
lsass.exe suspicious activity



Hello everyone, I have a server machine running Windows Server 2012. For a while I have noticed suspicious activity from the lsass.exe process: it is saturating my bandwidth and slowing down the machine.

 

[Attached screenshot: lsass.png]

As you can see, a lot of strange IPs are generating traffic on my machine.

I already performed some scans with Malwarebytes:


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/14/18
Scan Time: 3:41 PM
Log File: 8091c736-3fe9-11e8-b16e-d05099afe6ef.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4732
License: Trial

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 292440
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 3 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

with FRST:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by mattia (administrator) on EA-SERVER (14-04-2018 16:31:12)
Running from C:\Users\mattia\Downloads
Loaded Profiles: mattia & MediaAdmin$ & mignolo (Available Profiles: mattia & MediaAdmin$ & mignolo & Administrator)
Platform: Windows Server 2012 R2 Essentials (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Corporation) C:\Windows\System32\certsrv.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\System32\silsvc.exe
(Microsoft Corporation) C:\Windows\System32\smbhash.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\WSSBackup.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\storageservice.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\ProviderRegistryService.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\SharedServiceHost.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\SharedServiceHost.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\SharedServiceHost.exe
(Microsoft Corporation) C:\Windows\System32\wbengine.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\MediaStreamingProvider.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(MetaQuotes Software Corp.) C:\MT4-PEM\terminal.exe
(FastStone Soft) C:\Users\mattia\Desktop\FSCapture88\FSCapture.exe
(Microsoft Corporation) C:\Windows\System32\scrnsave.scr
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11776 2014-10-29] (Microsoft Corporation)
Lsa: [Notification Packages] rassfm scecli PwdFilt
SecurityProviders: credssp.dll, pwdssp.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MT4-PEM.lnk [2017-10-24]
ShortcutTarget: MT4-PEM.lnk -> C:\MT4-PEM\terminal.exe (MetaQuotes Software Corp.)
Startup: C:\Users\mattia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastStone Capture.lnk [2018-03-20]
ShortcutTarget: FastStone Capture.lnk -> C:\Users\mattia\Desktop\FSCapture88\FSCapture.exe (FastStone Soft)
BootExecute: autocheck autochk /q /v *
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{4E82B7F5-6A7D-4BA0-A416-CDB4E4EC58A1}: [NameServer] 208.67.220.220,208.67.222.222

Internet Explorer:
==================
HKU\S-1-5-21-1475991681-507444292-3624784772-1001\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
HKU\S-1-5-21-1475991681-507444292-3624784772-1121\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
URLSearchHook: [S-1-5-21-1475991681-507444292-3624784772-1116] ATTENTION => Default URLSearchHook is missing

FireFox:
========
FF DefaultProfile: 89iyeeyz.default
FF ProfilePath: C:\Users\mattia\AppData\Roaming\Mozilla\Firefox\Profiles\89iyeeyz.default [2018-04-14]
FF Extension: (TLS 1.3 gradual roll-out) - C:\Users\mattia\AppData\Roaming\Mozilla\Firefox\Profiles\89iyeeyz.default\features\{96cf8128-a6b3-48c8-b65b-0b6948518f47}\tls13-rollout-bug1442042@mozilla.org.xpi [2018-04-14] [Legacy]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"silsvc" => service was unlocked. <==== ATTENTION

R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [478720 2017-10-17] (Microsoft Corporation)
R2 CertSvc; C:\Windows\system32\certsrv.exe [765440 2016-05-18] (Microsoft Corporation)
R2 Dfs; C:\Windows\system32\dfssvc.exe [451584 2014-03-06] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [3906560 2017-07-20] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [1737216 2017-06-13] (Microsoft Corporation)
S3 DsRoleSvc; C:\Windows\system32\dsrolesrv.dll [280064 2017-10-17] (Microsoft Corporation)
R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [372736 2014-04-01] (Microsoft Corporation)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [16896 2017-10-17] (Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [64512 2017-10-17] (Microsoft Corporation)
R2 Kdc; C:\Windows\system32\kdcsvc.dll [562688 2017-10-14] (Microsoft Corporation)
S3 KdsSvc; C:\Windows\system32\KdsSvc.dll [36352 2017-10-17] (Microsoft Corporation)
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [173056 2013-08-22] (Microsoft Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6479136 2018-03-27] (Malwarebytes)
R2 NTDS; C:\Windows\system32\ntdsa.dll [97280 2017-10-17] (Microsoft Corporation)
S4 NtFrs; C:\Windows\system32\ntfrs.exe [1001472 2017-10-17] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [85504 2013-08-22] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [76288 2013-08-22] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [15872 2013-08-22] (Microsoft Corporation)
R2 ServiceProviderRegistry; C:\Windows\System32\Essentials\ProviderRegistryService.exe [34816 2014-03-18] (Microsoft Corporation)
R2 silsvc; C:\Windows\system32\silsvc.exe [552960 2014-03-18] (Microsoft Corporation)
R2 SmbHash; C:\Windows\System32\smbhash.exe [75264 2014-03-18] (Microsoft Corporation)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [249344 2014-09-05] (Microsoft Corporation)
R2 WseComputerBackupSvc; C:\Windows\System32\Essentials\WSSBackup.exe [806400 2014-04-03] (Microsoft Corporation)
R2 WseMediaSvc; C:\Windows\System32\Essentials\MediaStreamingProvider.exe [69632 2014-03-18] (Microsoft Corporation)
R2 WseStorageSvc; C:\Windows\System32\Essentials\storageservice.exe [793600 2014-03-18] (Microsoft Corporation)
S4 WseEmailSvc; "%SystemRoot%\System32\Essentials\SharedServiceHost.exe" "%SystemRoot%\System32\Essentials\EmailProviderServiceConfig" [X]
R2 WseHealthSvc; "%SystemRoot%\System32\Essentials\SharedServiceHost.exe" "%SystemRoot%\System32\Essentials\HealthServiceConfig" [X]
R2 WseMgmtSvc; "%SystemRoot%\System32\Essentials\SharedServiceHost.exe" "%SystemRoot%\System32\Essentials\ManagementServiceConfig" [X]
R2 WseNtfSvc; "%SystemRoot%\System32\Essentials\SharedServiceHost.exe" "%SystemRoot%\System32\Essentials\NotificationServiceConfig" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 bfadfcoei; C:\Windows\System32\drivers\bfadfcoei.sys [2265440 2013-08-22] (Brocade Communications Systems, Inc.)
S0 bfadi; C:\Windows\System32\drivers\bfadi.sys [2265440 2013-08-22] (Brocade Communications Systems, Inc.)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [187744 2013-08-22] (Broadcom Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [560480 2013-08-22] (Broadcom Corporation)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [54624 2014-03-18] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66400 2017-10-17] (Microsoft Corporation)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [712032 2013-08-22] (Emulex)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [76192 2018-03-19] ()
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193768 2018-04-14] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [112864 2018-04-14] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [44768 2018-04-14] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-04-14] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [102112 2018-04-14] (Malwarebytes)
S3 MsLbfoProvider; C:\Windows\system32\DRIVERS\MsLbfoProvider.sys [117760 2016-07-09] (Microsoft Corporation)
R3 PeerDistKM; C:\Windows\System32\drivers\peerdistkm.sys [128512 2014-07-12] (Microsoft Corporation)
S0 ql2300i; C:\Windows\System32\drivers\ql2300i.sys [1508704 2013-08-22] (QLogic Corporation)
S0 ql40xx2i; C:\Windows\System32\drivers\ql40xx2i.sys [475488 2013-08-22] (QLogic Corporation)
S0 qlfcoei; C:\Windows\System32\drivers\qlfcoei.sys [1300320 2013-08-22] (QLogic Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [94048 2013-08-22] (Microsoft Corporation)
S3 smbdirect; C:\Windows\System32\DRIVERS\smbdirect.sys [145920 2014-03-20] (Microsoft Corporation)
S3 wtlmdrv; C:\Windows\System32\drivers\wtlmdrv.sys [31232 2013-08-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-14 16:31 - 2018-04-14 16:33 - 000011027 _____ C:\Users\mattia\Downloads\FRST.txt
2018-04-14 16:30 - 2018-04-14 16:31 - 000000000 ____D C:\FRST
2018-04-14 16:30 - 2018-04-14 16:30 - 002403328 _____ (Farbar) C:\Users\mattia\Downloads\FRST64.exe
2018-04-14 16:03 - 2018-04-14 16:21 - 000000000 ____D C:\Users\mattia\Desktop\mbar
2018-04-14 16:03 - 2018-04-14 16:21 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-04-14 16:03 - 2018-04-14 16:03 - 014178840 _____ (Malwarebytes Corp.) C:\Users\mattia\Downloads\mbar-1.10.3.1001.exe
2018-04-14 16:03 - 2018-04-14 16:03 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\552687B8.sys
2018-04-14 14:19 - 2018-04-14 14:19 - 000044768 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-04-14 14:18 - 2018-04-14 16:22 - 000102112 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-04-14 14:18 - 2018-04-14 14:18 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-04-14 14:18 - 2018-04-14 14:18 - 000193768 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-04-14 14:18 - 2018-04-14 14:18 - 000112864 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-04-14 14:18 - 2018-04-14 14:18 - 000001883 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-04-14 14:18 - 2018-04-14 14:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-04-14 14:18 - 2018-03-19 12:57 - 000076192 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-04-14 14:17 - 2018-04-14 16:04 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-04-14 14:17 - 2018-04-14 14:17 - 000000000 ____D C:\Program Files\Malwarebytes
2018-04-14 14:16 - 2018-04-14 14:17 - 071942408 _____ (Malwarebytes ) C:\Users\mattia\Downloads\mb3-setup-35891.35891-3.4.5.2467-1.0.342-1.0.4514.exe
2018-04-14 03:07 - 2018-04-14 03:10 - 000000000 ____D C:\Users\mattia\Downloads\Star.Wars.Episode.II.Attack.of.the.Clones.2002.720p.BluRay.x264-NeZu
2018-04-14 00:30 - 2018-04-14 00:30 - 000000000 ____D C:\Users\mattia\Downloads\Star Wars Episode I The Phantom Menace (1999) [1080p]
2018-04-11 23:09 - 2018-04-11 23:09 - 000000000 ____D C:\Users\mattia\Downloads\MT4-TopFX
2018-04-11 23:09 - 2018-04-11 23:09 - 000000000 ____D C:\Users\mattia\Downloads\MT4-PEM
2018-03-20 09:41 - 2018-04-10 23:03 - 000000000 ____D C:\Users\mattia\Desktop\comparazione spread
2018-03-20 09:39 - 2018-03-20 09:40 - 000000000 ____D C:\Users\mattia\Desktop\FSCapture88
2018-03-18 13:56 - 2018-03-18 14:01 - 000000000 ____D C:\MT4-TopFX
2018-02-18 18:09 - 2018-04-14 16:32 - 000003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1475991681-507444292-3624784772-1121
2018-02-05 03:13 - 2018-04-14 15:33 - 000000000 ____D C:\Users\mignolo
2018-02-05 03:13 - 2018-02-05 03:14 - 000000000 ____D C:\Users\mignolo\AppData\Roaming\MetaQuotes
2018-02-05 03:13 - 2018-02-05 03:13 - 000001442 _____ C:\Users\mignolo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-02-05 03:13 - 2018-02-05 03:13 - 000000020 ___SH C:\Users\mignolo\ntuser.ini
2018-02-05 03:13 - 2018-02-05 03:13 - 000000000 ____D C:\Users\mignolo\AppData\Roaming\Adobe
2018-02-05 03:13 - 2018-02-05 03:13 - 000000000 ____D C:\Users\mignolo\AppData\Local\VirtualStore
2018-02-05 03:13 - 2018-02-05 03:13 - 000000000 ____D C:\Users\mignolo\AppData\Local\Packages
2018-02-05 03:13 - 2014-03-18 11:46 - 000000369 _____ C:\Users\mignolo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2018-02-05 03:13 - 2014-03-18 11:46 - 000000369 _____ C:\Users\mignolo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2018-01-14 16:19 - 2018-01-14 16:19 - 000000000 ____D C:\Users\mattia\Documents\myfxbook
2018-01-14 15:35 - 2018-01-14 15:35 - 000000000 ____D C:\Users\mattia\Documents\PS

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-14 16:32 - 2017-10-17 21:56 - 000003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1475991681-507444292-3624784772-1001
2018-04-14 16:27 - 2017-10-17 22:03 - 000000948 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-04-14 16:27 - 2017-10-17 22:03 - 000000000 ____D C:\Users\mattia\AppData\LocalLow\Mozilla
2018-04-14 16:27 - 2017-10-17 22:03 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-04-14 16:27 - 2017-10-17 22:03 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-04-14 15:41 - 2017-10-17 21:47 - 000000000 ____D C:\Windows\NTDS
2018-04-14 15:18 - 2017-10-17 21:45 - 000000000 ____D C:\Users\mattia
2018-04-14 13:54 - 2017-10-21 03:59 - 000000000 ____D C:\Users\mattia\AppData\Roaming\qBittorrent
2018-04-14 13:00 - 2017-10-17 21:52 - 000000508 _____ C:\Windows\Tasks\ShadowCopyVolume{cec124d8-b214-11e7-80b5-806e6f6e6963}.job
2018-04-11 11:31 - 2013-08-22 17:20 - 000000000 ____D C:\Windows\CbsTemp
2018-04-10 23:20 - 2014-03-18 11:46 - 000990262 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-10 23:20 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\Inf
2018-04-10 23:19 - 2017-10-17 21:49 - 000007288 _____ C:\Windows\system32\config\netlogon.dnb
2018-04-10 23:19 - 2017-10-17 21:49 - 000002635 _____ C:\Windows\system32\config\netlogon.dns
2018-04-10 23:15 - 2013-08-22 17:39 - 000000000 ____D C:\Windows\system32\inetsrv
2018-04-10 23:13 - 2017-10-17 21:51 - 000000000 ____D C:\Windows\system32\CertLog
2018-04-10 23:13 - 2017-10-17 21:46 - 000000000 ____D C:\Windows\system32\dns
2018-04-10 23:13 - 2013-08-22 16:48 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-10 23:12 - 2013-08-22 15:25 - 000008192 ___SH C:\Windows\system32\config\BBI

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
bootshutdowndisabled    Yes
default                 {current}
resumeobject            {1b2566c4-b21d-11e7-8c8a-f0c4aa984f82}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2012 R2
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {1b2566c6-b21d-11e7-8c8a-f0c4aa984f82}
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {1b2566c4-b21d-11e7-8c8a-f0c4aa984f82}
nx                      OptOut
bootstatuspolicy        IgnoreAllFailures

Windows Boot Loader
-------------------
identifier              {1b2566c6-b21d-11e7-8c8a-f0c4aa984f82}
device                  ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{1b2566c7-b21d-11e7-8c8a-f0c4aa984f82}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
displaymessageoverride  Recovery
osdevice                ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{1b2566c7-b21d-11e7-8c8a-f0c4aa984f82}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {1b2566c4-b21d-11e7-8c8a-f0c4aa984f82}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {1b2566c6-b21d-11e7-8c8a-f0c4aa984f82}
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {1b2566c7-b21d-11e7-8c8a-f0c4aa984f82}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume1
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


LastRegBack: 2018-04-06 04:31

==================== End of FRST.txt ============================

The Farbar Addition log:


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by mattia (14-04-2018 16:35:40)
Running from C:\Users\mattia\Downloads
Windows Server 2012 R2 Essentials (X64) (2017-10-16 01:58:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2050850874-1060108300-1411042531-500 - Administrator - Disabled)
Guest (S-1-5-21-2050850874-1060108300-1411042531-501 - Limited - Disabled)
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
mattia (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
mignolo (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
EA-SERVER$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
MediaAdmin$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Ava MetaTrader (HKLM-x32\...\Ava MetaTrader) (Version: 4.00 - MetaQuotes Software Corp.)
Malwarebytes version 3.4.5.2467 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.5.2467 - Malwarebytes)
Mozilla Firefox 59.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0.2 (x64 en-US)) (Version: 59.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.1 - Mozilla)
qBittorrent 3.3.16 (HKLM-x32\...\qBittorrent) (Version: 3.3.16 - The qBittorrent project)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {22F8933B-6077-471D-A4C3-56C7647164AD} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => %systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)
Task: {6247312B-ED55-409C-9AE0-2B3DFC12A2ED} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\Save Customer Experience Improvement Program Data => C:\Windows\System32\Essentials\RunTask.exe [2014-03-18] (Microsoft Corporation)
Task: {646E7FFD-9752-4820-9D2B-1B47DB80A6DE} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\Alert Evaluations => C:\Windows\System32\Essentials\RunTask.exe [2014-03-18] (Microsoft Corporation)
Task: {651FF2A7-84D4-4AE6-9231-BB0411D3A64F} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2013-08-22] (Microsoft Corporation)
Task: {787E2442-1350-4D4B-B3DF-F73EDF626879} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {8851D436-E062-4F29-B4CC-74E060F780C7} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Configuration => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd configure
Task: {92849669-6BE8-44C6-8554-2EEA2273EE69} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Collection => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd publish
Task: {929D3BE2-6486-429C-911B-1B5E93FD4417} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\Macintosh Status Report => C:\Windows\System32\Essentials\RunTask.exe [2014-03-18] (Microsoft Corporation)
Task: {9536335E-476B-42F7-8624-2308CA0F222B} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2013-08-22] (Microsoft Corporation)
Task: {C1EFD1DB-1955-41CC-9790-A03764A87A47} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\BPA Scheduled Scan => C:\Windows\system32\windowspowershell\v1.0\powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQBXAHMAcwBCAHAAYQBTAGMAYQBuAA== -NoLogo -NoProfile -NonInteractive
Task: {CE71BEFA-3309-4B41-AB2F-481B2FE801DA} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\Backup Cleanup => C:\Windows\System32\Essentials\RunTask.exe [2014-03-18] (Microsoft Corporation)
Task: {E0FD8466-EAA7-409C-B46A-6AECAFD21A25} - System32\Tasks\ShadowCopyVolume{cec124d8-b214-11e7-80b5-806e6f6e6963} => C:\Windows\system32\vssadmin.exe [2014-10-29] (Microsoft Corporation)
Task: {EF3F711C-4297-4B85-B877-4023ECA46AE8} - System32\Tasks\Microsoft\Windows\Windows Server Essentials\Consistency Check => C:\Windows\System32\Essentials\RunTask.exe [2014-03-18] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ShadowCopyVolume{cec124d8-b214-11e7-80b5-806e6f6e6963}.job => C:\Windows\system32\vssadmin.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2018-04-14 14:18 - 2018-03-12 15:09 - 002300192 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-04-14 14:18 - 2018-03-27 13:47 - 002492704 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2018-01-14 16:21 - 2018-01-14 16:19 - 000016384 _____ () C:\MT4-PEM\MQL4\Libraries\Myfxbook.dll
2018-01-14 15:39 - 2018-01-14 15:35 - 000006144 _____ () C:\MT4-PEM\MQL4\Libraries\Simpletrader MT4.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2013-08-22 15:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1475991681-507444292-3624784772-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\mattia\AppData\Roaming\Mozilla\Firefox\Sfondo del desktop.bmp
HKU\S-1-5-21-1475991681-507444292-3624784772-1121\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 208.67.220.220 - 208.67.222.222
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [CoreNet-GP-LSASS-Out-TCP] => (Block) %SystemRoot%\system32\lsass.exe
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) %systemroot%\system32\wbengine.exe
FirewallRules: [{AD646AFB-5D96-4DF4-A52F-B1C11C6C4C69}] => (Allow) LPort=6602
FirewallRules: [{0920CF82-98A0-4B07-BBBF-01289477C1FB}] => (Allow) LPort=8912
FirewallRules: [{B065B09A-7300-45F9-879F-E61FEADD92F0}] => (Allow) LPort=8912
FirewallRules: [{4F1F0D9F-D3C7-4133-8A00-33F3A3105140}] => (Allow) LPort=65520
FirewallRules: [NTFRS-NTFRSSvc-In-TCP] => (Allow) %SystemRoot%\system32\NTFRS.exe
FirewallRules: [ADWS-TCP-In] => (Allow) %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe
FirewallRules: [ADWS-TCP-Out] => (Allow) %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe
FirewallRules: [DFSR-DFSRSvc-In-TCP] => (Allow) %SystemRoot%\system32\dfsrs.exe
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [DNSSrv-DNS-TCP-In] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-DNS-UDP-In] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-RPC-TCP-In] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-TCP-Out] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-UDP-Out] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [Microsoft-Windows-CertificateServices-CertSvc-RPC-TCP-In] => (Allow) %systemroot%\system32\certsrv.exe
FirewallRules: [Microsoft-Windows-CertificateServices-CertSvc-TCP-Out] => (Allow) %systemroot%\system32\certsrv.exe
FirewallRules: [{7574DA40-5304-46B6-90DB-E1B0BE5BF138}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{A7230AA5-94AF-4CE8-B5A9-7F7E63AEF3AD}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{149D3B87-5194-4110-90D9-87817CF6D7FF}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
FirewallRules: [{CB09259E-51DE-4272-9758-8A56367C00A3}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
FirewallRules: [{847415D9-01AC-450A-918A-57FF3D3B7180}] => (Allow) C:\Program Files\MetaTrader\metatester64.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/14/2018 02:48:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f33794
Exception code: 0xc000041d
Fault offset: 0x00000000000095fc
Faulting process id: 0x1bec
Faulting application start time: 0x01d3d3eec1fd2980
Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 2f2f1d92-3fe2-11e8-80c4-d05099afe6ef
Faulting package full name:
Faulting package-relative application ID:

Error: (04/14/2018 02:48:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f33794
Exception code: 0xe0434352
Fault offset: 0x00000000000095fc
Faulting process id: 0x1bec
Faulting application start time: 0x01d3d3eec1fd2980
Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 2d7ad524-3fe2-11e8-80c4-d05099afe6ef
Faulting package full name:
Faulting package-relative application ID:

Error: (04/14/2018 02:48:49 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Dashboard.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ArgumentException
   at System.Drawing.Font.GetHeight(System.Drawing.Graphics)
   at System.Drawing.Font.GetHeight()
   at System.Drawing.Font.get_Height()
   at System.Windows.Forms.Control.get_FontHeight()
   at System.Windows.Forms.Control.get_FontHeight()
   at System.Windows.Forms.TextBoxBase.get_PreferredHeight()
   at System.Windows.Forms.TextBoxBase.AdjustHeight(Boolean)
   at System.Windows.Forms.TextBox.OnFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.OnParentFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.OnFontChanged(System.EventArgs)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailItemControl.OnFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.set_Font(System.Drawing.Font)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.OnCreateItemControls(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailItem, System.Windows.Forms.Control)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.AddDetailsGroup(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsGroup)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.ReinitializeGroups()
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.OnLayout(System.Windows.Forms.LayoutEventArgs)
   at System.Windows.Forms.Control.PerformLayout(System.Windows.Forms.LayoutEventArgs)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.EndUpdate()
   at System.Collections.CollectionBase.Clear()
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsView.DetailsWorkComplete(System.Object, Microsoft.WindowsServerSolutions.Dashboard.Forms.Work.WorkCompleteArgs)

Exception Info: System.Reflection.TargetInvocationException
   at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
   at System.Delegate.DynamicInvokeImpl(System.Object[])
   at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry)
   at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry)
   at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
   at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
   at Microsoft.WindowsServerSolutions.Dashboard.Program.Main(System.String[])

Error: (04/14/2018 02:47:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f33794
Exception code: 0xe0434352
Fault offset: 0x00000000000095fc
Faulting process id: 0x2490
Faulting application start time: 0x01d3d3eea2852b48
Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: f5cb19de-3fe1-11e8-80c4-d05099afe6ef
Faulting package full name:
Faulting package-relative application ID:

Error: (04/14/2018 02:47:15 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Dashboard.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ArgumentException
   at System.Drawing.Font.GetHeight(System.Drawing.Graphics)
   at System.Drawing.Font.GetHeight()
   at System.Drawing.Font.get_Height()
   at System.Windows.Forms.Control.get_FontHeight()
   at System.Windows.Forms.Control.get_FontHeight()
   at System.Windows.Forms.TextBoxBase.get_PreferredHeight()
   at System.Windows.Forms.TextBoxBase.AdjustHeight(Boolean)
   at System.Windows.Forms.TextBox.OnFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.OnParentFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.OnFontChanged(System.EventArgs)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailItemControl.OnFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.set_Font(System.Drawing.Font)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.OnCreateItemControls(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailItem, System.Windows.Forms.Control)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.AddDetailsGroup(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsGroup)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.Collections.DetailsGroupCollection.Add(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsGroup)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsView.DetailsWorkComplete(System.Object, Microsoft.WindowsServerSolutions.Dashboard.Forms.Work.WorkCompleteArgs)

Exception Info: System.Reflection.TargetInvocationException
   at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
   at System.Delegate.DynamicInvokeImpl(System.Object[])
   at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry)
   at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry)
   at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
   at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
   at Microsoft.WindowsServerSolutions.Dashboard.Program.Main(System.String[])

Error: (04/14/2018 02:40:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f33794
Exception code: 0xc000041d
Fault offset: 0x00000000000095fc
Faulting process id: 0x29b4
Faulting application start time: 0x01d3d3eda2f87e2c
Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 13675361-3fe1-11e8-80c4-d05099afe6ef
Faulting package full name:
Faulting package-relative application ID:

Error: (04/14/2018 02:40:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f33794
Exception code: 0xe0434352
Fault offset: 0x00000000000095fc
Faulting process id: 0x29b4
Faulting application start time: 0x01d3d3eda2f87e2c
Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 114c8744-3fe1-11e8-80c4-d05099afe6ef
Faulting package full name:
Faulting package-relative application ID:

Error: (04/14/2018 02:40:52 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Dashboard.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ArgumentException
   at System.Drawing.Font.GetHeight(System.Drawing.Graphics)
   at System.Drawing.Font.GetHeight()
   at System.Drawing.Font.get_Height()
   at System.Windows.Forms.Control.get_FontHeight()
   at System.Windows.Forms.Control.get_FontHeight()
   at System.Windows.Forms.TextBoxBase.get_PreferredHeight()
   at System.Windows.Forms.TextBoxBase.AdjustHeight(Boolean)
   at System.Windows.Forms.TextBox.OnFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.OnParentFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.OnFontChanged(System.EventArgs)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailItemControl.OnFontChanged(System.EventArgs)
   at System.Windows.Forms.Control.set_Font(System.Drawing.Font)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.OnCreateItemControls(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailItem, System.Windows.Forms.Control)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.AddDetailsGroup(Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsGroup)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.ReinitializeGroups()
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.OnLayout(System.Windows.Forms.LayoutEventArgs)
   at System.Windows.Forms.Control.PerformLayout(System.Windows.Forms.LayoutEventArgs)
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsPane.EndUpdate()
   at System.Collections.CollectionBase.Clear()
   at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsView.DetailsWorkComplete(System.Object, Microsoft.WindowsServerSolutions.Dashboard.Forms.Work.WorkCompleteArgs)

Exception Info: System.Reflection.TargetInvocationException
   at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
   at System.Delegate.DynamicInvokeImpl(System.Object[])
   at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry)
   at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry)
   at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
   at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
   at Microsoft.WindowsServerSolutions.Dashboard.Program.Main(System.String[])


System errors:
=============
Error: (04/14/2018 03:29:43 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Error: (04/14/2018 03:29:43 PM) (Source: Schannel) (EventID: 4106) (User: NT AUTHORITY)
Description: An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Error: (04/14/2018 10:24:17 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

Error: (04/14/2018 10:24:17 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

Error: (04/14/2018 04:15:35 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.

Error: (04/14/2018 03:08:07 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (04/14/2018 02:22:48 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

Error: (04/14/2018 02:22:48 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.


==================== Memory info ===========================

Processor: Intel(R) Atom(TM) CPU N2800 @ 1.86GHz
Percentage of memory in use: 70%
Total physical RAM: 4083.48 MB
Available physical RAM: 1184.87 MB
Total Virtual: 4979.48 MB
Available Virtual: 1719.97 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:36.93 GB) (Free:17.3 GB) NTFS

\\?\Volume{cec124d7-b214-11e7-80b5-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.02 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 37.3 GB) (Disk ID: 397C969B)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=36.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

and finally AdwCleaner:

Quote

# -------------------------------
# Malwarebytes AdwCleaner 7.1.0.0
# -------------------------------
# Build:    04-12-2018
# Database: 2018-04-11.1
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    04-14-2018
# Duration: 00:00:02
# OS:       Windows Server 2012 R2 Essentials
# Cleaned:  1
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4E82B7F5-6A7D-4BA0-A416-CDB4E4EC58A1}|NameServer - "208.67.220.220,208.67.222.222"

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************


########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

Even after the removal of the threats found by AdwCleaner, the problem persists; please, someone help me.

Thanks in advance to whoever will take care of this.

Addition.txt

AdwCleaner[C00].txt

FRST.txt

mabt.txt


  • Root Admin

Hello @jackfrusciante and :welcome:

This computer is running Peer 2 Peer software for sharing data between unknown, unsecure other computers around the world, which is highly discouraged on a home computer and unheard of to run on a server.

qBittorrent 3.3.16 (HKLM-x32\...\qBittorrent) (Version: 3.3.16 - The qBittorrent project)

It is compromised with a potential rootkit.

My advice would be to format the drive and reinstall Windows and recover your data from backup as this server can never be trusted again to be secure for users.

Thank you

Ron


Thanks for the reply. I think your solution will surely work, but it looks a bit extreme; maybe check the drive with another anti-rootkit... Anyway, in the meanwhile I played a bit with the firewall settings and lsass.exe went back to working normally. So, if I understand correctly, from the logs there is no evidence of a rootkit or malware running on my machine, right? In this case, can someone suggest another software to do another check? Otherwise, to me it is fine this way.

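As an added example (not part of this thread, and not code from Malwarebytes or any tool mentioned in it), here is a PowerShell check an administrator could run, from an elevated prompt on Windows Server 2012 R2 or later, to verify the two things at issue in the posts above: whether the running lsass.exe is the Microsoft-signed binary from System32, and which remote addresses it actually holds TCP connections to. Test-PrivateIPv4 is a helper defined here, not a built-in cmdlet. The public/private split rests on an assumption stated in the comments: on a single-server Essentials domain, lsass.exe talking to a domain controller on the LAN is expected, while a list of distinct public addresses is what should be explained before the box is trusted.

```powershell
# Added example, not from the original thread. Requires an elevated prompt
# (Get-Process only exposes lsass.exe's Path when elevated) and the NetTCPIP
# module that ships with Windows 8 / Windows Server 2012 and later.

function Test-PrivateIPv4 {
    # Returns $true for RFC 1918, loopback and link-local IPv4 addresses.
    # Anything that is not a parsable IPv4 address (e.g. IPv6) is treated as
    # "not public" so it does not inflate the public-peer count of this check.
    param([string]$Address)
    $ip = [System.Net.IPAddress]::None
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $true }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

$lsass = Get-Process -Name lsass -ErrorAction Stop

# 1. Is the running image the expected System32 binary, and is it Microsoft-signed?
$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'
if ($lsass.Path -ne $expectedPath) {
    Write-Warning "lsass.exe is running from '$($lsass.Path)', expected '$expectedPath'"
}
$sig = Get-AuthenticodeSignature -FilePath $expectedPath
"Signature status: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"

# 2. Which remote endpoints does lsass.exe hold established TCP connections to?
$conns = Get-NetTCPConnection -OwningProcess $lsass.Id -State Established -ErrorAction SilentlyContinue
$conns |
    Select-Object LocalPort, RemoteAddress, RemotePort,
        @{ Name = 'Public'; Expression = { -not (Test-PrivateIPv4 $_.RemoteAddress) } } |
    Sort-Object RemoteAddress -Unique |
    Format-Table -AutoSize

# 3. Distinct public peers. Assumption: on a single-server Essentials domain
#    this should be zero or close to it; each entry here needs an explanation.
$public = $conns |
    Where-Object { -not (Test-PrivateIPv4 $_.RemoteAddress) } |
    Select-Object -ExpandProperty RemoteAddress -Unique
"Distinct public remote addresses held by lsass.exe: $(@($public).Count)"
```

A snapshot like this only shows the connections open at the moment it runs; rerunning it a few times while the bandwidth symptom is visible gives a more useful picture than a single pass. A signature status other than Valid, or an lsass.exe path outside System32, is a stronger reason to follow the reinstall advice given in the thread than any number of clean scanner reports.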

  • Root Admin

The issue is it's a server. Not saying you might be able to clean it, but that you're putting user data and business at risk. If you're not ready for Disaster Recovery I'd highly suggest you set up a business plan for Disaster Recovery to ensure the long-term viability of quickly recovering from things like this.

Please follow the directions in the following topic

Thanks

Ron


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
