Infected with desktoplayer! Please, Help!


  • This topic is locked
4 replies to this topic

#1 Abizyan

  • Members
  • 2 posts

Posted 19 April 2017 - 01:44 AM

Good day!

Recently I found suspicious activity on my server. After checking I found some threats and tried to remove them. I was successful with everything (it seems to me) except one: Desktoplayer.exe. I cannot remove it. What I've done to restrict its activity was change the networking settings (there's no access to the internet now), and the command prompt was blocked.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-04-2017 01
Ran by administrator (administrator) on SERVER (19-04-2017 10:25:40)
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: administrator (Available Profiles: Sergey & facts & administrator)
Platform: Microsoft® Windows® Server 2003, Enterprise Edition Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> dfssvc.exe
Failed to access process -> dns.exe
Failed to access process -> inetinfo.exe
Failed to access process -> ismserv.exe
Failed to access process -> LMIGuardianSvc.exe
Failed to access process -> sqlservr.exe
Failed to access process -> IEXPLORE.EXE
Failed to access process -> ntfrs.exe
Failed to access process -> svchost.exe
Failed to access process -> tcpsvcs.exe
Failed to access process -> hamachi-2.exe
Failed to access process -> MBAMService.exe
Failed to access process -> mssearch.exe
Failed to access process -> sqlagent.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> dmadmin.exe
Failed to access process -> alg.exe
Failed to access process -> explorer.exe
Failed to access process -> UnlockerAssistant.exe
Failed to access process -> hamachi-2-ui.exe
Failed to access process -> LogMeInSystray.exe
Failed to access process -> mbamtray.exe
Failed to access process -> sqlmangr.exe
Failed to access process -> oobechk.exe
Failed to access process -> mshta.exe
Failed to access process -> LMIGuardianSvc.exe
Failed to access process -> FRST.exe
Failed to access process -> wmiprvse.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ShutdownEventCheck] => %systemroot%\system32\dumprep 0 -s
HKLM\...\Run: [UnlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [311258 2017-04-13] ()
HKLM\...\Run: [LogMeIn Hamachi Ui] => C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe [5757934 2015-08-03] (LogMeIn Inc.)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [583150 2017-04-03] (LogMeIn, Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2958306 2017-01-20] (Malwarebytes)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Winlogon: [Userinit] userinit.exe,,c:\program files\microsoft\desktoplayer.exe
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2017-04-03] (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [71680 2005-11-30] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [71680 2005-11-30] (Microsoft Corporation)
HKU\S-1-5-21-4108714522-1483716228-370617395-500\...\MountPoints2: {d587f6a9-02cc-11e0-8a7d-00215af3e7b2} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-18\...\Policies\Explorer: [EditLevel] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFileMenu] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoCommonGroups] 0
IFEO\Storm.exe: [Debugger] taskkill.exe
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli dsrestor
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk [2010-11-24]
ShortcutTarget: Service Manager.lnk -> C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [S-1-5-21-4108714522-1483716228-370617395-500] => Proxy is enabled.
ProxyServer: [S-1-5-21-4108714522-1483716228-370617395-500] => 192.168.14.1
AutoConfigURL: [S-1-5-21-4108714522-1483716228-370617395-500] => 192.168.14.1
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2007-02-17] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4108714522-1483716228-370617395-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ae/
HKU\S-1-5-21-4108714522-1483716228-370617395-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-4108714522-1483716228-370617395-500 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
SearchScopes: HKLM -> DefaultScope value is missing
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
 
FireFox:
========
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ALG; C:\WINDOWS\System32\alg.exe [101376 2007-02-17] (Microsoft Corporation) [File not signed]
S4 CiSvc; C:\WINDOWS\system32\cisvc.exe [34304 2007-02-17] (Microsoft Corporation) [File not signed]
S4 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [59904 2005-11-30] (Microsoft Corporation) [File not signed]
S3 clr_optimization_v2.0.50727_32; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [244718 2005-09-23] (Microsoft Corporation) [File not signed]
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [252928 2007-02-17] (Microsoft Corporation) [File not signed]
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [109568 2005-11-30] (Microsoft Corporation) [File not signed]
R3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [322560 2007-02-17] (Microsoft Corporation) [File not signed]
R2 DNS; C:\WINDOWS\System32\dns.exe [531456 2007-02-17] (Microsoft Corporation) [File not signed]
R2 Hamachi2Svc; C:\Program Files\LogMeIn Hamachi\hamachi-2.exe [2061796 2015-08-03] (LogMeIn Inc.) [File not signed]
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [102400 2007-02-18] (Microsoft Corporation) [File not signed]
S4 ImapiService; C:\WINDOWS\system32\imapi.exe [184832 2007-02-17] (Microsoft Corporation) [File not signed]
R2 IsmServ; C:\WINDOWS\System32\ismserv.exe [128512 2007-02-17] (Microsoft Corporation) [File not signed]
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2005-11-30] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [122368 2007-02-18] (Microsoft Corporation) [File not signed]
R2 LMIGuardianSvc; C:\Program Files\LogMeIn Hamachi\LMIGuardianSvc.exe [591834 2015-08-03] (LogMeIn, Inc.) [File not signed]
S4 LMIMaint; C:\Program Files\LogMeIn\x86\RaMaint.exe [562148 2017-04-03] (LogMeIn, Inc.) [File not signed]
S4 LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [571356 2010-11-08] (LogMeIn, Inc.) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3482086 2017-01-20] (Malwarebytes) [File not signed]
S4 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [61440 2007-02-17] (Microsoft Corporation) [File not signed]
R2 MSDTC; C:\WINDOWS\system32\msdtc.exe [62464 2007-02-17] (Microsoft Corporation) [File not signed]
S3 MSIServer; C:\WINDOWS\System32\msiexec.exe [169984 2007-02-17] (Microsoft Corporation) [File not signed]
R2 MSSEARCH; C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [428022 2017-04-13] (Microsoft Corporation) [File not signed]
R2 MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [9418730 2005-05-04] (Microsoft Corporation) [File not signed]
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [280558 2005-05-03] (Microsoft Corporation) [File not signed]
S4 NetDDE; C:\WINDOWS\system32\netdde.exe [137728 2007-02-17] (Microsoft Corporation) [File not signed]
S4 NetDDEdsdm; C:\WINDOWS\system32\netdde.exe [137728 2007-02-17] (Microsoft Corporation) [File not signed]
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [880128 2007-02-17] (Microsoft Corporation) [File not signed]
S4 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [152576 2007-02-17] (Microsoft Corporation) [File not signed]
S3 RpcLocator; C:\WINDOWS\system32\locator.exe [99328 2005-11-30] (Microsoft Corporation) [File not signed]
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [94720 2007-02-17] (Microsoft Corporation) [File not signed]
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2005-11-30] (Microsoft Corporation)
S3 SCardSvr; C:\WINDOWS\System32\SCardSvr.exe [117760 2007-02-17] (Microsoft Corporation) [File not signed]
R2 Spooler; C:\WINDOWS\system32\spoolsv.exe [145920 2007-02-17] (Microsoft Corporation) [File not signed]
R2 SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe [591836 2005-05-03] (Microsoft Corporation) [File not signed]
S3 SrmReports; C:\WINDOWS\system32\srmhost.exe [216552 2007-02-18] (Microsoft Corporation) [File not signed]
R2 SrmSvc; C:\WINDOWS\system32\srmsvc.dll [1593344 2007-02-18] (Microsoft Corporation)
S2 SysmonLog; C:\WINDOWS\system32\smlogsvc.exe [123904 2007-02-17] (Microsoft Corporation) [File not signed]
S2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5604842 2014-12-15] (TeamViewer GmbH) [File not signed]
S4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [103424 2007-02-17] (Microsoft Corporation) [File not signed]
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2005-11-30] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [98816 2007-02-17] (Microsoft Corporation) [File not signed]
S3 UMWdf; C:\WINDOWS\system32\wdfmgr.exe [67072 2007-02-17] (Microsoft Corporation) [File not signed]
S3 UPS; C:\WINDOWS\System32\ups.exe [44544 2005-11-30] (Microsoft Corporation) [File not signed]
S3 vds; C:\WINDOWS\System32\vds.exe [380416 2007-02-17] (Microsoft Corporation) [File not signed]
S3 VSS; C:\WINDOWS\System32\vssvc.exe [863744 2007-02-17] (Microsoft Corporation) [File not signed]
S4 WinRPC10; C:\WINDOWS\System32\WRPC\WRPCServer.exe [793062 2009-02-12] (WinSoftMagic) [File not signed]
S3 WmiApSrv; C:\WINDOWS\system32\wbem\wmiapsrv.exe [155136 2007-02-17] (Microsoft Corporation) [File not signed]
S4 23423623; C:\WINDOWS\Terms.EXE [X]
S2 AudioSrv; C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\ghghy.cc3 [X]
S4 cxzcxzczxcxzcz; C:\WINDOWS\Terms.EXE [X]
S4 DdsactX jrq; C:\WINDOWS\system32\sj0.exe [X]
S4 Local Authorieh; C:\WINDOWS\Panthes\lsass.exe [X]
S4 Microsoft; C:\WINDOWS\Debug\ww\mscorsvw.exe [X]
S4 NOD32krn; "C:\Program Files\Eset\nod32krn.exe" [X]
S4 PC-BJ5.0 ; C:\WINDOWS\google.exe [X]
S4 Rsxtkp axirkvlk; C:\Program Files\Microsoft Qrbiox\Qqaeequ.pif [X]
S4 SuperProServer; C:\WINDOWS\svchost.exe [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
S4 wk; C:\WINDOWS\Debug\wk\mscorsvw.exe [X]
S4 Wsqxwc hgjplaic; C:\Program Files\Microsoft Iwmdfq\Thxoqbp.exe [X]
S4 xWinWpdSrv; c:\windows\system\msinfo.exe -s -syn 1000 [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AMON; C:\WINDOWS\system32\drivers\amon.sys [512096 2014-03-11] (Eset )
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
R3 CpqCiDrv; C:\WINDOWS\System32\DRIVERS\cpqcidrv.sys [42024 2009-05-11] (Hewlett-Packard Company)
R0 Datascrn; C:\WINDOWS\System32\DRIVERS\datascrn.sys [48640 2007-02-18] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
R3 hamachi; C:\WINDOWS\System32\DRIVERS\hamachi.sys [26176 2010-02-03] (LogMeIn, Inc.)
R0 HpCISSs2; C:\WINDOWS\System32\drivers\HpCISSs2.sys [38400 2006-02-13] (Hewlett-Packard Company)
R3 l2nd; C:\WINDOWS\System32\DRIVERS\bxnd52x.sys [66600 2010-04-30] (Broadcom Corporation)
R2 LMIInfo; C:\WINDOWS\system32\drivers\LMIInfo.sys [13624 2015-06-15] (LogMeIn, Inc.)
S3 NPF; C:\WINDOWS\System32\drivers\NPF.sys [36600 2017-04-06] (Riverbed Technology, Inc.)
S3 PSKMAD; C:\WINDOWS\System32\DRIVERS\PSKMAD.sys [50320 2015-01-29] (Panda Security, S.L.)
R0 Quota; C:\WINDOWS\System32\DRIVERS\quota.sys [88064 2007-02-18] (Microsoft Corporation)
S3 utmynde3; C:\WINDOWS\system32\Drivers\utmynde3.sys [7168 2017-04-18] () [File not signed]
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)
S4 adpu320; no ImagePath
S4 afcnt; no ImagePath
S4 AmdIde; no ImagePath
S4 arc; no ImagePath
S4 cpqarry2; no ImagePath
S4 cpqcissm; no ImagePath
S4 cpqfcalm; no ImagePath
S4 dellcerc; no ImagePath
S4 elxstor; no ImagePath
S4 hpcisss; no ImagePath
S4 hpt3xx; no ImagePath
S4 iirsp; no ImagePath
S4 IntelIde; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; no ImagePath
U3 LicenseInfo; no ImagePath
S4 LMIRfsClientNP; no ImagePath
S4 lp6nds35; no ImagePath
S4 nfrd960; no ImagePath
S4 ql2100; no ImagePath
S4 ql2200; no ImagePath
S4 ql2300; no ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
S4 startdss; system32\drivers\startdss.sys [X]
S4 symmpi; no ImagePath
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
U1 WS2IFSL; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVC: WmdmPmSNjfyullk -> no filepath.
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-19 10:25 - 2017-04-19 10:25 - 00016071 _____ C:\Documents and Settings\Administrator\Desktop\FRST.txt
2017-04-19 10:25 - 2017-04-19 10:24 - 01794560 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2017-04-19 10:11 - 2017-04-19 10:12 - 00000600 _____ C:\Documents and Settings\Sergey\Desktop\FRST.txt
2017-04-19 10:10 - 2017-04-19 10:11 - 00264666 _____ (SOFTWIN S.R.L.) C:\Documents and Settings\Sergey\Desktop\FRSTSrv.exe
2017-04-19 10:10 - 2017-04-17 07:30 - 02060260 _____ (Farbar) C:\Documents and Settings\Sergey\Desktop\FRST.exe
2017-04-18 16:46 - 2017-04-18 16:46 - 00000000 ____D C:\Documents and Settings\Sergey\Application Data\WinRAR
2017-04-18 16:45 - 2017-04-18 16:45 - 00000000 ____D C:\Documents and Settings\Sergey\Desktop\AutoLogger2
2017-04-18 13:46 - 2017-04-18 13:46 - 00065536 _____ C:\WINDOWS\Minidump\Mini041817-03.dmp
2017-04-18 13:25 - 2017-04-18 13:25 - 00065536 _____ C:\WINDOWS\Minidump\Mini041817-02.dmp
2017-04-18 13:05 - 2017-04-18 13:25 - 00000000 ____D C:\WINDOWS\Minidump
2017-04-18 13:05 - 2017-04-18 13:05 - 00065536 _____ C:\WINDOWS\Minidump\Mini041817-01.dmp
2017-04-18 12:02 - 2017-04-18 12:02 - 00000000 ____D C:\Program Files\Panda Security
2017-04-18 12:02 - 2015-09-14 13:03 - 00038520 _____ C:\WINDOWS\system32\Drivers\DasPtct.SYS
2017-04-18 12:02 - 2015-01-29 18:21 - 00050320 _____ (Panda Security, S.L.) C:\WINDOWS\system32\Drivers\PSKMAD.sys
2017-04-18 11:40 - 2017-04-18 11:40 - 00264670 _____ (SOFTWIN S.R.L.) C:\WINDOWS\system32\mobsyncSrv.exe
2017-04-18 11:40 - 2017-04-18 11:40 - 00000805 _____ C:\Documents and Settings\Default User\Start Menu\Programs\Internet Explorer.lnk
2017-04-18 10:07 - 2017-04-18 10:07 - 00000000 ____D C:\WINDOWS\system32\netmon
2017-04-17 06:45 - 2017-04-19 10:11 - 00000000 ____D C:\FRST
2017-04-15 15:47 - 2017-04-15 15:47 - 00027225 _____ C:\Documents and Settings\Administrator\Desktop\mbam_log.txt
2017-04-15 14:29 - 2017-04-18 16:35 - 00220088 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-04-15 14:29 - 2017-04-15 14:29 - 00000000 ____D C:\Program Files\Malwarebytes
2017-04-15 14:29 - 2017-04-15 14:29 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2017-04-15 14:29 - 2017-03-22 11:02 - 00059904 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-04-15 11:41 - 2017-04-18 17:08 - 00007168 _____ C:\WINDOWS\system32\Drivers\utmynde3.sys
2017-04-13 18:49 - 2017-04-13 18:49 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2017-04-13 18:44 - 2017-04-13 18:44 - 00000805 _____ C:\Documents and Settings\Sergey\Start Menu\Programs\Internet Explorer.lnk
2017-04-13 18:20 - 2017-04-13 18:20 - 00021576 _____ C:\Documents and Settings\Sergey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-04-13 18:20 - 2017-04-13 18:20 - 00000000 ____D C:\Documents and Settings\Sergey\Local Settings\Application Data\AvgSetupLog
2017-04-13 18:20 - 2017-04-13 18:20 - 00000000 ____D C:\Documents and Settings\Sergey\Local Settings\Application Data\Avg
2017-04-13 18:20 - 2017-04-13 18:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Avg
2017-04-13 18:12 - 2017-04-19 10:12 - 00000178 ___SH C:\Documents and Settings\Sergey\ntuser.ini
2017-04-13 18:12 - 2017-04-19 10:11 - 00000000 ____D C:\Documents and Settings\Sergey\Local Settings\Temp
2017-04-13 18:12 - 2017-04-19 09:47 - 00000000 ____D C:\Documents and Settings\Sergey\Local Settings\Application Data\LogMeIn Hamachi
2017-04-13 18:12 - 2017-04-13 18:44 - 00000776 _____ C:\Documents and Settings\Sergey\Start Menu\Programs\Outlook Express.lnk
2017-04-13 18:12 - 2017-04-13 18:44 - 00000000 ___RD C:\Documents and Settings\Sergey\My Documents
2017-04-13 18:12 - 2017-04-13 18:12 - 00000000 ____D C:\Documents and Settings\Sergey
2017-04-13 18:12 - 2017-04-13 15:20 - 00000000 ____D C:\Documents and Settings\Sergey\Local Settings\Application Data\LogMeIn
2017-04-13 18:12 - 2017-04-13 15:00 - 00000000 ____H C:\Documents and Settings\Sergey\My Documents\Default.rdp
2017-04-13 18:12 - 2011-02-09 17:45 - 00000000 ____D C:\Documents and Settings\Sergey\Local Settings\Application Data\ESET
2017-04-13 18:12 - 2010-11-21 22:29 - 00001599 _____ C:\Documents and Settings\Sergey\Start Menu\Programs\Remote Assistance.lnk
2017-04-13 17:12 - 2017-04-13 17:12 - 00000050 _____ C:\Documents and Settings\Administrator\Desktop\New Text Document (2).txt
2017-04-13 17:03 - 2017-04-18 13:52 - 01128800 _____ C:\WINDOWS\ntbtlog.txt
2017-04-13 15:20 - 2017-04-13 15:20 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\Application Data\LogMeIn
2017-04-13 15:00 - 2017-04-13 15:00 - 00000776 _____ C:\Documents and Settings\Default User\Start Menu\Programs\Outlook Express.lnk
2017-04-13 15:00 - 2017-04-13 15:00 - 00000000 ____H C:\Documents and Settings\Default User\My Documents\Default.rdp
2017-04-13 14:55 - 2017-04-19 09:39 - 00005600 _____ C:\WINDOWS\system32\PerfStringBackup.TMP
2017-04-13 14:52 - 2017-04-13 14:52 - 00010304 _____ C:\WINDOWS\system32\wpd.dat
2017-04-13 14:50 - 2017-04-18 09:50 - 00002184 _____ C:\WINDOWS\system32\wpa.dbl
2017-04-13 13:47 - 2017-04-15 11:05 - 00000000 ____D C:\Program Files\Unlocker
2017-04-13 13:47 - 2017-04-13 13:47 - 00000000 ____D C:\Documents and Settings\Administrator\Start Menu\Programs\Unlocker
2017-04-13 13:24 - 2017-04-13 13:41 - 00000000 ____D C:\WINDOWS\pss
2017-04-10 15:11 - 2017-04-13 14:46 - 00000000 ____D C:\Program Files\Prolifid
2017-04-10 01:52 - 2017-04-13 14:48 - 00000000 ____D C:\Program Files\Microsoft Iwmdfq
2017-04-06 05:19 - 2017-04-06 05:19 - 00282360 ____N (Riverbed Technology, Inc.) C:\WINDOWS\system32\wpcap.dll
2017-04-06 05:19 - 2017-04-06 05:19 - 00102136 ____N (Riverbed Technology, Inc.) C:\WINDOWS\system32\packet.dll
2017-04-06 05:19 - 2017-04-06 05:19 - 00036600 _____ (Riverbed Technology, Inc.) C:\WINDOWS\system32\Drivers\npf.sys
2017-04-04 05:18 - 2017-04-04 05:18 - 00000000 __SHD C:\download
2017-04-04 03:23 - 2017-04-04 03:23 - 00000067 _____ C:\Documents and Settings\onfm.dat
2017-04-04 01:08 - 2007-02-17 13:02 - 00251882 _____ (Microsoft Corporation) C:\WINDOWS\system32\spp.exe
2017-04-04 01:08 - 2007-02-17 12:23 - 00229346 _____ (Microsoft Corporation) C:\WINDOWS\system32\60hack.exe
2017-04-04 01:07 - 2007-02-17 13:02 - 00251872 _____ (Microsoft Corporation) C:\WINDOWS\system32\fpp.exe
2017-04-04 01:07 - 2007-02-17 12:23 - 00229358 _____ (Microsoft Corporation) C:\WINDOWS\system32\cpp.exe
2017-04-03 15:13 - 2017-04-03 15:13 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\PuTTY
2017-04-03 10:14 - 2015-06-15 08:14 - 00013624 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\Drivers\LMIInfo.sys
2017-04-02 17:25 - 2002-12-17 17:23 - 00033340 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbmsqlgc.dll
2017-04-02 17:25 - 2002-10-20 15:05 - 00024576 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbmsgnet.dll
2017-04-02 17:22 - 2004-11-29 12:06 - 01047552 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfc71u.dll
2017-04-02 17:22 - 2004-11-29 12:06 - 00499712 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcp71.dll
2017-04-02 17:22 - 2004-11-29 12:06 - 00348160 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcr71.dll
2017-04-02 17:22 - 2004-11-29 12:05 - 01060864 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfc71.dll
2017-04-02 17:22 - 2004-11-29 12:05 - 00089088 _____ (Microsoft Corporation) C:\WINDOWS\system32\atl71.dll
2017-04-02 17:21 - 2017-04-02 17:21 - 00000000 ____D C:\SQL2KSP4
2017-03-22 15:57 - 2017-03-22 15:57 - 00000956 ____N C:\Documents and Settings\Administrator\Desktop\Shortcut to sublime_text.exe.lnk
2017-03-21 12:00 - 2017-03-21 12:00 - 00000000 ____D C:\WINDOWS\system32\Cache
2017-03-21 12:00 - 2017-03-21 12:00 - 00000000 ____D C:\WINDOWS\IIS Temporary Compressed Files
2017-03-21 12:00 - 2007-02-18 16:00 - 02663424 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\nntpsnap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 02086400 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\smtpsnap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 01133056 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iiscfg.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 01058304 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetmgr.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00388096 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\asp.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00349696 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3core.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00297984 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\certwiz.ocx
2017-03-21 12:00 - 2007-02-18 16:00 - 00291328 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\adsiis.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00241664 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\httpext.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00235520 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\infocomm.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00234496 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\metadata.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00219136 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\seo.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00217088 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisui.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00216576 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisw3adm.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00194560 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iiswmi.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00187392 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\nntpadm.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00179200 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\smtpadm.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00167936 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisutil.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00151552 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\acwebsvc.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00141824 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisrtl.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00141824 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisRtl.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00127488 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ftpsvc2.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00122880 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisres.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00114176 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\uihelper.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00102400 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\certmap.ocx
2017-03-21 12:00 - 2007-02-18 16:00 - 00092672 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3ext.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00090624 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\convlog.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00090624 _____ (Microsoft Corporation) C:\WINDOWS\system32\convlog.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00082944 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisext.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00082432 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\certobj.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00077824 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\cnfgprts.ocx
2017-03-21 12:00 - 2007-02-18 16:00 - 00076288 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iislog.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00068608 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisuiobj.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00067584 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\logui.ocx
2017-03-21 12:00 - 2007-02-18 16:00 - 00064000 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\coadmin.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00062976 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisclex4.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00062464 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3isapi.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00061440 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\nextlink.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00060121 ____C C:\WINDOWS\system32\dllcache\iisftp.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00060121 _____ C:\WINDOWS\system32\IIsFtp.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00059904 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iismap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\system32\iismap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00058880 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\adrot.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00055808 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wamreg.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00055808 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisrstas.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00054784 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\davcdata.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00053256 ____N C:\WINDOWS\system32\appsrv.msc
2017-03-21 12:00 - 2007-02-18 16:00 - 00052736 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\isatq.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00052093 ____C C:\WINDOWS\system32\dllcache\iiscnfg.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00052093 _____ C:\WINDOWS\system32\IIsCnfg.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00050900 ____C C:\WINDOWS\system32\dllcache\iisweb.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00050900 _____ C:\WINDOWS\system32\iisweb.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00050666 ____N C:\WINDOWS\system32\w3ctrs.ini
2017-03-21 12:00 - 2007-02-18 16:00 - 00048640 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\httpodbc.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00048128 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\admwprox.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\system32\admwprox.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00047104 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetmgr.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00047104 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\browscap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00044544 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\svcext.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00043520 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisreset.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisreset.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00041984 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetinfo.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00039424 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3dt.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00039103 ____C C:\WINDOWS\system32\dllcache\iisschlp.wsc
2017-03-21 12:00 - 2007-02-18 16:00 - 00039103 _____ C:\WINDOWS\system32\IIsScHlp.wsc
2017-03-21 12:00 - 2007-02-18 16:00 - 00035074 ____C C:\WINDOWS\system32\dllcache\iisback.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00035074 _____ C:\WINDOWS\system32\iisback.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00034816 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3wp.exe
2017-03-21 12:00 - 2007-02-18 16:00 - 00034604 ____C C:\WINDOWS\system32\dllcache\iisvdir.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00034604 _____ C:\WINDOWS\system32\iisvdir.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00034518 ____C C:\WINDOWS\system32\dllcache\iisext.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00034518 _____ C:\WINDOWS\system32\iisext.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00033792 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\controt.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00032887 ____C C:\WINDOWS\system32\dllcache\iisftpdr.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00032887 _____ C:\WINDOWS\system32\IIsFtpdr.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00029184 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iispwchg.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00025600 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\logscrpt.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00025600 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\gzip.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00024064 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3ctrs.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00024064 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ssinc.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00023040 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wam.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00021504 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisadmin.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00021504 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\aspperf.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\aspperf.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00019456 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3cache.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00019456 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iscomlog.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00018944 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\httpmib.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00015360 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlauth.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00014848 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\exstrace.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00014848 _____ (Microsoft Corporation) C:\WINDOWS\system32\exstrace.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00014336 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\nntpapi.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\system32\nntpapi.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00013877 ____C C:\WINDOWS\system32\dllcache\iisapp.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00013877 _____ C:\WINDOWS\system32\iisapp.vbs
2017-03-21 12:00 - 2007-02-18 16:00 - 00013312 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3tp.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00013312 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\lonsint.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00012800 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\infoadmn.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00012800 _____ (Microsoft Corporation) C:\WINDOWS\system32\infoadmn.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00012288 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\smtpapi.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00012288 _____ (Microsoft Corporation) C:\WINDOWS\system32\smtpapi.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00011435 ____N C:\WINDOWS\system32\infoctrs.ini
2017-03-21 12:00 - 2007-02-18 16:00 - 00010793 ____N C:\WINDOWS\system32\axperf.ini
2017-03-21 12:00 - 2007-02-18 16:00 - 00010752 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3comlog.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00010240 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\rwnh.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00010240 _____ (Microsoft Corporation) C:\WINDOWS\system32\rwnh.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00008704 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\staxmem.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00008704 _____ (Microsoft Corporation) C:\WINDOWS\system32\staxmem.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00008537 ____N C:\WINDOWS\system32\w3ctrs.h
2017-03-21 12:00 - 2007-02-18 16:00 - 00008192 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\isapips.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00008192 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\infoctrs.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00008192 _____ (Microsoft Corporation) C:\WINDOWS\system32\infoctrs.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00007680 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ftpctrs2.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00007168 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wamregps.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\wamregps.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00006656 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wamps.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00006656 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\davcprox.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00006144 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\w3ctrlps.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00006144 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ftpmib.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00005632 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iisrstap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00005632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisrstap.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00004096 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\rpcref.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00003276 ____N C:\WINDOWS\system32\infoctrs.h
2017-03-21 12:00 - 2007-02-18 16:00 - 00003072 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iismui.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00003072 _____ (Microsoft Corporation) C:\WINDOWS\system32\iismui.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00002114 ____N C:\WINDOWS\system32\axctrnm.h
2017-03-21 12:00 - 2003-02-21 18:48 - 00009709 ____C C:\WINDOWS\system32\dllcache\IIS_iis_switch.vbs
2017-03-21 12:00 - 2003-02-21 18:48 - 00001849 ____C C:\WINDOWS\system32\dllcache\IIS_clusftp.vbs
2017-03-21 12:00 - 2003-02-21 18:48 - 00001844 ____C C:\WINDOWS\system32\dllcache\IIS_clusweb.vbs
2017-03-21 11:06 - 2017-04-13 15:00 - 00000000 ____D C:\Inetpub
2017-03-21 11:06 - 2017-03-21 11:06 - 00000000 ____D C:\ADFS
2017-03-21 10:58 - 2017-04-13 17:21 - 00000000 ____D C:\xampp
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-19 10:25 - 2010-11-21 22:36 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2017-04-19 10:13 - 2011-05-29 11:36 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\LogMeIn Hamachi
2017-04-19 10:13 - 2011-05-29 11:35 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\Application Data\LogMeIn Hamachi
2017-04-19 09:35 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2017-04-19 09:35 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\system32\dhcp
2017-04-19 09:35 - 2010-11-21 23:40 - 00002824 _____ C:\WINDOWS\system32\config\netlogon.dnb
2017-04-19 09:35 - 2010-11-21 23:40 - 00002683 _____ C:\WINDOWS\system32\config\netlogon.dns
2017-04-19 09:35 - 2010-11-21 23:39 - 00065536 _____ C:\WINDOWS\NETLOGON.CHG
2017-04-19 09:34 - 2010-11-21 22:34 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-19 09:33 - 2010-11-21 23:35 - 00000000 ____D C:\WINDOWS\ntds
2017-04-19 09:31 - 2010-11-21 23:35 - 00524288 _____ C:\WINDOWS\system32\config\NTDS.Evt
2017-04-19 09:31 - 2010-11-21 23:35 - 00196608 _____ C:\WINDOWS\system32\config\NtFrs.Evt
2017-04-19 09:31 - 2010-11-21 23:35 - 00196608 _____ C:\WINDOWS\system32\config\DnsEvent.Evt
2017-04-19 08:42 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\security
2017-04-18 21:06 - 2010-12-01 16:07 - 00000786 _____ C:\WINDOWS\Tasks\Server Daily.job
2017-04-18 13:51 - 2010-11-21 22:36 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-04-18 13:46 - 2010-11-22 02:12 - 144871424 _____ C:\WINDOWS\MEMORY.DMP
2017-04-18 12:24 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\system
2017-04-18 12:02 - 2010-11-22 00:09 - 00022352 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-04-18 11:40 - 2010-11-22 02:20 - 00000000 ___RD C:\Documents and Settings\Default User\My Documents
2017-04-16 14:28 - 2010-11-22 02:12 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-04-16 14:28 - 2010-11-21 22:26 - 00000000 ____D C:\WINDOWS\system32\Com
2017-04-15 14:29 - 2012-09-30 15:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-04-15 12:26 - 2010-11-22 02:20 - 00142032 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-04-15 11:48 - 2017-02-23 15:55 - 00000000 ____D C:\AdwCleaner
2017-04-15 11:14 - 2010-11-21 22:28 - 00000000 ____D C:\Program Files\Outlook Express
2017-04-15 10:52 - 2010-11-21 22:34 - 00032618 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2017-04-13 18:44 - 2010-11-21 22:29 - 00001868 _____ C:\WINDOWS\OEWABLog.txt
2017-04-13 18:34 - 2017-03-12 11:20 - 00000757 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Control Panel.lnk
2017-04-13 18:12 - 2010-11-22 02:20 - 00000000 ____D C:\Documents and Settings
2017-04-13 17:50 - 2010-11-24 14:41 - 00000000 ____D C:\Documents and Settings\Administrator\temp
2017-04-13 15:20 - 2011-05-17 11:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\LogMeIn
2017-04-13 15:17 - 2014-03-11 17:15 - 00000000 ____D C:\Program Files\Google
2017-04-13 15:16 - 2014-03-11 17:15 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2017-04-13 15:15 - 2005-11-30 15:00 - 00000566 _____ C:\WINDOWS\win.ini
2017-04-13 15:15 - 2005-11-30 15:00 - 00000284 _____ C:\WINDOWS\system.ini
2017-04-13 13:42 - 2010-11-21 22:36 - 00000000 ____D C:\Documents and Settings\Administrator
2017-04-13 11:07 - 2014-09-23 10:58 - 00001691 _____ C:\Documents and Settings\Administrator\Desktop\DHCP.lnk
2017-04-10 14:43 - 2014-06-07 08:56 - 00000000 ____D C:\Documents and Settings\facts\Local Settings\Application Data\LogMeIn Hamachi
2017-04-10 12:43 - 2010-11-24 10:41 - 00000764 _____ C:\WINDOWS\ODBC.INI
2017-04-04 03:24 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\system32\ias
2017-04-03 10:14 - 2011-05-24 11:49 - 00096736 ____N (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2017-04-03 10:14 - 2011-05-18 16:58 - 00102912 ____N (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2017-04-03 10:14 - 2011-05-17 11:20 - 00000000 ____D C:\Program Files\LogMeIn
2017-04-02 17:29 - 2014-06-07 08:56 - 00000178 ___SH C:\Documents and Settings\facts\ntuser.ini
2017-04-02 17:29 - 2010-11-24 10:23 - 00001806 _____ C:\WINDOWS\sql.mif
2017-04-02 17:29 - 2010-11-24 10:21 - 00001432 _____ C:\WINDOWS\setup.iss
2017-04-02 17:28 - 2010-11-21 22:26 - 00000000 ____D C:\WINDOWS\Cluster
2017-04-02 17:25 - 2010-11-22 02:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2017-04-02 16:53 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\repair
2017-04-02 16:50 - 2010-12-01 16:01 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2017-04-01 10:14 - 2014-06-07 08:56 - 00000000 ____D C:\Documents and Settings\facts\Local Settings\Temp
2017-03-21 12:01 - 2010-11-22 02:20 - 00012677 ____N C:\WINDOWS\imsins.BAK
2017-03-21 12:01 - 2010-11-21 22:27 - 00000000 ____D C:\WINDOWS\Registration
2017-03-21 12:00 - 2010-11-22 02:12 - 00000000 ____D C:\WINDOWS\Help
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe
[2007-02-17 12:58] - [2007-02-17 12:58] - 1080832 ____A (Microsoft Corporation) 253BB175E835B05146D53FCB89D27474
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe
[2007-02-17 14:04] - [2007-02-17 14:04] - 0042496 ____A (Microsoft Corporation) 59B9820F4A716E4D3E7CC10BD471EE86
 
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe
[2007-02-17 14:07] - [2007-02-17 14:07] - 0177664 ____A (Microsoft Corporation) EA9EB12CD2966DA97E2985381B2AE4C6
 
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION
 
 
ATTENTION: ==> Could not access BCD. 
 
==================== End of FRST.txt ============================
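The "One Month Created/Modified files and folders" lines in the report above have a fixed layout (listing date - other date - size attributes (publisher) path), which makes them easy to triage mechanically before a helper reads them by hand. The script below is an added example for this page, not FRST's own code and not something posted in the thread: it parses those lines into records and flags executable files with no publisher string, executables under user-writable paths, and files whose listed date falls shortly before the scan. The extension list, the path fragments and the flagging thresholds are my assumptions; the sample log is constructed (four lines copied from the report above plus one invented entry, unknown.exe, that exercises every rule) and says nothing about what was actually on the poster's server.

```python
"""Triage helper for the file-listing sections of an FRST.txt report.

Added example for this thread; it is not FRST's own code and was not
posted by anyone in the discussion.  The flagging rules, the extension
list and the sample log are assumptions made for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# One FRST file entry: "<date> - <date> - <size> <attrs> (<publisher>) <path>"
# The publisher field is optional; directories carry "D" in the attribute field.
LINE_RE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Assumed lists, not FRST logic: file types that execute, and path fragments
# an unprivileged user can normally write to.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv", ".cpl"}
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\temp\\", "\\appdata\\")


@dataclass
class Entry:
    listed: datetime      # the date the section is sorted by (created or modified)
    other: datetime       # the other timestamp FRST prints on the same line
    size: int
    attrs: str
    publisher: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_pe(self) -> bool:
        return ntpath.splitext(self.path)[1].lower() in PE_EXTENSIONS


def parse_frst_lines(lines: Iterable[str]) -> List[Entry]:
    """Return the file entries found in an FRST section, skipping headers and notes."""
    entries: List[Entry] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(
            listed=datetime.strptime(m["d1"], "%Y-%m-%d %H:%M"),
            other=datetime.strptime(m["d2"], "%Y-%m-%d %H:%M"),
            size=int(m["size"]),
            attrs=m["attrs"],
            publisher=m["publisher"],
            path=m["path"],
        ))
    return entries


def triage(entries: Iterable[Entry], scan_time: datetime,
           recent_days: int = 7) -> List[Tuple[str, List[str]]]:
    """Flag executable files worth a closer look; returns (path, reasons) pairs."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        if e.is_dir or not e.is_pe:
            continue
        reasons = []
        if not e.publisher:
            reasons.append("PE file with no publisher string")
        if any(h in e.path.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("PE file in a user-writable location")
        if scan_time - e.listed <= timedelta(days=recent_days):
            reasons.append(f"listed date within {recent_days} days of the scan")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Constructed sample: four lines copied from the report above plus one invented
# entry (unknown.exe) that exercises every rule.  Not output from the OP's server.
SAMPLE_LOG = r"""
==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-19 10:25 - 2010-11-21 22:36 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2017-04-03 10:14 - 2011-05-24 11:49 - 00096736 ____N (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2017-03-21 12:00 - 2007-02-18 16:00 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisreset.exe
2017-04-18 13:46 - 2010-11-22 02:12 - 144871424 _____ C:\WINDOWS\MEMORY.DMP
2017-04-17 09:12 - 2017-04-17 09:12 - 00031744 _____ C:\Documents and Settings\facts\Local Settings\Temp\unknown.exe
"""
SCAN_TIME = datetime(2017, 4, 19, 10, 25)  # matches the report's run time


if __name__ == "__main__":
    for path, reasons in triage(parse_frst_lines(SAMPLE_LOG.splitlines()), SCAN_TIME):
        print(path)
        for r in reasons:
            print("   -", r)
```

The "publisher" field is only the company name FRST reads from the file's version resource, so its absence is a prompt to hash and check the file, not proof of tampering; the Bamital & volsnap section at the end of the report is where FRST states whether a core system file is actually signed. Widening `recent_days` pulls in legitimately updated files (in the sample, the LogMeIn and IIS binaries), which is why the cut-off is a parameter rather than a constant.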



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,170 posts
  • Gender:Male
  • Location:California
Posted 21 April 2017 - 07:37 PM

Greetings Abizyan and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

We don't normally work on servers but I will see what I can do.

Please rerun FRST and copy/paste both the FRST.txt and Addition.txt reports in your reply. If necessary you can separate them into 2 posts.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Abizyan

  • Topic Starter
  • Members
  • 2 posts

Posted 23 April 2017 - 02:10 AM

Thank you for your response, but I managed it myself. Couldn't wait so long. Rkill was very useful. Finally our server looks clean. The last check is running now and no threats have been found on the system disk.



#4 Oh My!

Posted 23 April 2017 - 12:49 PM

We apologize for the delay. Thank you for letting me know.
Gary
 

#5 Oh My!

Posted 23 April 2017 - 12:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



