\EndpointService.exe
(Bitdefender) C:\Program Files\Managed Antivirus\Managed Antivirus Engine\Managed Antivirus\Managed Antivirus\UpdateService.exe
(Bitdefender) C:\Program Files\Common Files\Managed Antivirus\Endpoint Agent\epag.exe
(Bitdefender) C:\Program Files\Managed Antivirus\Managed Antivirus Engine\Managed Antivirus\Managed Antivirus\EndpointIntegration.exe
(Remote Monitoring) C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
() C:\Program Files (x86)\Advanced Monitoring Agent\FmPlugin\fmplugin.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(GFI Software Development Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent\patchman\11\mantle.exe
(LogicNow Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent\concentrator\concentrator.exe
(N-able Technologies Inc.) C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe
(N-able Technologies Inc.) C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\WSPMaint.exe
(N-able Technologies Inc.) C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\NableUpdateService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_user_customer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(Managed Online Backup) C:\Program Files\Backup Manager\BackupFP.exe
(LogicNow Ltd) C:\Program Files\Advanced Monitoring Agent Network Management\NetworkManagement.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
() C:\Program Files\Carbonite\Carbonite Server Backup(x64)\bin\CloudController.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [BrStsWnd] => C:\Program Files (x86)\Brownie\BrstsW64.exe [3697776 2012-06-21] (brother)
HKLM-x32\...\Run: [BASupSrvcCnfg] => C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService\BASupSrvcCnfg.exe [4845752 2015-10-14] (SolarWinds N-Able)
HKLM-x32\...\Run: [BASupSrvcCnfg_N-Central] => C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcCnfg.exe [4985128 2016-07-05] (Solarwinds N-able)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe [3219456 2016-07-30] (Malwarebytes)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_winlogonx64.dll (Citrix Systems, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Update Concourse.lnk [2015-03-07]
ShortcutTarget: Update Concourse.lnk -> C:\Book Systems, Inc\Concourse\ConcUpdt.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Update eZcat.lnk [2014-09-26]
ShortcutTarget: Update eZcat.lnk -> C:\Book Systems, Inc\eZcat\eZcUpdt.exe ()
BootExecute: autocheck autochk /q /v * 
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{684CA7D1-7D6B-4A2A-AC4A-C02DB87E90A0}: [NameServer] 192.168.4.34
 
Internet Explorer:
==================
HKU\S-1-5-21-3759757598-1360964531-964755638-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://sites.google.com/a/mothersetonschool.org/technology
URLSearchHook: [S-1-5-21-3759757598-1360964531-964755638-1620] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3759757598-1360964531-964755638-1800] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534] ATTENTION => Default URLSearchHook is missing
IE Session Restore: HKU\S-1-5-21-3759757598-1360964531-964755638-500 -> is enabled.
 
FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9bq9eayc.default
FF DefaultSearchEngine.US: Google
FF Homepage: www.google.com
FF Plugin-x32: @vmware.com/vmrc,version=5.1.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.1\Firefox\np-vmware-vmrc.dll [2012-07-13] (VMware, Inc.)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Advanced Monitoring Agent; C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe [8790016 2016-07-14] (Remote Monitoring) [File not signed]
R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [478720 2013-04-09] (Microsoft Corporation)
R2 Backup Service Controller; C:\Program Files\Backup Manager\ProcessController.exe [3461832 2016-05-30] (Managed Online Backup)
R2 BASupportExpressSrvcUpdater; C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService\BASupSrvcUpdater.exe [1091224 2015-10-14] (SolarWinds N-Able)
R2 BASupportExpressSrvcUpdater_N_Central; C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcUpdater.exe [1147144 2016-07-05] (Solarwinds N-able)
R2 BASupportExpressStandaloneService; C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService\BASupSrvc.exe [3670168 2015-10-14] (SolarWinds N-Able)
R2 BASupportExpressStandaloneService_N_Central; C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe [3813128 2016-07-05] (Solarwinds N-able)
R2 Dfs; C:\Windows\system32\dfssvc.exe [398848 2012-07-25] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4724736 2012-07-25] (Microsoft Corporation)
R2 DHCPServer; C:\Windows\System32\dhcpssvc.dll [1110528 2013-12-30] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [1537536 2016-05-12] (Microsoft Corporation)
S3 DsRoleSvc; C:\Windows\system32\dsrolesrv.dll [388096 2012-07-25] (Microsoft Corporation)
R2 EndpointIntegration; C:\Program Files\Managed Antivirus\Managed Antivirus Engine\Managed Antivirus\Managed Antivirus\EndpointIntegration.exe [398480 2015-11-26] (Bitdefender)
R2 EndpointService; C:\Program Files\Managed Antivirus\Managed Antivirus Engine\Managed Antivirus\Managed Antivirus\EndpointService.exe [398480 2015-11-26] (Bitdefender)
R2 epag; C:\Program Files\Common Files\Managed Antivirus\Endpoint Agent\epag.exe [3749304 2016-02-11] (Bitdefender)
R2 gfi_lanss11_attservice; C:\Program Files (x86)\Advanced Monitoring Agent\patchman\11\lnssatt.exe [167024 2015-01-30] (GFI Software Development Ltd.)
R2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_service.exe [610528 2016-05-03] (Citrix Systems, Inc.)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [16384 2012-07-25] (Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2012-07-25] (Microsoft Corporation)
R2 Kdc; C:\Windows\system32\kdcsvc.dll [473600 2015-06-20] (Microsoft Corporation)
S3 KdsSvc; C:\Windows\system32\KdsSvc.dll [36352 2012-07-25] (Microsoft Corporation)
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [171520 2012-07-25] (Microsoft Corporation)
R2 Kurzweil 3000 Network Engine; C:\Program Files (x86)\Kurzweil Educational Systems\Kurzweil 3000 Network\Kurzweil 3000 Network Engine.exe [360304 2011-11-09] (Kurzweil Educational Systems, Inc.)
R2 ManagedAntivirus; C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\ManagedAntivirus.exe [358040 2016-07-14] (LogicNow Ltd)
R2 MSSQL$MICROSOFT##WID; C:\Windows\WID\Binn\sqlservr.exe [191064 2012-06-02] (Microsoft Corporation)
R2 NablePatchRepositoryService; C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\NableUpdateService.exe [128440 2016-07-19] (N-able Technologies Inc.)
R2 NetworkManagement; C:\Program Files\Advanced Monitoring Agent Network Management\NetworkManagement.exe [272024 2016-08-02] (LogicNow Ltd)
R2 NTDS; C:\Windows\system32\ntdsa.dll [138240 2012-07-25] (Microsoft Corporation)
S4 NtFrs; C:\Windows\system32\ntfrs.exe [1001472 2012-07-25] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [95232 2012-07-25] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83456 2012-07-25] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [15872 2012-07-25] (Microsoft Corporation)
R2 SentinelKeysServer; C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [316992 2007-04-27] (SafeNet, Inc.)
R2 SentinelProtectionServer; C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe [206400 2007-04-27] (SafeNet, Inc)
R2 SNMP; C:\Windows\System32\snmp.exe [50688 2012-07-25] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [45056 2012-07-25] (Microsoft Corporation)
S3 SrmReports; C:\Windows\system32\srmhost.exe [140800 2012-07-25] (Microsoft Corporation)
R2 SrmSvc; C:\Windows\system32\srmsvc.dll [5951488 2013-06-01] (Microsoft Corporation)
R2 svcDrydock; C:\Program Files (x86)\Advanced Monitoring Agent\concentrator\concentrator.exe [2418176 2015-07-02] (LogicNow Ltd.) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [6886160 2015-12-14] (TeamViewer GmbH)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [241664 2014-09-13] (Microsoft Corporation)
R2 UpdateService; C:\Program Files\Managed Antivirus\Managed Antivirus Engine\Managed Antivirus\Managed Antivirus\UpdateService.exe [398480 2015-11-26] (Bitdefender)
R3 WIDWriter; C:\Windows\WID\Binn\sqlwriter.exe [129624 2012-06-02] (Microsoft Corporation)
S2 Windows Agent Maintenance Service; C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AgentMaint.exe [217528 2016-07-19] (N-able Technologies Inc.)
S2 Windows Agent Service; C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe [322488 2016-07-19] (N-able Technologies Inc.)
R2 Windows Software Probe Maintenance Service; C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\WSPMaint.exe [217528 2016-07-19] (N-able Technologies Inc.)
R2 Windows Software Probe Service; C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe [307128 2016-07-19] (N-able Technologies Inc.)
S3 Windows Software Probe Syslog Service; C:\Program Files (x86)\N-able Technologies\Windows Software Probe\syslog\nsyslog.exe [61440 2016-07-19] () [File not signed]
R2 WINS; C:\Windows\System32\wins.exe [275968 2012-07-25] (Microsoft Corporation)
S3 WSusCertServer; C:\Program Files\Update Services\Services\WSusCertServer.exe [64512 2012-07-25] (Microsoft Corporation)
R2 WsusService; C:\Program Files\Update Services\Services\WsusService.exe [17920 2012-07-26] (Microsoft Corporation)
R2 ZCBService; C:\Program Files\Carbonite\Carbonite Server Backup(x64)\bin\ZCBService.exe [33824 2014-04-03] ()
R2 ZWC-Database; C:\Program Files\Carbonite\Carbonite Server Backup(x64)\Database\bin\mysqld.exe [10353176 2014-04-03] ()
R2 ZWCService; C:\Program Files\Carbonite\Carbonite Server Backup(x64)\bin\ZWCService.exe [286240 2014-04-03] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1622512 2016-01-22] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [806344 2016-01-22] (BitDefender)
S0 BDElam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
S0 bfad; C:\Windows\System32\drivers\bfad.sys [1963760 2012-07-26] (Brocade Communications Systems, Inc.)
S0 bfadfcoe; C:\Windows\System32\drivers\bfadfcoe.sys [1964272 2012-07-26] (Brocade Communications Systems, Inc.)
R2 BrPar; C:\Windows\System32\drivers\BrPar64a.sys [30528 2006-11-06] (Brother Industries Ltd.)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [186096 2012-07-26] (Broadcom Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [564976 2012-07-26] (Broadcom Corporation)
R0 Cbafilt; C:\Windows\System32\drivers\cbafilt.sys [45808 2012-07-26] (Microsoft Corporation)
R3 ChangeTracker; C:\Windows\System32\drivers\ChangeTracker.sys [27272 2016-05-30] (Windows ® Win 7 DDK provider)
R0 Datascrn; C:\Windows\System32\drivers\datascrn.sys [80624 2012-07-26] (Microsoft Corporation)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [55024 2012-07-26] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66800 2012-07-26] (Microsoft Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2012-09-20] (Broadcom Corporation)
U0 ebskn; C:\Windows\System32\drivers\qnjr.sys [79064 2016-07-30] (Malwarebytes)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [699632 2012-07-26] (Emulex)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [161592 2015-07-21] (BitDefender LLC)
S3 MsLbfoProvider; C:\Windows\system32\DRIVERS\MsLbfoProvider.sys [99840 2013-07-01] (Microsoft Corporation)
U0 ougd; C:\Windows\System32\drivers\ojppff.sys [79064 2016-07-30] (Malwarebytes)
R0 Quota; C:\Windows\System32\drivers\quota.sys [174832 2012-07-26] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [94448 2012-07-26] (Microsoft Corporation)
S3 smbdirect; C:\Windows\System32\DRIVERS\smbdirect.sys [131072 2014-02-26] (Microsoft Corporation)
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [477272 2015-06-02] (BitDefender S.R.L.)
S3 WinNat; C:\Windows\System32\drivers\winnat.sys [109056 2013-06-28] (Microsoft Corporation)
S3 wtlmdrv; C:\Windows\System32\drivers\wtlmdrv.sys [31232 2012-07-25] (Microsoft Corporation)
S3 HWiNFO32; \??\C:\Windows\TEMP\HWiNFO64A.SYS [X]
S3 KAPFA; \??\C:\Windows\system32\drivers\KAPFA.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-08 12:07 - 2016-08-08 12:08 - 00018637 _____ C:\Users\Administrator\Downloads\FRST.txt
2016-08-08 12:05 - 2016-08-08 12:07 - 00000000 ____D C:\FRST
2016-08-08 12:05 - 2016-08-08 12:05 - 02393600 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2016-08-08 11:54 - 2016-08-08 11:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808135450
2016-08-08 09:54 - 2016-08-08 09:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808115450
2016-08-08 07:54 - 2016-08-08 07:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808095450
2016-08-08 05:54 - 2016-08-08 05:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808075450
2016-08-08 03:54 - 2016-08-08 03:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808055450
2016-08-08 01:54 - 2016-08-08 01:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808035450
2016-08-07 23:54 - 2016-08-07 23:54 - 00003686 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160808015450
2016-08-07 21:54 - 2016-08-07 21:54 - 00003660 _____ C:\Windows\System32\Tasks\mss-serv+Test_20160807235448
2016-08-03 13:19 - 2016-08-03 13:19 - 00388608 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\HijackThis.exe
2016-07-30 15:42 - 2016-07-30 15:42 - 00079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\ojppff.sys
2016-07-30 11:26 - 2016-07-30 11:26 - 00079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\qnjr.sys
2016-07-29 20:00 - 2016-08-01 00:02 - 00014348 _____ C:\Users\Public\ConnectLog.txt
2016-07-29 18:38 - 2016-08-03 12:32 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-07-28 16:43 - 2016-07-28 16:43 - 00000087 _____ C:\Users\Administrator\AppData\Local\Temp\guninst.bat
2016-07-28 16:43 - 2006-06-07 05:30 - 00021019 _____ C:\Users\Administrator\AppData\Local\Temp\guninst.exe
2016-07-28 16:14 - 2016-07-28 16:50 - 00000000 ____D C:\Windows\system32\appmgmt
2016-07-28 16:13 - 2016-07-28 16:13 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\{D8F70D58-4629-46D9-AFD3-30C78C7AB1E2}
2016-07-28 15:29 - 2016-07-28 15:29 - 22851472 _____ (Malwarebytes ) C:\Users\Administrator\Downloads\mbam-setup-2.2.1.1043(1).exe
2016-07-28 15:22 - 2016-07-30 16:06 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-07-28 15:22 - 2016-07-30 15:43 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-07-28 15:22 - 2016-07-28 15:22 - 00001062 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-28 15:22 - 2016-07-28 15:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-28 15:22 - 2016-07-28 15:22 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-28 15:22 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-07-28 15:22 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-07-28 15:22 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-07-28 15:21 - 2016-07-28 15:21 - 22851472 _____ (Malwarebytes ) C:\Users\Administrator\Downloads\mbam-setup-2.2.1.1043.exe
2016-07-28 15:21 - 2016-07-28 15:21 - 02873112 _____ (Reason Company Software Inc.) C:\Users\Administrator\Downloads\herdProtectScan_Setup.exe
2016-07-28 15:21 - 2016-07-28 15:21 - 00001113 _____ C:\Users\Public\Desktop\herdProtect.lnk
2016-07-28 15:21 - 2016-07-28 15:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\herdProtect
2016-07-28 15:21 - 2016-07-28 15:21 - 00000000 ____D C:\Program Files\Reason
2016-07-28 12:26 - 2016-07-28 12:27 - 00025376 _____ C:\Users\Administrator\AppData\Local\Temp\tmp57EB.tmp
2016-07-28 12:26 - 2016-07-28 12:27 - 00001617 _____ C:\Users\Administrator\AppData\Local\Temp\tmp57DA.xml
2016-07-28 12:26 - 2016-07-28 12:26 - 00000000 _____ C:\Users\Administrator\AppData\Local\Temp\tmp57DA.tmp
2016-07-28 12:06 - 2016-07-28 12:06 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\TeamViewer
2016-07-28 12:00 - 2016-07-28 12:00 - 00000931 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11 Host.lnk
2016-07-28 11:59 - 2016-08-03 13:48 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-07-25 23:40 - 2016-07-25 23:44 - 00000000 ____D C:\Users\TreystaRMM\AppData\Local\Temp\{62ED7C1E-22BE-47D0-A95A-783FF6E33A6B}
2016-07-25 23:40 - 2016-07-25 23:44 - 00000000 ____D C:\Users\TreystaRMM\AppData\Local\Temp\{177E39C2-23D3-4FE5-889C-6B2E4A0C665B}
2016-07-25 01:56 - 2016-07-25 01:56 - 00000000 _____ C:\Users\amandabackup\AppData\Local\Temp\OpenMarkup1469426207357.log.lck
2016-07-21 17:19 - 2016-08-08 08:12 - 00101087 _____ C:\Users\TreystaRMM\AppData\Local\Temp\GenericFiles.xml
2016-07-19 09:52 - 2016-07-19 09:52 - 00245766 _____ C:\ProgramData\1468936146.bdinstall.bin
2016-07-19 09:49 - 2016-07-19 09:52 - 00000000 ____D C:\ProgramData\Managed Antivirus
2016-07-19 09:49 - 2016-07-19 09:49 - 00000000 ____D C:\Program Files\Common Files\Managed Antivirus
2016-07-19 09:49 - 2015-07-21 19:27 - 00161592 _____ (BitDefender LLC) C:\Windows\system32\Drivers\gzflt.sys
2016-07-19 09:49 - 2015-06-02 16:21 - 00477272 _____ (BitDefender S.R.L.) C:\Windows\system32\Drivers\trufos.sys
2016-07-19 09:44 - 2016-08-07 21:41 - 00000000 ____D C:\ProgramData\ManagedAntivirus
2016-07-19 09:44 - 2016-07-19 09:49 - 00000000 ____D C:\Program Files\Managed Antivirus
2016-07-19 09:43 - 2016-07-19 09:43 - 00423840 _____ C:\Windows\dd_vcredistMSI4979.txt
2016-07-19 09:43 - 2016-07-19 09:43 - 00012434 _____ C:\Windows\dd_vcredistUI4979.txt
2016-07-19 09:43 - 2016-07-19 09:43 - 00001851 _____ C:\Users\Public\Desktop\Backup Manager.lnk
2016-07-19 09:43 - 2016-07-19 09:43 - 00001827 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Backup Manager.lnk
2016-07-19 09:43 - 2016-07-19 09:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Managed Online Backup
2016-07-19 09:43 - 2016-07-19 09:43 - 00000000 ____D C:\ProgramData\Managed Online Backup
2016-07-19 09:43 - 2016-05-30 02:30 - 00027272 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\ChangeTracker.sys
2016-07-19 09:42 - 2016-07-19 09:49 - 00000000 ____D C:\Program Files\Backup Manager
2016-07-15 16:29 - 2016-08-08 06:20 - 00000000 ____D C:\Windows\Patches
2016-07-15 16:16 - 2016-08-08 12:08 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1
2016-07-15 15:51 - 2016-08-08 11:53 - 00000000 ____D C:\ProgramData\AdvancedMonitoringAgentNetworkManagement
2016-07-15 15:51 - 2016-08-05 01:29 - 00000000 ____D C:\Program Files\Advanced Monitoring Agent Network Management
2016-07-15 15:50 - 2016-07-15 15:50 - 00000000 ____D C:\Windows\SysWOW64\System32
2016-07-15 15:50 - 2016-07-15 15:50 - 00000000 ____D C:\ProgramData\GFI
2016-07-15 15:47 - 2016-08-08 12:03 - 00000000 ____D C:\Program Files (x86)\Advanced Monitoring Agent
2016-07-15 15:47 - 2016-07-15 15:47 - 00001238 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Monitoring Agent.lnk
2016-07-15 15:47 - 2016-07-15 15:47 - 00000000 ____D C:\ProgramData\Package Cache
2016-07-15 15:46 - 2016-07-15 14:31 - 17057384 _____ C:\Users\Administrator\Desktop\AGENT_10_3_5.ZIP
2016-07-12 13:38 - 2016-07-01 12:27 - 06937952 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-07-12 13:38 - 2016-06-25 13:08 - 00304640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntprint.dll
2016-07-12 13:38 - 2016-06-25 11:56 - 00733696 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2016-07-12 13:38 - 2016-06-25 11:55 - 01043456 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2016-07-12 13:38 - 2016-06-25 11:55 - 00458240 _____ (Microsoft Corporation) C:\Windows\system32\puiobj.dll
2016-07-12 13:38 - 2016-06-25 11:55 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.dll
2016-07-12 13:38 - 2016-06-22 21:27 - 00144896 _____ (Microsoft Corporation) C:\Windows\system32\tssdisai.dll
2016-07-12 13:38 - 2016-06-22 21:26 - 00126976 _____ (Microsoft Corporation) C:\Windows\system32\RDWebAI.dll
2016-07-12 13:38 - 2016-06-11 05:30 - 01770496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-07-12 13:38 - 2016-06-11 05:30 - 01168384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-07-12 13:38 - 2016-06-11 05:30 - 00518144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 14742528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 13782016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 02818048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 02086912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 00737280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 00718848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-07-12 13:38 - 2016-06-11 05:29 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-07-12 13:38 - 2016-06-11 05:28 - 00228352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-07-12 13:38 - 2016-06-11 00:48 - 02249216 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-07-12 13:38 - 2016-06-11 00:48 - 01388544 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-07-12 13:38 - 2016-06-11 00:48 - 00907776 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2016-07-12 13:38 - 2016-06-11 00:48 - 00588288 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 20136960 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 15442432 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 03927040 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 02682880 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 00949760 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 00856576 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 00603648 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-07-12 13:38 - 2016-06-11 00:47 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-07-12 13:38 - 2016-06-11 00:46 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-07-12 13:38 - 2016-06-11 00:46 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-07-12 13:38 - 2016-06-11 00:46 - 00281088 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-07-12 13:38 - 2016-06-10 19:17 - 04050432 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-07-12 13:38 - 2016-01-30 12:21 - 00162304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\puiapi.dll
2016-07-12 13:38 - 2016-01-30 11:37 - 00187392 _____ (Microsoft Corporation) C:\Windows\system32\puiapi.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-08 12:00 - 2014-09-16 10:21 - 00000508 _____ C:\Windows\Tasks\ShadowCopyVolume{789dce0b-8dae-11e2-93f1-000c292c76b9}.job
2016-08-08 11:47 - 2013-03-15 16:19 - 00000000 ____D C:\Windows\system32\dhcp
2016-08-07 22:09 - 2013-03-15 16:24 - 00000000 ____D C:\Windows\NTDS
2016-08-07 22:09 - 2013-03-15 16:19 - 00000000 ____D C:\Windows\system32\wins
2016-08-07 22:09 - 2012-07-26 04:04 - 00000000 ____D C:\Windows\system32\inetsrv
2016-07-30 15:42 - 2012-07-26 03:50 - 00000000 ____D C:\Windows\CbsTemp
2016-07-29 02:35 - 2013-09-07 19:19 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3759757598-1360964531-964755638-500
2016-07-29 01:03 - 2013-03-15 16:28 - 00009826 __RSH C:\ProgramData\ntuser.pol
2016-07-29 00:33 - 2015-09-21 10:56 - 00000000 ____D C:\Users\Administrator\Desktop\Phone System Admin
2016-07-28 16:51 - 2014-04-09 21:22 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\hsperfdata_administrator
2016-07-28 16:13 - 2012-07-26 01:37 - 00000000 ____D C:\Windows\Inf
2016-07-28 16:10 - 2016-03-09 13:35 - 00000000 ____D C:\ProgramData\Avg
2016-07-28 16:10 - 2016-03-09 13:34 - 00000000 ____D C:\ProgramData\MFAData
2016-07-28 15:28 - 2013-09-06 09:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-07-28 15:18 - 2016-05-03 23:48 - 00000000 ____D C:\ProgramData\GetSupportService_N-Central
2016-07-28 15:09 - 2014-04-09 21:22 - 00000000 ____D C:\ProgramData\Oracle
2016-07-28 12:11 - 2016-02-17 16:58 - 00000000 ____D C:\Users\Administrator\.oracle_jre_usage
2016-07-26 04:04 - 2016-02-29 11:43 - 00000000 ____D C:\Program Files (x86)\N-able Technologies
2016-07-26 04:04 - 2013-08-05 19:34 - 01177278 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-07-26 04:00 - 2016-02-26 13:06 - 00000000 ____D C:\Windows\Downloaded Installations
2016-07-25 23:43 - 2016-07-06 00:49 - 00000000 ____D C:\Users\TreystaRMM\AppData\Local\Temp\{7D198B6F-187F-4FED-B97A-E6214345E416}
2016-07-25 01:56 - 2014-04-09 21:24 - 00000000 ____D C:\Users\amandabackup\AppData\Local\Temp\hsperfdata_amandabackup
2016-07-21 15:37 - 2013-03-15 16:26 - 00007096 _____ C:\Windows\system32\config\netlogon.dnb
2016-07-21 15:37 - 2013-03-15 16:26 - 00002497 _____ C:\Windows\system32\config\netlogon.dns
2016-07-15 16:36 - 2014-09-17 20:48 - 00000000 ____D C:\Windows\rescache
2016-07-15 16:17 - 2012-07-26 03:21 - 01161766 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-15 16:11 - 2013-03-15 16:19 - 00000000 ____D C:\Windows\system32\dns
2016-07-15 16:11 - 2012-07-26 03:14 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-07-15 16:09 - 2012-07-26 01:37 - 00000000 ____D C:\Windows\servicing
2016-07-15 16:09 - 2012-07-26 01:26 - 00008192 ___SH C:\Windows\system32\config\BBI
2016-07-15 16:07 - 2015-04-17 16:43 - 00281624 _____ C:\Windows\system32\FNTCACHE.DAT
2016-07-15 15:56 - 2013-08-15 03:08 - 00000000 ____D C:\Windows\system32\MRT
2016-07-15 15:53 - 2013-03-14 11:34 - 144749672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-07-15 15:44 - 2013-10-02 21:01 - 00000034 _____ C:\Windows\SysWOW64\bd404cdn.dat
2016-07-15 15:44 - 2013-10-02 21:01 - 00000026 _____ C:\Windows\BRPP2KA.INI
 
==================== Files in the root of some directories =======
 
2013-08-28 20:29 - 2013-10-13 09:34 - 0000600 _____ () C:\Users\Administrator\AppData\Local\PUTTY.RND
2013-03-14 11:44 - 2016-07-29 20:06 - 0007620 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
2016-07-19 09:52 - 2016-07-19 09:52 - 0245766 _____ () C:\ProgramData\1468936146.bdinstall.bin
 
Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\1\jre-8u101-windows-au.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-02 03:21
 
==================== End of FRST.txt ============================

Attached Files


Edited by KaiserGuy, 08 August 2016 - 11:31 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:49 AM

Posted 09 August 2016 - 08:19 AM

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.

Check this out. Otherwise the fix below will not create a Restore point.

Not sure if this is required in your server. This may be a false positive from the program we used.
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION

If this is set by a script from you then leave it alone. If not, add the line to the fix below before saving the Fixlist.txt file.
GroupPolicyScripts: Restriction <======= ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

URLSearchHook: [S-1-5-21-3759757598-1360964531-964755638-1620] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3759757598-1360964531-964755638-1800] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534] ATTENTION => Default URLSearchHook is missing
U0 ebskn; C:\Windows\System32\drivers\qnjr.sys [79064 2016-07-30] (Malwarebytes)
U0 ougd; C:\Windows\System32\drivers\ojppff.sys [79064 2016-07-30] (Malwarebytes)
S3 HWiNFO32; \??\C:\Windows\TEMP\HWiNFO64A.SYS [X]
S3 KAPFA; \??\C:\Windows\system32\drivers\KAPFA.SYS [X]
AlternateDataStreams: C:\Users\Administrator\Downloads\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\Administrator\Downloads\herdProtectScan_Setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Administrator\Downloads\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\Administrator\Downloads\mbam-setup-2.2.1.1043(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Administrator\Downloads\mbam-setup-2.2.1.1043.exe:BDU [0]
C:\Windows\System32\drivers\qnjr.sys
C:\Windows\System32\drivers\ojppff.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

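Added example, not part of the thread or of FRST itself: a PowerShell check you can run in an elevated console after the fix and reboot, to confirm that the items the fixlist above targets are actually gone. Driver names, file paths and stream names are the ones in the posted FRST log; $frstDir is an assumption (the folder FRST64.exe was run from, per the third line of the FRST log).

```powershell
# Post-fix verification for the fixlist nasdaq posted (added example, not FRST's own code).
# Assumption: FRST64.exe was run from the Downloads folder shown in the log; adjust if not.
$frstDir = 'C:\Users\Administrator\Downloads'
$results = [ordered]@{}

# 1. The two randomly named U0 driver services in the fixlist: both the file on disk and the
#    service registration under HKLM\SYSTEM\CurrentControlSet\Services must be gone.
foreach ($drv in 'qnjr.sys', 'ojppff.sys') {
    $results["driver file $drv removed"] = -not (Test-Path "C:\Windows\System32\drivers\$drv")
}
foreach ($svc in 'ebskn', 'ougd') {
    $results["service key $svc removed"] = -not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")
}

# 2. The :BDU alternate data streams FRST listed on the downloaded tools (Get-Item -Stream
#    needs PowerShell 3.0 or later, which Server 2012 has).
foreach ($f in 'FRST64.exe', 'herdProtectScan_Setup.exe', 'HijackThis.exe') {
    $p = Join-Path $frstDir $f
    if (Test-Path $p) {
        $ads = Get-Item -Path $p -Stream 'BDU' -ErrorAction SilentlyContinue
        $results["ADS BDU removed from $f"] = ($null -eq $ads)
    }
}

# 3. FRST reported System Restore disabled and pointed at winmgmt; the fix's
#    CreateRestorePoint: line only works if that service is up.
$results['winmgmt running'] = ((Get-Service -Name winmgmt).Status -eq 'Running')

# 4. FRST writes Fixlog.txt next to itself; it must exist so it can be posted back.
$results['Fixlog.txt present'] = Test-Path (Join-Path $frstDir 'Fixlog.txt')

# Print one line per check; anything marked CHECK needs a second look before declaring the fix done.
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK' } else { 'CHECK' }
    '{0,-5} {1}' -f $state, $_.Key
}
```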
#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:49 AM

Posted 15 August 2016 - 06:54 AM

Are you still with me?

#6 KaiserGuy

KaiserGuy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 15 August 2016 - 09:56 AM

Yes. Thank you for your help. I've applied your suggested fixes. I'm not sure exactly when this happened, but the logs are now indicating workstations that are generating failed login attempts. I am working on cleaning them up and will reply back with progress when they are addressed.



