Heur.worm.script.generic

[Łowca Androidów]

Witam
Proszę o pomoc w interpretacji loga:
Wirus siedzi na serwerze i jak tylko zostają podłączone do sieci komputery lokalne to od razu są infekowane.
KOmputery ponoć są już czyste, ale problem jest z wyczyszczeniem serwera.
Sprawa dość pilna.
Oto Log z FRST:

Spoiler:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-11-2014 01
Ran by administrator (administrator) on SERVER on 01-12-2014 00:20:06
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profile: administrator (Available profiles: administrator)
Platform: Microsoft(R) Windows(R) Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)



==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NVRaidService] => C:\WINDOWS\system32\nvraidservice.exe [128512 2006-03-16] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2008-07-24] (LogMeIn, Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2013\avgui.exe [4411952 2014-01-21] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor: <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-2409697734-3148070567-3891210445-500\...\MountPoints2: {f0ca3810-51f7-11de-93f8-806e6f6e6963} - D:\setup.exe
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2409697734-3148070567-3891210445-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
HKU\S-1-5-21-2409697734-3148070567-3891210445-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-2409697734-3148070567-3891210445-500 -> DefaultScope {62A1C205-518B-4544-82E3-288091E3483F} URL = http://www.google.nl/search?hl=nl&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2409697734-3148070567-3891210445-500 -> {62A1C205-518B-4544-82E3-288091E3483F} URL = http://www.google.nl/search?hl=nl&q={searchTerms}
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/reso...an8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} https://10.10.10.5:4343/SMB/console/...oot/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} https://10.10.10.5:4343/SMB/console/...AtxConsole.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{2135716E-47A8-4F2A-A58E-CB895D879C1E}: [NameServer] 127.0.0.1

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-07]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-10-14]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 APCPBEAgent; C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe [35960 2012-12-05] (APC)
R2 APCPBEServer; C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe [56520 2012-12-05] (APC)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
R2 BackupExecAgentAccelerator; C:\Program Files\Symantec\Backup Exec\beremote.exe [1135432 2009-04-30] (Symantec Corporation)
R2 BackupExecAgentBrowser; C:\Program Files\Symantec\Backup Exec\benetns.exe [275784 2009-04-30] (Symantec Corporation)
R2 BackupExecDeviceMediaService; C:\Program Files\Symantec\Backup Exec\pvlsvr.exe [1530696 2009-04-30] (Symantec Corporation)
R2 BackupExecJobEngine; C:\Program Files\Symantec\Backup Exec\bengine.exe [3683656 2009-04-30] (Symantec Corporation)
R2 BackupExecRPCService; C:\Program Files\Symantec\Backup Exec\beserver.exe [6629192 2009-04-30] (Symantec Corporation)
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-18] (Microsoft Corporation)
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2007-02-18] (Microsoft Corporation)
R2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
R2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-18] (Microsoft Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-10-14] (Sun Microsystems, Inc.)
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093872 2008-06-30] (Symantec Corporation)
R2 MSSQL$BKUPEXEC; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29178224 2007-02-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45272 2005-10-14] (Microsoft Corporation)
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-18] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-18] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2007-02-18] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2007-02-18] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-18] (Microsoft Corporation)
R2 Eventlog; [X]
S4 UPS; [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21361 2014-04-28] (Cisco Systems, Inc.) [File not signed]
R1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [36864 2006-07-01] (Advanced Micro Devices)
S3 AR9271; C:\WINDOWS\System32\DRIVERS\athuw.sys [1759584 2010-09-30] (Atheros Communications, Inc.)
R1 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [208184 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [22328 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [39224 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [182072 2014-04-15] (AVG Technologies CZ, s.r.o.)
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-18] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-18] (Microsoft Corporation)
R1 giveio; C:\WINDOWS\system32\giveio.sys [5248 1996-04-03] () [File not signed]
R0 nvatabus; C:\WINDOWS\System32\drivers\nvatabus.sys [99840 2006-03-16] (NVIDIA Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [34176 2006-02-17] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [13056 2006-02-17] (NVIDIA Corporation) [File not signed]
S1 s32ait; C:\WINDOWS\System32\DRIVERS\s32ait.sys [14208 2007-02-28] (Sony Electronics)
R1 SCSIChanger; C:\WINDOWS\System32\DRIVERS\scsichng.sys [20272 2007-08-23] (Symantec Corporation)
R1 sonysdx-VRTS; C:\WINDOWS\System32\DRIVERS\sonysdx.sys [40760 2007-04-12] (Symantec Corporation)
R1 speedfan; C:\WINDOWS\system32\speedfan.sys [24184 2012-12-29] (Almico Software)
R3 tpfilter; C:\WINDOWS\System32\DRIVERS\tpfilter.sys [32816 2009-04-30] (Symantec Corporation)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-18] (Microsoft Corporation)
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [244608 2006-03-15] (Marvell)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 AmdIde; No ImagePath
S4 arc; No ImagePath
S4 cpqarry2; No ImagePath
S4 cpqcissm; No ImagePath
S4 cpqfcalm; No ImagePath
S4 dellcerc; No ImagePath
S3 DhcpListenDriver; \??\C:\Program Files\Trend Micro\Security Server\PCCSRV\Admin\Utility\TMVS\DhcpListenDriver. sys [X]
S4 elxstor; No ImagePath
S4 hpcisss; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S4 IntelIde; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S4 LMIRfsClientNP; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
U5 PSched; C:\Windows\System32\Drivers\PSched.sys [62464 2007-02-18] (Microsoft Corporation)
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-18] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-18] (Microsoft Corporation)
S4 symmpi; No ImagePath
U5 Tape; C:\Windows\System32\Drivers\Tape.sys [22528 2007-02-18] (Microsoft Corporation)
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 00:20 - 2014-12-01 00:21 - 00012978 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2014-12-01 00:19 - 2014-12-01 00:20 - 00000000 ____D () C:\FRST
2014-12-01 00:18 - 2014-12-01 03:17 - 01109504 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2014-11-23 21:36 - 2014-12-01 00:21 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp\2

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 00:19 - 2009-09-07 07:55 - 21480377 _____ () C:\WINDOWS\system32\Dashboard.log
2014-12-01 00:15 - 2013-07-15 09:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2014-12-01 00:00 - 2009-09-03 14:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\LogMeIn
2014-12-01 00:00 - 2009-06-05 17:41 - 00000000 ____D () C:\WINDOWS\system32\dhcp
2014-11-30 14:14 - 2009-06-05 17:41 - 00000000 ____D () C:\WINDOWS\security
2014-11-29 02:54 - 2009-09-04 12:41 - 00065536 _____ () C:\WINDOWS\NETLOGON.CHG
2014-11-23 20:53 - 2014-10-17 18:38 - 00000000 ____D () C:\Program Files\SpeedFan
2014-11-23 20:29 - 2007-02-18 12:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-11-20 00:37 - 2009-06-05 14:56 - 01610019 _____ () C:\WINDOWS\WindowsUpdate.log
2014-11-20 00:34 - 2009-09-04 12:42 - 00002584 _____ () C:\WINDOWS\system32\config\netlogon.dnb
2014-11-20 00:34 - 2009-09-04 12:42 - 00002453 _____ () C:\WINDOWS\system32\config\netlogon.dns
2014-11-20 00:32 - 2009-09-04 12:07 - 00000000 ____D () C:\WINDOWS\NTDS
2014-11-20 00:32 - 2009-06-05 15:02 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-11-20 00:24 - 2009-09-04 12:36 - 00065536 _____ () C:\WINDOWS\system32\config\DnsEvent.Evt
2014-11-20 00:24 - 2009-09-04 12:07 - 00524288 _____ () C:\WINDOWS\system32\config\NTDS.Evt
2014-11-20 00:24 - 2009-09-04 12:07 - 00065536 _____ () C:\WINDOWS\system32\config\NtFrs.Evt
2014-11-19 22:48 - 2009-09-04 13:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Symantec

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================

Na moje oko to fixlist powinien wyglądać tak:

Spoiler:

HKLM\...\Command Processor: <======= ATTENTION
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows[/COLOR] Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart
Empty Temp:

Są jeszcze 2 wpisy których nie jestem pewien:

to nie wiem co to jest?:
HKU\S-1-5-21-2409697734-3148070567-3891210445-500\...\MountPoints2: {f0ca3810-51f7-11de-93f8-806e6f6e6963} - D:\setup.exe

takie coś widzę pierwszy raz:
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli

[ordynat]

Skoro zarażony jest serwer, to logi z komputera niczego nie zmienią na serwerze.

Otwórz Notatnik i wklej w nim:

KLM\...\Command Processor: <======= ATTENTION
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{2135716E-47A8-4F2A-A58E-CB895D879C1E}: [NameServer] 127.0.0.1
S4 UPS; [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST. Uruchom FRST i kliknij przycisk Fix.
Powstanie plik fixlog.txt.
Daj ten log.

Zrób nowy log z FRST.
.

[Łowca Androidów]

Wiem - ten log jest z serwera.

[ordynat]

W każdym bądź razie - wykonaj to, co podałem.

[Łowca Androidów]

Witam ponownie.
Proszę - po wykonaniu skryptu:
Fixlog:

Spoiler:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-11-2014 01
Ran by administrator at 2014-12-01 23:34:25 Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profile: administrator (Available profiles: administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
KLM\...\Command Processor: <======= ATTENTION
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{2135716E-47A8-4F2A-A58E-CB895D879C1E}: [NameServer] 127.0.0.1
S4 UPS; [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
EmptyTemp:
*****************

Winsock: Catalog5 entry 000000000003\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
HKLM\System\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{2135716E-47A8-4F2A-A58E-CB895D879C1E}\\NameServer => value deleted successfully.
UPS => Service deleted successfully.
WinHttpAutoProxySvc => Service deleted successfully.
"C:\Windows\system32\codeintegrity\Bootcat.cac he IS MISSING <==== ATTENTION!." => File/Directory not found.
EmptyTemp: => Removed 11.7 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

FRST:

Spoiler:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-11-2014 01
Ran by administrator (administrator) on SERVER on 01-12-2014 23:41:35
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profile: administrator (Available profiles: administrator)
Platform: Microsoft(R) Windows(R) Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)



==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NVRaidService] => C:\WINDOWS\system32\nvraidservice.exe [128512 2006-03-16] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2008-07-24] (LogMeIn, Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2013\avgui.exe [4411952 2014-01-21] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor: <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-2409697734-3148070567-3891210445-500\...\MountPoints2: {f0ca3810-51f7-11de-93f8-806e6f6e6963} - D:\setup.exe
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2409697734-3148070567-3891210445-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
HKU\S-1-5-21-2409697734-3148070567-3891210445-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-2409697734-3148070567-3891210445-500 -> DefaultScope {62A1C205-518B-4544-82E3-288091E3483F} URL = http://www.google.nl/search?hl=nl&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2409697734-3148070567-3891210445-500 -> {62A1C205-518B-4544-82E3-288091E3483F} URL = http://www.google.nl/search?hl=nl&q={searchTerms}
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/reso...an8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} https://10.10.10.5:4343/SMB/console/...oot/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} https://10.10.10.5:4343/SMB/console/...AtxConsole.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 03 %SystemRoot%\system32\NLAapi.dll File Not found ()

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-07]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-10-14]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 APCPBEAgent; C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe [35960 2012-12-05] (APC)
R2 APCPBEServer; C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe [56520 2012-12-05] (APC)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
R2 BackupExecAgentAccelerator; C:\Program Files\Symantec\Backup Exec\beremote.exe [1135432 2009-04-30] (Symantec Corporation)
R2 BackupExecAgentBrowser; C:\Program Files\Symantec\Backup Exec\benetns.exe [275784 2009-04-30] (Symantec Corporation)
R2 BackupExecDeviceMediaService; C:\Program Files\Symantec\Backup Exec\pvlsvr.exe [1530696 2009-04-30] (Symantec Corporation)
R2 BackupExecJobEngine; C:\Program Files\Symantec\Backup Exec\bengine.exe [3683656 2009-04-30] (Symantec Corporation)
R2 BackupExecRPCService; C:\Program Files\Symantec\Backup Exec\beserver.exe [6629192 2009-04-30] (Symantec Corporation)
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-18] (Microsoft Corporation)
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2007-02-18] (Microsoft Corporation)
R2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
R2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-18] (Microsoft Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-10-14] (Sun Microsystems, Inc.)
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093872 2008-06-30] (Symantec Corporation)
R2 MSSQL$BKUPEXEC; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29178224 2007-02-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45272 2005-10-14] (Microsoft Corporation)
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-18] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-18] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2007-02-18] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2007-02-18] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-18] (Microsoft Corporation)
R2 Eventlog; [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21361 2014-04-28] (Cisco Systems, Inc.) [File not signed]
R1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [36864 2006-07-01] (Advanced Micro Devices)
S3 AR9271; C:\WINDOWS\System32\DRIVERS\athuw.sys [1759584 2010-09-30] (Atheros Communications, Inc.)
R1 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [208184 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [22328 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [39224 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [182072 2014-04-15] (AVG Technologies CZ, s.r.o.)
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-18] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-18] (Microsoft Corporation)
R1 giveio; C:\WINDOWS\system32\giveio.sys [5248 1996-04-03] () [File not signed]
R0 nvatabus; C:\WINDOWS\System32\drivers\nvatabus.sys [99840 2006-03-16] (NVIDIA Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [34176 2006-02-17] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [13056 2006-02-17] (NVIDIA Corporation) [File not signed]
S1 s32ait; C:\WINDOWS\System32\DRIVERS\s32ait.sys [14208 2007-02-28] (Sony Electronics)
R1 SCSIChanger; C:\WINDOWS\System32\DRIVERS\scsichng.sys [20272 2007-08-23] (Symantec Corporation)
R1 sonysdx-VRTS; C:\WINDOWS\System32\DRIVERS\sonysdx.sys [40760 2007-04-12] (Symantec Corporation)
R1 speedfan; C:\WINDOWS\system32\speedfan.sys [24184 2012-12-29] (Almico Software)
R3 tpfilter; C:\WINDOWS\System32\DRIVERS\tpfilter.sys [32816 2009-04-30] (Symantec Corporation)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-18] (Microsoft Corporation)
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [244608 2006-03-15] (Marvell)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 AmdIde; No ImagePath
S4 arc; No ImagePath
S4 cpqarry2; No ImagePath
S4 cpqcissm; No ImagePath
S4 cpqfcalm; No ImagePath
S4 dellcerc; No ImagePath
S3 DhcpListenDriver; \??\C:\Program Files\Trend Micro\Security Server\PCCSRV\Admin\Utility\TMVS\DhcpListenDriver. sys [X]
S4 elxstor; No ImagePath
S4 hpcisss; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S4 IntelIde; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S4 LMIRfsClientNP; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
U5 PSched; C:\Windows\System32\Drivers\PSched.sys [62464 2007-02-18] (Microsoft Corporation)
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-18] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-18] (Microsoft Corporation)
S4 symmpi; No ImagePath
U5 Tape; C:\Windows\System32\Drivers\Tape.sys [22528 2007-02-18] (Microsoft Corporation)
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 23:41 - 2014-12-01 23:42 - 00012750 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2014-12-01 23:39 - 2014-12-01 23:42 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp\1
2014-12-01 23:35 - 2014-12-01 23:41 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\stare logi
2014-12-01 00:19 - 2014-12-01 23:41 - 00000000 ____D () C:\FRST
2014-12-01 00:18 - 2014-12-01 03:17 - 01109504 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 23:41 - 2009-06-05 14:56 - 01626321 _____ () C:\WINDOWS\WindowsUpdate.log
2014-12-01 23:40 - 2009-09-04 13:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Symantec
2014-12-01 23:40 - 2009-06-05 17:46 - 01049274 _____ () C:\WINDOWS\setupapi.log
2014-12-01 23:39 - 2009-09-04 12:41 - 00065536 _____ () C:\WINDOWS\NETLOGON.CHG
2014-12-01 23:39 - 2009-06-05 17:41 - 00000000 ____D () C:\WINDOWS\system32\dhcp
2014-12-01 23:38 - 2009-09-04 12:42 - 00002584 _____ () C:\WINDOWS\system32\config\netlogon.dnb
2014-12-01 23:38 - 2009-09-04 12:42 - 00002453 _____ () C:\WINDOWS\system32\config\netlogon.dns
2014-12-01 23:37 - 2009-09-04 12:07 - 00000000 ____D () C:\WINDOWS\NTDS
2014-12-01 23:37 - 2009-06-05 15:02 - 00232606 _____ () C:\WINDOWS\PFRO.log
2014-12-01 23:37 - 2009-06-05 15:02 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-12-01 23:35 - 2009-09-04 12:36 - 00065536 _____ () C:\WINDOWS\system32\config\DnsEvent.Evt
2014-12-01 23:35 - 2009-09-04 12:07 - 00524288 _____ () C:\WINDOWS\system32\config\NTDS.Evt
2014-12-01 23:35 - 2009-09-04 12:07 - 00065536 _____ () C:\WINDOWS\system32\config\NtFrs.Evt
2014-12-01 23:35 - 2009-06-05 15:02 - 00032644 _____ () C:\WINDOWS\Tasks\SchedLgU.Txt
2014-12-01 23:33 - 2009-09-07 07:55 - 21587845 _____ () C:\WINDOWS\system32\Dashboard.log
2014-12-01 23:15 - 2013-07-15 09:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2014-12-01 22:10 - 2009-06-05 17:41 - 00000000 ____D () C:\WINDOWS\security
2014-12-01 00:00 - 2009-09-03 14:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\LogMeIn
2014-11-23 20:53 - 2014-10-17 18:38 - 00000000 ____D () C:\Program Files\SpeedFan
2014-11-23 20:29 - 2007-02-18 12:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================

Addition:

Spoiler:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 30-11-2014 01
Ran by administrator at 2014-12-01 23:42:27
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Normal
================================================== ========


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.182 - Adobe Systems Incorporated)
AVG (HKLM\...\AVG) (Version: 3469 - AVG Technologies)
AVG 2013 (Version: 13.0.3469 - AVG Technologies) Hidden
AVG 2013 (Version: 13.0.3722 - AVG Technologies) Hidden
ISSA Ship Stores Catalogue 2013 (HKLM\...\{0120417A-162F-4FE7-8ABB-FA4D4A1B0B7C}) (Version: 1.0.0 - Ascent Software Ltd)
Java(TM) 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.350 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.69 - Symantec Corporation)
LOCOPIAS "IJSSELBORG" (HKLM\...\LOCOPIAS IJSSELBORG) (Version: - )
LogMeIn (HKLM\...\{7F831576-6246-42C7-B523-55B3F96509CC}) (Version: 4.0.784 - LogMeIn, Inc.)
Marad version 4.00 (HKLM\...\Marad_is1) (Version: - )
Marvell Miniport Driver (HKLM\...\{C950420B-4182-49EA-850A-A6A2ABF06C6B}) (Version: 8.51.5.3 - Marvell)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Report Viewer Redistributable 2005 (HKLM\...\Microsoft Report Viewer Redistributable 2005) (Version: - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version: - Microsoft Corporation)
Microsoft SQL Server 2005 Backward compatibility (HKLM\...\{12508FB2-89EC-4BE6-B5F7-644E8F95AF7B}) (Version: 8.05.2102 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}) (Version: 9.00.3042.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.3042.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}) (Version: 9.00.3042.00 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB2758696) (HKLM\...\{E46A76D1-9FB9-4770-BA24-3975EF4D120A}) (Version: 6.20.2016.0 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: - )
PowerChute Business Edition Agent (HKLM\...\{BCE9F441-9027-4911-82E0-5FB28057897D}) (Version: 9.0.2.614 - American Power Conversion)
PowerChute Business Edition Console (HKLM\...\{0F86FD09-BA63-4E45-A70B-604C1106C2F2}) (Version: 9.1.0.614 - American Power Conversion)
PowerChute Business Edition Server (HKLM\...\{A6491A4A-AAA0-4892-BFEF-ECD6CECE2FF3}) (Version: 9.1.0.614 - American Power Conversion)
SpeedFan (remove only) (HKLM\...\SpeedFan) (Version: - )
Symantec Backup Exec (TM) 12.5 for Windows Servers (HKLM\...\Symantec Backup Exec 12.5) (Version: 12.5.2213 - Symantec Corporation)
Symantec Backup Exec for Windows Servers (Service Pack 2) (HKLM\...\{BF48F687-3B2D-45B8-AD82-24FBDE5B1391}) (Version: - Symantec Corporation)
Symantec Backup Exec for Windows Servers (Version: 12.5.2213 - Symantec Corporation) Hidden
Symantec Backup Exec License Assessment Tool (Version: 2.0.0 - Symantec Corporation) Hidden
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) (HKLM\...\53F13DB4D9611FD63BE580F06F0729BF236ABE68 ) (Version: 05/27/2006 1.3.2.0 - Advanced Micro Devices)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version: - Microsoft Corporation)
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2409697734-3148070567-3891210445-500_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)

==================== Restore Points =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2007-02-18 12:00 - 2007-02-18 12:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (whitelisted) =============


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Min imal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Net work\nm => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Net work\nm.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Net work\UploadMgr => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
Guest (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SUPPORT_388945a0 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
Ship Office (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Engineroom (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Cheng (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Captain (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Wheelhouse (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
officer (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ijsselborg (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SERVER$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WORKSTATION1$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WORKSTATION5$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WORKSTATION4$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WORKSTATION3$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WORKSTATION2$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WORKSTATION6$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IJSSELBORG$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:41:56 PM) (Source: crypt32) (EventID: (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (12/01/2014 11:41:56 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


System errors:
=============
Error: (12/01/2014 11:39:32 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:39:32 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver SkyFile required for printer SkyFile is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:39:28 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver hpfax1 required for printer HP Color LaserJet CM1312 MFP Series Fax is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Color LaserJet CM1312 MFP Series PCL 6 required for printer HP Color LaserJet CM1312 MFP Series PCL 6 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Deskjet 6980 series required for printer HP DeskJet 6980 series is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:39:26 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Canon MP270 series Printer required for printer Canon MP270 series Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:39:16 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (12/01/2014 11:33:43 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver SkyFile required for printer SkyFile is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:33:43 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/01/2014 11:33:42 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver hpfax1 required for printer HP Color LaserJet CM1312 MFP Series Fax is unknown. Contact the administrator to install the driver before you log in again.


Microsoft Office Sessions:
=========================
Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: http://www.download.windowsupdate.co...ootseq.txtThis network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.co...throotstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: http://www.download.windowsupdate.co...ootseq.txtThis network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.co...throotstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: http://www.download.windowsupdate.co...ootseq.txtThis network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.co...throotstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: (User: )
Description: http://www.download.windowsupdate.co...ootseq.txtThis network connection does not exist.

Error: (12/01/2014 11:42:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.co...throotstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/01/2014 11:41:56 PM) (Source: crypt32) (EventID: (User: )
Description: http://www.download.windowsupdate.co...ootseq.txtThis network connection does not exist.

Error: (12/01/2014 11:41:56 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.co...throotstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


==================== Memory info ===========================

Processor: Dual-Core AMD Opteron(tm) Processor 1212
Percentage of memory in use: 74%
Total physical RAM: 1006.37 MB
Available physical RAM: 254.69 MB
Total Pagefile: 2432.7 MB
Available Pagefile: 1665.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1945.24 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:40 GB) (Free:29.52 GB) NTFS
Drive e: (Officers) (Fixed) (Total:97.66 GB) (Free:71.02 GB) NTFS
Drive f: (Data) (Fixed) (Total:563.78 GB) (Free:520.69 GB) NTFS

==================== MBR & Partition Table ==================

================================================== ======
Disk: 0 (MBR Code: Windows XP) (Size: 701.5 GB) (Disk ID: F745F745)
Partition 1: (Active) - (Size=40 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=563.8 GB) - (Type=07 NTFS)

[ordynat]

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

Winsock: Catalog5 03 %SystemRoot%\system32\NLAapi.dll File Not found ()

HKLM\...\Command Processor: <======= ATTENTION

Nie wiem, czy może tak powinno być na serwerze?
Na normalnym komputerze to nie byłoby OK.
.

[Łowca Androidów]

No właśnie - to jest problem, że to serwer i tu logi wyglądają inaczej
Dzięki za pomoc.